This article describes why it is necessary to disable ASIC on firewall policy.
Scope
All FortiGate which has ASIC.
Solution
Before attempting to capture traffic on ForitGate ensure that ASIC offloading is disabled on the respective firewall policy.
This is because sessions offloaded by Network Processors (NP6, NP6Lite) will not be captured by the sniffer.
Command to disable ASIC in policy:
config firewall policy edit <policy_id> set auto-asic-offload disable end
Note:
Create a more specific firewall policy and then disable ASIC offloading just there, to prevent CPU overutilization.
Remember to revert the changes once the troubleshooting is done.