NSE4 Question #354: Real Exam Question with Answer & Explanation

Question

An administrator is using the FortiGate built-in sniffer to capture HTTP traffic between a client and a server, however, the sniffer output shows only the packets related with TCP session setups and disconnections. Why?

Options

• AThe administrator is running the sniffer on the internal interface only.
• BThe filter used in the sniffer matches the traffic only in one direction.
• CThe FortiGate is doing content inspection.
• DTCP traffic is being offloaded to an NP6.

Explanation

The FortiGate sniffer only showing TCP session setup and disconnection packets, but no data, indicates that the data plane traffic is being offloaded to an NP6 processor.

Common mistakes.

• A. Running the sniffer on only the internal interface would simply limit the capture to that interface but would still show data packets if they were processed by the CPU and not offloaded.
• B. Even if a sniffer filter only captured traffic in one direction, it would still show data packets for that direction if they were processed by the CPU, not just session setup/teardown.
• C. Content inspection (like proxy-based UTM) is performed by the FortiGate's CPU, which would actually make the traffic more visible to a software sniffer, not less.

Concept tested. FortiGate NP6 offloading and sniffer behavior

Reference. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-FortiGate-NPx-offloading/ta-p/192666

No community discussion yet for this question.