FA2 and NP2 based interfaces
Many Fortinet products contain network processors. Some of these products contain FortiAccel (FA2) network processors while others contain NP2 network processors. Network processor features, and therefore offloading requirements, vary by network processor model.
When using FA2- and NP2-based interfaces, only the initial session setup is visible through the diag debug flow command. Once the session is correctly programmed into the ASIC (fastpath), the debug flow command no longer sees the packets, because they no longer arrive at the CPU. If the NP2 functionality is disabled, the CPU sees all the packets; however, this should only be done for troubleshooting purposes.
First, obtain the NP2 and port numbers with the following command:
diag npu np2 list
Sample output:
ID PORTS
-- -----
0 port1
0 port2
0 port3
0 port4
ID PORTS
-- -----
1 port5
1 port6
1 port7
1 port8
ID PORTS
-- -----
2 port9
2 port10
2 port11
2 port12
ID PORTS
-- -----
3 port13
3 port14
3 port15
3 port16
 
Run the following command:
diag npu np2 fastpath disable <dev_id>
(where dev_id is the NP2 number)
Then, run this command:
diag npu np2 fastpath-sniffer enable port1
Sample output:
NP2 Fast Path Sniffer on port1 enabled
This causes all traffic on port1 of the NP2 to be sent to the CPU, meaning a standard sniffer trace can be taken and other diag commands should work as if it were a standard CPU-driven port.
These commands apply only to the newer NP2 interfaces. FA2 interfaces are more limited: the sniffer captures only the initial packets before the session is offloaded into hardware (FA2). The same holds true for the diag debug flow command, which shows only the session setup; however, this is usually enough for the command to be useful.
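The NP2 procedure above, as an added example that is not part of the original Fortinet documentation: a Python helper that parses saved `diag npu np2 list` output, finds the NP2 ID that owns a port, and builds the command sequence. The function names are hypothetical, the sample input is constructed, and the rollback commands assume that `enable`/`disable` counterparts of the two commands shown above exist.

```python
import re

# Constructed sample in the layout of the `diag npu np2 list` output above.
SAMPLE_LIST_OUTPUT = """\
ID PORTS
-- -----
0 port1
0 port2
ID PORTS
-- -----
1 port5
1 port6
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "<np2 id> <port name>"

def parse_np2_list(text):
    """Return {port_name: np2_id} from `diag npu np2 list` output."""
    mapping = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, separator, or blank line
            continue
        dev_id, port = int(m.group(1)), m.group(2)
        if mapping.get(port, dev_id) != dev_id:
            raise ValueError(f"{port} listed under two NP2 IDs")
        mapping[port] = dev_id
    return mapping

def capture_plan(text, port):
    """Build the command sequence for sniffing one offloaded port."""
    mapping = parse_np2_list(text)
    if port not in mapping:
        raise KeyError(f"{port} is not an NP2 port; no fastpath to disable")
    dev_id = mapping[port]
    siblings = sorted(p for p, d in mapping.items() if d == dev_id and p != port)
    return {
        "dev_id": dev_id,
        # fastpath disable is keyed on the NP2 ID, which these ports share.
        "also_affected": siblings,
        "enable": [f"diag npu np2 fastpath disable {dev_id}",
                   f"diag npu np2 fastpath-sniffer enable {port}"],
        # Assumed counterparts of the commands above, to restore offloading.
        "rollback": [f"diag npu np2 fastpath-sniffer disable {port}",
                     f"diag npu np2 fastpath enable {dev_id}"],
    }

if __name__ == "__main__":
    print("\n".join(capture_plan(SAMPLE_LIST_OUTPUT, "port6")["enable"]))
```

Keeping the rollback list next to the enable list makes it harder to leave an NP2 running without offload after the capture is finished.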