
Administration Guide

Diagnosing NPU-based interfaces


You can use the commands in this section to diagnose sessions offloaded to network processors (also called NPUs or NPs) in your FortiGate. Most FortiGates contain one or more of the following NPUs:

  • NP7 or NP7Lite

  • NP6, NP6XLite or NP6Lite

You can find your FortiGate unit in the Hardware Acceleration Guide to determine its NPU configuration.

Normally you can use the diagnose debug flow command to view sessions. However, this command only displays sessions processed by the CPU (also called software sessions). To view sessions offloaded to NPUs (also called hardware sessions), you must use the commands and techniques described in this section.

Note

Alternatively, you can disable NPU offloading and then use the diagnose debug flow command. You should only disable the NPU functionality for troubleshooting purposes.

Diagnosing NP7 or NP7Lite sessions

Use the following command to list the NP7 processors in your FortiGate unit and the interfaces that they connect to:

diagnose npu np7 port-list

Use the following command to list the NP7Lite processors in your FortiGate unit and the interfaces that they connect to:

diagnose npu np7lite port-list

To use the NP7 packet sniffer

On FortiGates with NP7 and NP7Lite processors, you can use the following command to view sessions:

diagnose npu sniffer {start | stop | filter}

Here is a basic example to sniff offloaded TCP packets received by the port23 interface. In the following example:

  • The first line clears the filter.

  • The second line sets the sniffer to look for packets on port23.

  • The third line looks for packets exiting the interface.

  • The fourth line looks for TCP packets.

  • The fifth line starts the sniffer.

  • The sixth line starts displaying the packets on the CLI.

    diagnose npu sniffer filter
    diagnose npu sniffer filter intf port23
    diagnose npu sniffer filter dir 1
    diagnose npu sniffer filter protocol 6
    diagnose npu sniffer start
    diagnose sniffer packet npudbg

For more information, see NP7 packet sniffer or Tracing packet flow on FortiGates with NP7 processors.

See this Fortinet Community article for an NP7 packet sniffer example: Troubleshooting Tip: Collecting NP7 packet capture without disabling offload.

Diagnosing NP6, NP6XLite or NP6Lite sessions

Use either of the following commands to list the NP6 processors in your FortiGate unit and the interfaces that they connect to:

get hardware npu np6 port-list

diagnose npu np6 port-list

Use the following command to list the NP6XLite processors in your FortiGate unit:

get hardware npu np6xlite port-list

Use either of the following commands to list the NP6Lite processors in your FortiGate unit:

get hardware npu np6lite port-list

diagnose npu np6lite port-list

The output of all of these commands includes the device ID or dev_id of each NP processor. Only FortiGates with NP6 processors have multiple dev_ids. On FortiGates with one NP6, NP6XLite, or NP6Lite processor, dev_id is always 0.

To diagnose NP6, NP6XLite, or NP6Lite sessions, disable NPU offloading.

diagnose npu <processor> fastpath disable <dev_id>

Then use the diagnose debug flow command to view sessions.
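
The following sequence is an added example, not part of the original guide. It walks through the NP6 procedure above from start to finish, including turning offloading back on afterward. It assumes a FortiGate with one NP6 processor (dev_id 0) and uses the constructed documentation address 192.0.2.10 as the host of interest. Lines starting with # are annotations.

```fortios
# 1. Confirm which NP6 (dev_id) serves the interface you are troubleshooting.
diagnose npu np6 port-list

# 2. Temporarily disable offloading on that processor (dev_id 0 assumed).
#    Sessions set up after this point are handled by the CPU and become visible to debug flow.
diagnose npu np6 fastpath disable 0

# 3. Start from a clean debug state and limit the trace to one host
#    (192.0.2.10 is a constructed example address).
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow show function-name enable

# 4. Trace a bounded number of packets so the console is not flooded.
diagnose debug flow trace start 20
diagnose debug enable

# ... reproduce the traffic and review the output ...

# 5. Stop tracing and clear the debug state.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
diagnose debug reset

# 6. Re-enable offloading so traffic returns to the NP6 fast path.
diagnose npu np6 fastpath enable 0
```

Keeping the filter narrow and the trace count small limits the extra CPU load while offloading is disabled.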
