Fortinet: Is there any equivalent of the ASA's packet-tracer command?

On the FortiGate you actually don't have a command with the capability to generate a dummy packet like on your Cisco ASA. But the closest utility will be the "diagnose debug flow" commands. The difference is that, with FortiGate, you need real traffic traversing the firewall.

Below are the complete commands that you need to execute:

diagnose debug reset
diagnose debug flow filter addr <source OR destination IP address>
diagnose debug flow show console enable
diagnose debug flow show function enable
diagnose debug flow trace start <number of entries you want to view. e.g. 100>
diagnose debug enable
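The debug flow trace above tells you, per trace_id, which packet arrived and whether a policy allowed or denied it. As an added example (not from any of the posts above), the following Python parses a pasted trace into that per-flow summary; the sample lines are constructed to follow the shape of FortiOS "diagnose debug flow" output and are not real device output.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the shape of "diagnose debug flow" output
# (trace 1 allowed by policy 7, trace 2 denied by the implicit policy 0).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root received a packet(proto=6, 192.0.2.10:51514->198.51.100.5:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root received a packet(proto=17, 192.0.2.10:40000->198.51.100.9:161) from port1."
id=20085 trace_id=2 func=init_ip_session_common line=5682 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=fw_forward_handler line=760 msg="Denied by forward policy check (policy 0)"
"""

# First message of a trace: protocol number and the 5-tuple endpoints.
PKT_RE = re.compile(
    r'trace_id=(\d+) .*received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')
# Verdict message: either an explicit policy match or a forward-policy denial.
VERDICT_RE = re.compile(
    r'trace_id=(\d+) .*msg="(?:Allowed by Policy-(\d+)|Denied by forward policy check \(policy (\d+)\))')


def _entry(traces, tid):
    # One record per trace_id, created on first sight in whichever line comes first.
    return traces.setdefault(
        tid, {"proto": None, "src": None, "dst": None, "verdict": None, "policy": None})


def summarize_flow(text):
    """Map trace_id -> {proto, src, dst, verdict ('allow'/'deny'/None), policy}."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            e = _entry(traces, m.group(1))
            e["proto"] = int(m.group(2))
            e["src"] = f"{m.group(3)}:{m.group(4)}"
            e["dst"] = f"{m.group(5)}:{m.group(6)}"
            continue
        m = VERDICT_RE.search(line)
        if m:
            e = _entry(traces, m.group(1))
            if m.group(2) is not None:
                e["verdict"], e["policy"] = "allow", int(m.group(2))
            else:
                e["verdict"], e["policy"] = "deny", int(m.group(3))
    return traces


def undecided(traces):
    """trace_ids that never reached a policy verdict (e.g. dropped earlier or trace cut short)."""
    return [tid for tid, e in traces.items() if e["verdict"] is None]
```

Run the trace with "diagnose debug flow show function enable" as above so the fw_forward_handler lines are present; without function names the verdict messages still parse, since the regexes key on the msg text.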

I do believe the closest thing you will find to that on Fortinet devices is the sniffer utility (it can be accessed with: diagnose sniffer ?). I forget the exact options after this point, but it should be what you're looking for.


It is named "diagnose debug flow trace" on FortiGate.

https://blog.webernetz.net/2015/12/21/cli-commands-for-troubleshooting-fortigate-firewalls/


Before implementing any rule/policy in Cisco ASA we have an option to check whether a similar rule is already present in the firewall rule base by using the packet-tracer command, or during troubleshooting we can check by using the packet-tracer command if the connection is allowed or denied without initiating any actual traffic. This is one of the good features I like of the Cisco ASA, but the same is not available in FortiGate firewalls.

To fulfill a similar kind of requirement in a FortiGate firewall, the best we can do is use the diagnose debug commands, which will require someone to initiate traffic.