Friday, June 11, 2010

Packet Sniffers, Traffic Counters and NP2 Accelerated Ports

After switching from an FG800 platform (non-accelerated network ports) to a 310B (NP2-accelerated ports) I noticed that the "diag sniffer packet" command is no longer very useful:

  • Packets are only displayed on the first pass through the firewall. Once the session is established, subsequent packets are "flowed" (offloaded to the NP2 fast path) and never reach the sniffer.
  • IP addresses are incorrect in certain cases. The sniffer shows packets as originating from the firewall's own IP address, whereas a packet capture on the target host shows the original sending host as the source, so the two captures disagree.
  • The traffic counters in the firewall policy screen no longer show accurate values. We receive several gigabytes of log traffic through the firewall per day, yet after several weeks of uptime the counter only displays ~250 MByte of traffic.
  • SNMP statistics do not show correct values either, because fast-pathed packets are not counted.
Solution:

For troubleshooting purposes, when you need to capture packets or check the session flow on the FortiGate, you can bypass H/W acceleration on a specific port with the following command.

Be aware that this affects performance on that port and should only be used for troubleshooting purposes.

 "diagnose npu np2 fastpath-sniffer enable port(s)_number"

This now shows all traffic for all sessions to/from the given port(s) when using the sniffer or the diag debug flow commands.

The command below re-enables H/W offloading:

 "diagnose npu np2 fastpath-sniffer disable port(s)_number"

Note that this is not saved in the configuration and will be lost after a reboot. 

(From Fortinet Knowledge Base) 
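The complete troubleshooting sequence as a CLI walkthrough. This is an added illustration, not text from the post or the Fortinet KB; it assumes the log traffic enters on NP2 port 1 and leaves on port 2, and the host 10.0.0.5, syslog port 514 and prompt are made-up values. The sniffer and debug flow syntax is the standard FortiOS 4.x form.

```text
# Constructed example: port numbers, addresses and prompt are assumed values.

# Step 1: take the ports that carry the traffic out of the NP2 fast path.
#         Runtime setting only; it is not saved and reverts at reboot.
FGT310B # diagnose npu np2 fastpath-sniffer enable 1
FGT310B # diagnose npu np2 fastpath-sniffer enable 2

# Step 2: capture. Verbosity level 4 prints the ingress/egress interface
#         name with each packet, so every packet of the session (not just
#         the first pass) is now visible, with its real source address.
FGT310B # diagnose sniffer packet any 'host 10.0.0.5 and port 514' 4 20

# Step 3 (optional): trace the policy and NAT decisions for the same flow.
FGT310B # diagnose debug enable
FGT310B # diagnose debug flow filter addr 10.0.0.5
FGT310B # diagnose debug flow show console enable
FGT310B # diagnose debug flow trace start 20
# ... reproduce the traffic and read the trace output ...
FGT310B # diagnose debug flow trace stop
FGT310B # diagnose debug flow filter clear
FGT310B # diagnose debug disable

# Step 4: hand the ports back to the NP2 so throughput is restored.
FGT310B # diagnose npu np2 fastpath-sniffer disable 1
FGT310B # diagnose npu np2 fastpath-sniffer disable 2
```

While the ports are out of the fast path, the policy traffic counters and SNMP interface statistics for that traffic should also reflect the full volume, which gives a quick way to confirm that offloading is the cause of the low readings.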

    6 comments:

    Anonymous said...

    Beyond numbers, do the NP2 and CP ASICs give "real life" boosted performance?
    We have a FG800, about 150 policies, VIP, and hundreds of angry users that are blocked by the FG WebFilter.
    We experience "max session reached" from time to time.

    Will the ASICs help us?
    Will it raise the limit?

    Michael said...

    Check Point's SecureXL or "Performance Pack" also has some limitations, i.e. when using TCPDUMP or FW MONITOR you don't see all packets and NAT is totally hidden from the captures.

    Stephane said...

    Based on my own experience, I do think that a FGT310B really outperforms an old FGT800...
    So with a FGT620B...

    Anonymous said...

    I have a customer that is having what sounds like a similar scenario, but regarding SNMP statistics.
    The interface traffic statistics he is getting via his SNMP manager are way too low.

    Sebastian said...

    Yes, that is confirmed. We have the same problem. Disabling fastpath on the appropriate interfaces restores SNMP statistics to the proper values.

    Anonymous said...

    I know it's been a long time since this post has seen a reply, but...
    Has this been fixed yet?

    I seem to have problems with traffic counters that are WAY too low in the GUI and with SNMP.

    I have the problem with:
    the ACLs,
    VPN interfaces,
    logical interfaces,

    but not with:
    physical interfaces/aggregates.

    I'll try the suggested solution asap.

    I have the issue with versions 4-mr2-patch9 and 4-mr3-patch5 on 310B's.