23 Mar 2022

Packet Capture / Sniffer setup on a Fortigate without a disk

Here's how I go about capturing packets on a FortiGate firewall that does not have a disk.

1. Use an SSH client that can log the session to a file, such as PuTTY, and enable its session logging feature.
This gives me the capture output as a text file, which I then run through the utility that converts it to a pcap file.


2. Setup the sniffer on Fortigate:

diagnose sniffer packet <interface_name> <'filter'> <verbose> <count> <tsformat>

For example:

diagnose sniffer packet any "host <src_host_ip> and host <dst_host_ip>" 6

(verbose level 6, the highest, adds the interface name to the output, so we get all the information we need)

3. Clean up the text file and run it through the conversion utility.

Fortinet's fgt2eth utility (there are a Linux Perl script and a Windows .exe version)

Usage:

fgt2eth.exe -in <file captured>.txt -out <output name>.cap


Alternatives I haven't tested yet:

fgsniffer (announcement post on the Fortinet forums)

sniftran


4. Open the converted pcap file in Wireshark.

5. Get a dark coffee and dive deep into the capture! :)


Ref: Fortinet knowledge base article (FortiGate)

8 Feb 2022

Netflow setup for Cisco devices

Let's see how to export NetFlow from Cisco switches to SolarWinds NetFlow:

  1. Create Flow Record
  2. Create Flow Exporter
  3. Create Flow Monitor
  4. Apply flow monitor to interfaces


Example for Cisco Catalyst 9200/9300 devices

This setup also fixes the following error SolarWinds reports when receiving NetFlow from a Cat9200/9300:
"The NetFlow Receiver Service [Solarwinds-Host] received an invalid V9 template with ID 256 from device . See knowledge base for more information."

The configuration looks like this:

! Flow records: what to key on (match) and what to count (collect)
flow record NETFLOW_INPUT_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match interface input
 collect counter bytes long
 collect counter packets long
!
flow record NETFLOW_OUTPUT_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match interface output
 collect counter bytes long
 collect counter packets long
!
! Exporter: the SolarWinds collector, NetFlow over UDP 2055
flow exporter NETFLOW_EXPORTER
 destination <ip_address_of_Solarwinds_server>
 source <your_source_interface_for_netflow_traffic>
 transport udp 2055
!
! Monitors: tie each record to the exporter
flow monitor NETFLOW_MONITOR_OUTPUT
 exporter NETFLOW_EXPORTER
 record NETFLOW_OUTPUT_RECORD
!
flow monitor NETFLOW_MONITOR_INPUT
 exporter NETFLOW_EXPORTER
 record NETFLOW_INPUT_RECORD
!
! Sampler: 1 in 2 packets, to limit the load on the switch
sampler NETFLOW_SAMPLER
 mode random 1 out-of 2
!
! Apply the monitors, with the sampler, in both directions on the interface
interface <the_interface_which_you_want_to_export_netflow_of>
 ip flow monitor NETFLOW_MONITOR_INPUT sampler NETFLOW_SAMPLER input
 ip flow monitor NETFLOW_MONITOR_OUTPUT sampler NETFLOW_SAMPLER output
!


NOTES:

If you use NBAR, add to the flow records:

 collect application name

If you use BGP, add:

 collect routing source as
 collect routing destination as


Some Other Links: