haldahan
Staff
Article Id 229628

 

Description

This article describes how to decode the UDP payload of reply packets sent between FGCP clusters over the heartbeat link.
Scope

Environments where synchronization between FGCP clusters is used together with support for UTM inspection on asymmetric L3 traffic:

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/324430/support-utm-inspection-on-asy...

Solution

1) Return traffic passing through the heartbeat link between the two clusters is encapsulated as UDP traffic (a 24-byte private header is added to the UDP payload).

2) Take a packet capture on the link used as the heartbeat between the two FGCP clusters.

3) Open the file in Wireshark.

4) Select the packet to decode.

5) In Packet Bytes View, 'right-click' on it and select '…as a Hex Stream'.

 

[Screenshot: 2.png]

 

6) Paste it into the 'Hex Packet Decoder' at the link below and select 'Decode': https://hpd.gasmi.net/

7) Remove the 24-byte private header from the UDP payload. In the screenshot below, it is the part enclosed in red.

 

[Screenshot: 3.jpg]

 

8) Copy the part enclosed in orange and paste it into the Hex Packet Decoder.

Then select 'Decode'.

For example, the packet below is for the SSH session from 172.18.16.2 to 172.18.32.3.

 

[Screenshots: 4.jpg, 5.jpg]
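Steps 5 to 8 can also be done offline, without pasting capture data into a website. The script below is an added example, not part of the original article and not Fortinet code. It assumes an untagged Ethernet II/IPv4 outer frame and that the bytes after the 24-byte header are an Ethernet frame or a raw IPv4 packet. The sample frame is constructed: only the inner addresses come from the article's example, while the outer addresses, all ports and the zeroed private header are made up.

```python
import ipaddress
import struct

PRIVATE_HDR_LEN = 24  # private header size stated in the article

def _ipv4(buf):
    """Parse IPv4 -> (protocol, src, dst, payload). Skips a leading Ethernet II header."""
    if len(buf) > 14 and buf[12:14] == b"\x08\x00" and buf[14] >> 4 == 4:
        buf = buf[14:]  # heuristic: untagged Ethernet II carrying IPv4
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(buf[i:i + 4])) for i in (12, 16))
    return buf[9], src, dst, buf[ihl:total]

def extract_inner(hex_stream):
    """Wireshark hex stream of the outer frame -> bytes left after the private header."""
    proto, _, _, udp = _ipv4(bytes.fromhex(hex_stream))
    if proto != 17 or len(udp) < 8:
        raise ValueError("outer packet is not UDP")
    payload = udp[8:struct.unpack("!H", udp[4:6])[0]]
    if len(payload) <= PRIVATE_HDR_LEN:
        raise ValueError("UDP payload too short to hold the private header")
    return payload[PRIVATE_HDR_LEN:]

def summarize_inner(inner):
    """Return (src, dst, ip_protocol, sport, dport) of the encapsulated packet."""
    proto, src, dst, l4 = _ipv4(inner)
    ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (None, None)
    return (src, dst, proto, *ports)

def sample_hex():
    """Constructed outer frame: outer addresses, all ports and the zeroed header are made up."""
    def ip(src, dst, proto, body):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed) + body
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 50000, 22, 0, 0, 0x50, 0x18, 1024, 0, 0)
    payload = bytes(PRIVATE_HDR_LEN) + eth + ip("172.18.16.2", "172.18.32.3", 6, tcp)
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0) + payload
    return (eth + ip("10.0.0.1", "10.0.0.2", 17, udp)).hex()

if __name__ == "__main__":
    inner = extract_inner(sample_hex())
    print(inner.hex())             # paste-ready hex for a packet decoder
    print(summarize_inner(inner))
```

To use it on a real capture, pass the hex stream copied in step 5 to `extract_inner()` in place of `sample_hex()`.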

 
