How to diagnose a traffic issue between 2 hosts with a Fortigate firewall?

Context of a real-life scenario:

For one of my customers, I needed to configure strict firewall rules between VLANs. VLAN A contained an Exchange server and VLAN B a Veeam server that needed to back up the Exchange server VM.

Each time I tried to run a backup of the Exchange server, Veeam returned a network error (RPC Unavailable). Even after I allowed the predefined RPC service in the firewall policy rule, it didn't work.

The best way to understand what is going wrong is to use the built-in sniffer of the Fortigate unit. Depending on the Fortigate model you have, the sniffer utility is available in the GUI, via the CLI, or both. The closer your unit is to an entry-level model, the more you will need to run the advanced tools from the CLI.

In all cases, my preferred way of troubleshooting is the CLI. Let's begin with it.

Running the Fortigate sniffer utility from the CLI:

  1. How to access the CLI on the Fortigate unit?

You have 2 options:

  • from the GUI (yes, from the GUI 🙂 )
  • from an SSH session in any SSH client (PuTTY remains the most common and most widely used)

For more information on PuTTY, please go to the official website (PuTTY Website)

If you want to keep a log of what you've done and be able to display a large amount of information, I strongly recommend using PuTTY instead of the CLI widget integrated in the GUI.

From the GUI

  1. open the URL of your firewall
  2. log in to the web interface
  3. click on the CLI widget as shown here

From the SSH client

Prerequisite: enable the SSH server on the Fortigate interface that the SSH client will connect to.

Example: the server where PuTTY is installed has IP and your Fortigate unit has an IP of . Be sure to enable SSH, via the GUI, on the interface where the Fortigate has that IP.



  1. Run PuTTY or any other SSH client from your server
  2. Connect to the Fortigate by entering its IP
  3. Enter your credentials
  4. Launch a sniffer session by typing the following command:

diag sniffer packet <interface_name> '<filter>' <verbose> <count>

In a real-case scenario, here is what you should type if you want to see the traffic between host A and host B:

diag sniffer packet any 'src host and dst host' 1

Command Explanation:

diag sniffer packet: starts the sniffer
any: the interface on which the sniffer listens for the traffic to be monitored. In my case I chose any, as the hosts are located on 2 different interfaces.
'src host and dst host': the filter. I want to see only the traffic between hosts A and B, with no protocol filtering
1: the verbosity level of the sniffer

Note: the sniffer has 6 verbosity levels. Choose the appropriate one depending on the issue you need to resolve.

Verbosity levels:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name


144.718932 -> psh 3914262130 ack 63685806
144.718952 -> psh 3914262130 ack 63685806
144.720622 -> syn 2197328095
144.755747 -> ack 63685886
144.755805 -> ack 63685886
144.755825 -> ack 63685886
147.708245 -> syn 2197328095
153.708268 -> syn 2197328095
174.760978 -> rst 3914262210 ack 63685886
174.761066 -> rst 3914262210 ack 63685886
174.761090 -> rst 3914262210 ack 63685886
174.761393 -> rst 780143497 ack 3214492343
174.761460 -> rst 780143497 ack 3214492343
174.761481 -> rst 780143497 ack 3214492343
188.353298 -> rst 2393120380 ack 3596781657
188.353391 -> rst 2393120380 ack 3596781657
188.353414 -> rst 2393120380 ack 3596781657

In my case, I could determine that some RPC ports and CIFS ports were blocked, as the firewall returned some rst (reset from source) packets.
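Reading a long verbosity-1 capture by eye is error-prone, so here is an added helper (not part of the original post or of FortiOS) that parses the sniffer output shown above and reports, per client-to-server flow, whether the handshake completed, a reset came back, or the SYNs went unanswered. The sample capture and the 192.0.2.x addresses are constructed; the port-to-service names are an assumption based on Microsoft defaults.

```python
import re
from collections import defaultdict

# Verbosity-1 line layout of "diag sniffer packet <if> '<filter>' 1":
#   <seconds> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: <flags> [seq] [ack <n>]
LINE_RE = re.compile(r"^(\d+\.\d+) ([\d.]+)\.(\d+) -> ([\d.]+)\.(\d+): (.*)$")
# Ports the post's scenario involves (assumption: Microsoft defaults for RPC and CIFS).
PORT_NAMES = {135: "RPC endpoint mapper", 445: "CIFS/SMB"}

def analyse(capture):
    """Group packets into client->server flows and report what each client got back."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                               # not a TCP line in this layout
            continue
        _ts, src, sport, dst, dport, rest = m.groups()
        flags = {tok for tok in rest.split() if tok.isalpha()}   # drop seq/ack numbers
        if flags == {"syn"}:                    # pure SYN: the client opening a flow
            flows[(src, sport, dst, dport)]["syn"] += 1
            continue
        key = (dst, dport, src, sport)          # anything else is read as server -> client
        if key in flows:
            flows[key]["synack"] |= flags == {"syn", "ack"}
            flows[key]["rst"] |= "rst" in flags
    verdicts = {}
    for (client, sport, server, dport), st in flows.items():
        if st["rst"]:
            verdict = "reset received"
        elif st["synack"]:
            verdict = "handshake completed"
        else:
            verdict = f"no reply after {st['syn']} SYN(s), silently dropped"
        verdicts[(client, server, int(dport))] = (PORT_NAMES.get(int(dport), f"tcp/{dport}"), verdict)
    return verdicts

# Constructed sample in the post's layout (RFC 5737 addresses; .20 plays the Veeam host, .10 Exchange).
SAMPLE = """\
144.718932 192.0.2.20.52300 -> 192.0.2.10.443: syn 63685805
144.718952 192.0.2.10.443 -> 192.0.2.20.52300: syn 3914262129 ack 63685806
144.720622 192.0.2.20.52310 -> 192.0.2.10.135: syn 2197328095
147.708245 192.0.2.20.52310 -> 192.0.2.10.135: syn 2197328095
153.708268 192.0.2.20.52310 -> 192.0.2.10.135: syn 2197328095
174.760978 192.0.2.20.52311 -> 192.0.2.10.445: syn 780143496
174.761393 192.0.2.10.445 -> 192.0.2.20.52311: rst 780143497 ack 3214492343
"""

if __name__ == "__main__":
    for (client, server, port), (svc, verdict) in analyse(SAMPLE).items():
        print(f"{client} -> {server}:{port} ({svc}): {verdict}")
```

A flow that is "silently dropped" points at a deny policy or a missing route, while a "reset received" flow means something on the path actively refused the port; both are worth checking against the policy rule before blaming the application.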