Crypto sniffer


Author: Admin | 2025-04-28

Description
This article describes why it is necessary to disable ASIC offloading on a firewall policy before using the built-in sniffer.

Scope
FortiGate with ASIC.

Solution
The FortiGate integrated sniffer will not capture packets that are offloaded by the integrated ASIC (NP6 or NP7, including the 'lite' versions such as NP6lite). Such packets can be seen normally with a flow trace, but the sniffer will not show them.

If necessary, run a flow trace, which visualizes the policy evaluation of any given packet, as follows:

diag debug console timestamp enable
diag debug flow filter addr
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 20

This captures 20 packets, each identifiable by its 'trace_id='.

The packet capture itself on the FortiGate would run as:

diag sniffer packet any 'host ' 6 20 a

This also captures 20 packets, but only those that are not being offloaded. To change this behavior, disable ASIC offloading in the firewall policy.

Command to disable ASIC offloading in a policy:

config firewall policy
    edit
        set auto-asic-offload disable
end

Note:
Create a more specific firewall policy and disable ASIC offloading only there, to prevent CPU over-utilization. Remember to revert the change once troubleshooting is done.

Command to re-enable ASIC offloading in the policy after testing:

config firewall policy
    edit
        set auto-asic-offload enable
end
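As an added example (not part of this article or of FortiOS): a small Python helper that groups flow-trace lines by trace_id, extracts the packet tuple and policy verdict, and flags the traces whose session was handed to the NPU, i.e. the packets a sniffer would miss while the flow trace still shows them. The sample lines, message texts, function names and policy numbers are constructed assumptions, not real device output.

```python
import re
from collections import OrderedDict

# Constructed sample flow-trace lines (not captured from a real unit); the
# id=/trace_id=/func=/msg= layout follows FortiGate 'diag debug flow' output.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51514->198.51.100.5:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5911 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_forward_handler line=861 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51514->198.51.100.5:443) from port1. flag [.], seq 2, ack 1, win 502"
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5821 msg="Find an existing session, id-0000a1b2, original direction"
id=20085 trace_id=2 func=npu_handle_session44 line=1170 msg="Trying to offloading session from port1 to port2, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000100"
id=20085 trace_id=3 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 192.0.2.20:5353->198.51.100.9:53) from port1."
id=20085 trace_id=3 func=fw_forward_handler line=861 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*?msg="([^"]*)"')
PKT_RE = re.compile(r'\(proto=(\d+), (\S+)->(\S+)\)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)|Denied by forward policy check \(policy (\d+)\)')


def summarize_flow_trace(text):
    """Group trace lines by trace_id: packet tuple, policy verdict, offload attempted."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow-trace line (e.g. the timestamp-only noise)
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"tuple": None, "policy": None, "verdict": None, "offload": False})
        pkt = PKT_RE.search(msg)
        if pkt:
            t["tuple"] = (int(pkt.group(1)), pkt.group(2), pkt.group(3))
        pol = POLICY_RE.search(msg)
        if pol:
            t["verdict"] = "allow" if pol.group(1) else "deny"
            t["policy"] = int(pol.group(1) or pol.group(2))
        if "offloading session" in msg.lower():
            t["offload"] = True  # NPU took the session: later packets bypass the sniffer
    return traces


def sniffer_blind_trace_ids(traces):
    """trace_ids whose session went to the NPU: seen by the flow trace, missed by the sniffer."""
    return [tid for tid, t in traces.items() if t["offload"]]
```

Run the real trace output through summarize_flow_trace to see which of the 20 traced packets belong to offloaded sessions; those are the ones that only reappear in the sniffer after auto-asic-offload is disabled on the matching policy.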
