You can use packet capturing to learn about network activity seen by your FortiGate by creating and saving packet capture filters that define the packets to capture. You can then run these filters at any time, download the resulting .pcap (packet capture) file, and use a tool like Wireshark to analyze the results.
To use packet capture through the GUI, your FortiGate model must have internal storage and disk logging must be enabled. If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.
1. Creating packet capture filters
Go to System > Network > Packet Capture and create a new filter. Below are a few examples of different filters you can use.
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
The simplest filter just captures all of the packets received by an interface. This example captures 10 packets received by the mgmt1 interface.
You can select Enable Filters to restrict the packets to capture.
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the Ednet wireless interface that have a source or destination address in the range 172.20.120.10 to 172.20.120.20.
This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the port1 interface.
This filter captures the first 1000 DNS packets querying the Google DNS server (IP address 8.8.8.8) with VLAN IDs 37 or 39.
2. Results
Running packet capture filters may affect FortiGate performance.
Go to System > Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter are captured the filter stops.
You can stop and restart multiple filters at any time.
Download any saved .pcap file to your computer. You can open the file with a .pcap file viewer like Wireshark.