FortiGate
rsingla
Staff
Article Id 196204

Description

 
This article describes how to calculate the number of fragmented packets per second hitting a FortiGate.


Scope

 
In the absence of an SNMP monitoring solution or graphs that display the number of fragmented packets hitting the FortiGate, a simple manual process can be used instead.


Solution

 
On the FortiGate, run these 2 commands every 5 seconds. The commands can be repeated any number of times, depending on the requirements.
 
get system status
diagnose snmp ip frags
 
The sample output looks like this:
 
FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v6.2.5,build1142,200819 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVUEKETZHND9
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Expired
Evaluation License Expires: Mon Nov  9 04:27:53 2020
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1142
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Nov 10 03:55:12 2020
 
 
FortiGate-VM64-KVM # diagnose snmp ip frags
ReasmTimeout = 2167
ReasmReqds   = 26235863
ReasmOKs     = 13114634
ReasmFails   = 5083
FragOKs      = 13114634
FragFails    = 0
FragCreates  = 26229268
 
Repeat these commands multiple times and note down the following information:
 
1) From the output of 'get system status', the last line shows the 'System time'; note the minutes and seconds from this output.
2) From the output of 'diagnose snmp ip frags', note the value of 'ReasmReqds'.
 
The formula to calculate the number of fragmented packets per second hitting the FortiGate is as follows:

 

Latest Output of ReasmReqds = X.
Previous Output of ReasmReqds = Y.
 
Latest Time stamp : T2.
Previous Time stamp : T1.
 
Formula : (X-Y)/(T2-T1) = Number of fragmented packets per second hitting the FortiGate.
 
So, for example:
 
If the value of ReasmReqds at time 03:55:12 is 100000 and at time 03:55:17 is 200000, the time difference between the 2 outputs is 5 seconds.
 
As per the formula : (200000-100000)/5 = 20000 fragmented packets per second.
 
This gives an average number. The same formula can be repeated for consecutive outputs to get a pattern of the fragmented packet numbers.

Starting with FortiOS 7.0.6, a new command was also introduced which provides the rate of fragmented packets per second:
FortiGate-VM64-KVM # diagnose snmp ip frags rate
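
The manual calculation described above, automated as an added example (not part of the original article): the Python script below parses a saved CLI capture and applies (X-Y)/(T2-T1) to each consecutive pair of samples. The capture text is constructed, and treating a counter that went backwards as a reset to be skipped is an assumption.

```python
import re
from datetime import datetime

# Constructed capture: repeated 'get system status' / 'diagnose snmp ip frags'
# output, trimmed to the two fields the calculation uses. Values are made up.
CAPTURE = """\
System time: Tue Nov 10 03:55:12 2020
ReasmReqds   = 100000
System time: Tue Nov 10 03:55:17 2020
ReasmReqds   = 200000
System time: Tue Nov 10 03:55:22 2020
ReasmReqds   = 230000
System time: Tue Nov 10 03:55:27 2020
ReasmReqds   = 500
System time: Tue Nov 10 03:55:32 2020
ReasmReqds   = 10500
"""

TIME_RE = re.compile(r"^System time:\s*(.+)$")
REASM_RE = re.compile(r"^ReasmReqds\s*=\s*(\d+)$")

def parse_samples(text):
    """Pair each ReasmReqds value with the System time printed before it."""
    samples, last_time = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := TIME_RE.match(line):
            # Full date and time, so a capture that spans midnight still works.
            last_time = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        elif (m := REASM_RE.match(line)) and last_time is not None:
            samples.append((last_time, int(m.group(1))))
            last_time = None  # the next counter needs its own timestamp
    return samples

def frag_rates(samples):
    """(X - Y) / (T2 - T1) per consecutive pair; None marks an unusable interval."""
    rates = []
    for (t1, y), (t2, x) in zip(samples, samples[1:]):
        elapsed = (t2 - t1).total_seconds()
        # Assumption: a counter that went backwards was reset (e.g. a reboot),
        # so the interval is skipped rather than reported as a negative rate.
        usable = elapsed > 0 and x >= y
        rates.append((t2, (x - y) / elapsed if usable else None))
    return rates

if __name__ == "__main__":
    for when, rate in frag_rates(parse_samples(CAPTURE)):
        shown = "skipped (counter reset?)" if rate is None else f"{rate:.0f} frags/s"
        print(when.strftime("%H:%M:%S"), shown)
```

The parser ignores every other line, so the full output of both commands can be pasted in unchanged.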

Additional info related to the fragmentation counters is given below:

FragOKs: This field indicates the number of IP datagrams that have been successfully fragmented.
FragFails: This field represents the number of IP datagrams that were discarded because they needed to be fragmented, but fragmentation was not possible. This situation can occur when the 'Don't Fragment' (DF) flag is set in the packet, indicating that it should not be fragmented.
FragCreates: The FragCreates field displays the number of IP datagram fragments that have been generated as a result of fragmentation. It counts the fragments that were created during the fragmentation process.
ReasmReqds: This field shows the number of IP fragments received that required reassembly. When a fragmented packet reaches its destination, the receiving device needs to reassemble the fragments to reconstruct the original packet. ReasmReqds keeps track of the count of fragments that needed reassembly.
ReasmOKs: ReasmOKs indicates the number of IP datagrams that were successfully reassembled.
ReasmFails: This field reflects the number of failures detected by the IP reassembly algorithm. These failures can occur due to timeout or errors during the reassembly process. It is important to note that ReasmFails does not necessarily represent the count of discarded IP fragments, as some reassembly algorithms can lose track of the number of fragments while combining them as they are received.