FortiGate Troubleshooting
Operational deep dives for FortiGate engineers — packet flow from the wire
to the NP7 ASIC and back out again, NPU offload mechanics, SD-WAN service
rule selection, the iprope policy chain, central NAT vs policy NAT, flow
vs proxy UTM, and the diagnose, get, and show commands that come up
under pressure.
A Day in the Life of a Packet on a 50G FortiGate
A five-part deep dive following one packet from the moment it arrives
on a 25G/10G port through every decision point in FortiOS — NP7 fast
path, stateful inspection, RPF, SD-WAN service rules, the FIB,
firewall policy, NAT, security profiles, and the egress path. Ends
with a single-page command reference covering every diagnose, get,
and show in the series, organised by symptom.
- A Day in the Life of a Packet on a 50G FortiGate, Part 1: Ingress, NP7, and the Fast Path
  Where the packet is born on a 50G FortiGate. From the wire and DMA, through the NP7 SoC's session cache, IPSA, NTurbo, and the moment a packet either flies through hardware or crosses the bridge into the kernel slow path.
- A Day in the Life of a Packet on a 50G FortiGate, Part 2: Stateful Inspection, Session Lookup, and Anti-Spoofing
  The packet has been punted from the NP7 to the kernel. Now FortiOS does the things ASICs cannot: IP integrity, DoS sensors, RPF, session table lookup, helpers, and the state machine that decides whether this is a brand new flow or one we already know.
Other Troubleshooting Posts
Standalone troubleshooting and diagnostics write-ups that don't form part of the packet-flow series.
- A Day in the Life of a Packet on a 50G FortiGate, Part 3: Routing, Policy Routes, and SD-WAN Service Rules
  The packet has a session entry and now needs to know where to go. FortiOS resolves that in a strict order: policy routes, then SD-WAN service rules, then the FIB. Each layer has its own logic, its own match criteria, and its own diagnostic surface.
- A Day in the Life of a Packet on a 50G FortiGate, Part 4: Firewall Policy, NAT, and Security Profiles
  Routing told the packet where it's going. Firewall policy decides whether it's allowed, NAT rewrites it, and security profiles inspect it. Inside the iprope chain, central NAT vs policy NAT, VIPs, IP pools, and the flow-vs-proxy UTM pipeline.
- A Day in the Life of a Packet on a 50G FortiGate, Part 5: Egress, NPU Offload, and the Full Troubleshooting Cookbook
  The packet is decided. Now it has to actually leave. Egress shaping, NPU offload re-evaluation, IPsec encap, ARP, transmit. Then a single-page reference of every diagnose, get, and show command from across this series.
- tcpdump Deep Dive: BPF Filters, Capture Rotation, and Cross-Mapping to FortiGate's diagnose sniffer packet
  A practical, command-heavy guide to getting real value out of tcpdump — precise BPF filters, production-grade ring-buffer captures, and a side-by-side mapping to FortiGate's diagnose sniffer packet so you can switch between the two without losing your place.
How to use this section
If you're new to FortiGate packet flow, work through the five-part series in order — each part hands the packet off to the next stage and the diagnostic vocabulary builds up as you go. If you're triaging a live issue, jump straight to Part 5: it ends with a complete command cookbook organised by symptom (sniffer, driver, NPU, sessions, policy, NAT, routing, SD-WAN, UTM, VPN, auth, flow trace, CPU/memory, HA), plus a 10-step triage discipline.
Diagnostics and troubleshooting from a certification angle are covered in the NSE4 and NSE5 series.