FortiGate
srajeswaran
Staff
Article Id 253723
Description This article describes scenarios in which a packet is visible in the 'diagnose sniffer packet' output on the ingress interface, yet it never leaves the firewall and produces no output at all in 'diagnose debug flow'.
Scope FortiOS.
Solution

Scenario 1:

The destination MAC address of the frame does not match the MAC address of the FortiGate interface it arrives on. In the capture below the frame reaches port2 addressed to destination MAC 00:00:00:00:00:01 (the first six bytes of the hex dump; the next six, 00:00:00:00:00:02, are the source MAC) instead of the port2 MAC 02:09:63:23:02:01.

FortiGate drops such a frame at the network interface level: it is never handed to the CPU for processing, so it cannot appear in the debug flow trace. The sniffer captures at the driver level, which is why the packet is still visible there.


FortiGate-LAB # diagnose sniffer packet port2 "host 6.6.6.6" 6
Using Original Sniffing Mode
interfaces=[port2]
filters=[host 6.6.6.6]
11.746378 port2 -- 172.16.1.2.60000 -> 6.6.6.6.443: udp 18
0x0000 0000 0000 0001 0000 0000 0002 0800 4500 ..............E.
0x0010 002e 0000 4000 4011 81a1 ac10 0102 0606 ....@.@.........
0x0020 0606 ea60 01bb 001a 5a80 0000 0000 0000 ...`....Z.......
0x0030 0000 0000 0000 0000 0000 0000 ............


FortiGate-LAB # get hardware nic port2
Name: port2
Driver: virtio_net
Version: 1.0.0
Bus: 0000:00:04.0
Hwaddr: 02:09:63:23:02:01


Devices in an HA cluster use virtual MAC addresses on their interfaces, so this issue is common in HA environments when a neighbouring host still sends frames to the physical MAC of the interface (for example because of a stale ARP entry) instead of the virtual MAC.


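The Scenario 1 check done offline, as an added example that is not part of this article and not Fortinet code: the script parses the hex dump printed by 'diagnose sniffer packet <intf> "<filter>" 6', extracts the destination MAC from the Ethernet header of every frame, and compares it with the interface MAC taken from 'get hardware nic <intf>'. The sample input is constructed from the two CLI outputs above; the optional extra MAC list (for example the HA virtual MAC of the interface) is an assumption supplied by the caller, since this script cannot read it from the outputs shown.

```python
"""Scenario 1 check: is the captured frame addressed to this interface at all?

Added example, not FortiOS or Fortinet code. It parses the hex dump that
'diagnose sniffer packet <intf> "<filter>" 6' prints, pulls the destination
MAC out of the Ethernet header of every frame, and compares it with the
interface MAC from 'get hardware nic <intf>'. A unicast frame whose
destination is neither that MAC nor a MAC the caller passes in (for example
the HA virtual MAC, an assumption the caller must supply) is dropped by the
NIC and never shows up in 'diagnose debug flow'.
"""
import re

# Constructed sample input: the two CLI outputs from the article.
SNIFFER_OUTPUT = """\
Using Original Sniffing Mode
interfaces=[port2]
filters=[host 6.6.6.6]
11.746378 port2 -- 172.16.1.2.60000 -> 6.6.6.6.443: udp 18
0x0000 0000 0000 0001 0000 0000 0002 0800 4500 ..............E.
0x0010 002e 0000 4000 4011 81a1 ac10 0102 0606 ....@.@.........
0x0020 0606 ea60 01bb 001a 5a80 0000 0000 0000 ...`....Z.......
0x0030 0000 0000 0000 0000 0000 0000 ............
"""
NIC_OUTPUT = """\
Name: port2
Driver: virtio_net
Version: 1.0.0
Bus: 0000:00:04.0
Hwaddr: 02:09:63:23:02:01
"""

ETH_HDR_LEN = 14
BROADCAST = "ff:ff:ff:ff:ff:ff"
# "<timestamp> <intf> --|in|out <summary>" opens each frame at verbosity 6.
SUMMARY = re.compile(r"^\S+\s+\S+\s+(?:--|in|out)\s")
# Hex dump lines carry up to eight 4-hex-digit groups (16 bytes) after the
# offset; the final group of a short line may hold a single byte.
HEX_GROUP = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$")


def parse_hwaddr(nic_output):
    """Return the interface MAC from 'get hardware nic' output, lower-cased."""
    m = re.search(r"^Hwaddr:\s*([0-9A-Fa-f:]{17})\s*$", nic_output, re.M)
    if not m:
        raise ValueError("no Hwaddr line in NIC output")
    return m.group(1).lower()


def parse_sniffer(sniffer_output):
    """Return [(summary_line, frame_bytes), ...] from verbosity-6 output."""
    frames, summary, buf = [], None, bytearray()
    for raw in sniffer_output.splitlines():
        line = raw.strip()
        if SUMMARY.match(line):
            if summary is not None:
                frames.append((summary, bytes(buf)))
            summary, buf = line, bytearray()
        elif line.startswith("0x") and summary is not None:
            # Stop at the first token that is not a hex group: that is the
            # ASCII column, which only follows the last group of a short line.
            # (An ASCII column that itself looks like a hex group is not
            # disambiguated here.)
            for tok in line.split()[1:9]:
                if not HEX_GROUP.match(tok.lower()):
                    break
                buf += bytes.fromhex(tok)
    if summary is not None:
        frames.append((summary, bytes(buf)))
    return frames


def mac_str(b):
    """Format six bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{x:02x}" for x in b)


def classify(frame, accepted_macs):
    """Say what the NIC does with the frame, based on its destination MAC."""
    if len(frame) < ETH_HDR_LEN:
        return "runt frame (no Ethernet header)", None, None
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    if dst in accepted_macs:
        verdict = "accept: own MAC"
    elif dst == BROADCAST:
        verdict = "accept: broadcast"
    elif frame[0] & 0x01:
        verdict = "accept only if subscribed: multicast"
    else:
        verdict = "drop at NIC: unicast to a foreign MAC, never reaches debug flow"
    return verdict, dst, src


def triage(sniffer_output, nic_output, extra_macs=()):
    """One verdict dict per frame. extra_macs: e.g. the HA virtual MAC."""
    accepted = {parse_hwaddr(nic_output)} | {m.lower() for m in extra_macs}
    out = []
    for summary, frame in parse_sniffer(sniffer_output):
        verdict, dst, src = classify(frame, accepted)
        out.append({"summary": summary, "dst": dst, "src": src, "verdict": verdict})
    return out


if __name__ == "__main__":
    for r in triage(SNIFFER_OUTPUT, NIC_OUTPUT):
        print(f"{r['summary']}\n  dst={r['dst']} src={r['src']} -> {r['verdict']}")
```

Run as-is it reports the article's frame as "drop at NIC", because 00:00:00:00:00:01 is neither the port2 MAC nor broadcast/multicast. In an HA setup pass the virtual MAC of the interface in extra_macs; a frame addressed to the physical MAC then still comes out as a drop, which is the HA case described above.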
Scenario 2:

Access Control Lists (ACLs) applied to an interface block traffic at the network interface level, before the packets are analyzed by the CPU, so ACL drops are likewise absent from the debug flow trace. This feature is available on FortiGates with NP6 processors. Use 'diagnose firewall acl counter' to check whether packets are being dropped by an ACL. The counter is cumulative, so note its value, resend the traffic, and check whether it has increased.


FortiGate-LAB # diagnose firewall acl counter
ACL id 1 dropped 2 packets