Sniffer and debug flow in presence of NP2 ports
On FortiGate models that have NP2 interfaces (for example FortiGate-310B, FortiGate-620B, ...), some traffic is offloaded at the hardware level. This means the traffic does not go to the CPU (unless it is destined to the FortiGate itself) and is therefore not seen by a debug flow command or a sniffer trace.
However, the first packets of any new session establishment, for example the SYN/SYN-ACK/ACK, are always seen. Once the session is established, no further packets of that session will be seen, because they use the fast path.
To optimize performance, NP2/NP4 processors do not include traffic logging capabilities. Because of this and because offloaded traffic bypasses FortiOS, no traffic logs are generated for traffic offloaded to NP2/NP4 processors.
For troubleshooting purposes, when you need to capture packets or check the flow on the FortiGate, you can bypass hardware acceleration on a specific port with the following command.
Be aware that this may affect performance and should only be used for troubleshooting.
diagnose npu np2 fastpath-sniffer enable <port(s)_number>
==> This now shows all traffic for all sessions to/from this port (or these ports) when using the sniffer or the diag debug flow commands.
The command below re-enables hardware offloading:
diagnose npu np2 fastpath-sniffer disable <port(s)_number>
Note that this setting is not saved in the configuration and is lost after a reboot. You can also use "config system npu" to disable offloading of IPsec VPN traffic.
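The session below is added here as an illustration and is not part of the original note. It shows how the fastpath-sniffer command fits around the sniffer and debug flow commands in one troubleshooting run. It assumes that NP2 port index 1 corresponds to the interface port1 and that the host being traced is 10.0.0.5; both are constructed values and must be replaced with the port and address you are actually troubleshooting.

```console
# Step 1: send port 1's sessions through the CPU so that the sniffer and
# debug flow see every packet, not only the session setup
diagnose npu np2 fastpath-sniffer enable 1

# Step 2a: packet capture on the matching interface
# (verbosity 4 = packet headers with interface names, count 0 = no packet limit;
#  stop with Ctrl-C once enough packets have been collected)
diagnose sniffer packet port1 'host 10.0.0.5' 4 0

# Step 2b: alternatively, trace the session through policy lookup and NAT
diagnose debug reset
diagnose debug flow filter addr 10.0.0.5
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 100
# ... generate or wait for traffic from 10.0.0.5 ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# Step 3: restore hardware offloading on the port (the fastpath-sniffer state is
# not saved in the configuration, so a reboot would also revert it)
diagnose npu np2 fastpath-sniffer disable 1
```

Run step 3 as soon as the capture is complete: while fastpath-sniffer is enabled, every established session on that port is handled by the CPU, which is the performance impact the note warns about.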