Port mirroring

Author
acsuser
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/24 06:41:28
  • Status: offline
2015/03/24 08:40:47 (permalink)
0

Port mirroring

Hi, I am looking for a FortiGate with port mirroring functionality and I can't find any information about which models can do this. Can the 60D do this, or do I need to look for a bigger appliance?
 
Thanks
#1
Adrian Buckley_FTNT
Gold Member
  • Total Posts : 261
  • Scores: 6
  • Reward points: 0
  • Joined: 2008/01/09 14:14:22
  • Status: offline
Re: Port mirroring 2015/03/24 10:38:30 (permalink)
0
That feature requires a hardware switch and 5.2+ firmware. So any model that has a hardware switch (not a software-based switch) can do port SPAN.
I think there was some 5.0.x experimentation with allowing the feature on software switches. However, when you think about that, it's pretty easy to see why it could fail fairly spectacularly under load.
 
Some of the lower-end models (like the 60D) have a built-in switch, but the internal controls are done via software. Larger devices (like the 100D) have packet control of the switch handled in hardware. I'm not sure about devices in between like the 90D, but I'm fairly sure those are software. So you probably need a 100D or larger device with a built-in switch.
 
 
#2
Shawn W
Silver Member
  • Total Posts : 61
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/10/15 09:56:31
  • Status: offline
Re: Port mirroring 2015/03/24 11:08:59 (permalink)
0
From the FortiOS CLI reference, under system > switch-interface:
    config system switch-interface
        edit <group_name>
            set member <iflist>
            set span {enable | disable}
            set span-dest-port <portnum>
            set span-direction {rx | tx | both}
            set span-source-port <portlist>
            set type {hub | switch | hardware-switch}
            set vdom <vdom_name>
    end
#3
acsuser
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/24 06:41:28
  • Status: offline
Re: Port mirroring 2015/03/24 13:01:34 (permalink)
0
Thanks Shawn, what appliance range is this for?
#4
Shawn W
Silver Member
  • Total Posts : 61
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/10/15 09:56:31
  • Status: offline
Re: Port mirroring 2015/03/24 13:10:57 (permalink)
0
I am not certain. I found this in the FortiOS CLI Reference for FortiOS 5.0.
#5
Adrian Buckley_FTNT
Gold Member
  • Total Posts : 261
  • Scores: 6
  • Reward points: 0
  • Joined: 2008/01/09 14:14:22
  • Status: offline
Re: Port mirroring 2015/03/24 13:53:49 (permalink)
0
As I mentioned, 5.0 allowed this for software switches as well. That's a bad idea, since high CPU levels cause dropped packets.

5.2+ won't allow the feature to be used on a device with a software switch, so if you don't get the right device you might wind up not being able to upgrade.
#6
emnoc
Expert Member
  • Total Posts : 5209
  • Scores: 339
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: online
Re: Port mirroring 2015/03/24 20:58:46 (permalink)
0
Take Adrian's advice.
 
The commands do exist even on the lower-end models, which is misleading btw (5.2.x), and it will not allow you to select any ports after enabling span.
 
Also, the span activity is against "real ports" vs. virtual interfaces. So keep this in mind if you have VLAN interfaces, tunnels, etc.
 
As far as CPU impact, even the larger chassis have shown a slight uptick in CPU usage in my experience.
 
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#7
acsuser
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/24 06:41:28
  • Status: offline
Re: Port mirroring 2015/03/25 13:04:07 (permalink)
0
OK, then I think a separate aggregation tap is required!
#8
Lionel.Orishane
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/02/27 06:53:29
  • Status: offline
Re: Port mirroring 2016/04/17 06:31:21 (permalink)
0
Hi Experts,
 
I'm considering a scenario to SPAN traffic on the FortiGate, then have it sent to an attached pcap analyzer application (like Deep Discovery Inspector appliance) to analyze the packet for deeper visibility.
 
Kindly advise with your expertise. 
 
Regards,
Lionel
#9
Big Abe
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/01/26 12:39:44
  • Status: offline
Re: Port mirroring 2016/10/19 13:38:56 (permalink)
0
Lionel - did you find a resolution - I'm trying to do exactly that. (FGT 800C -> Trend DDI) 
 
 
Cheers. 
 

FCNSP
-------------------------------------
"They have us surrounded again,
those poor bastards."
-Unnamed Medic
#10
ergotherego
Gold Member
  • Total Posts : 129
  • Scores: 14
  • Reward points: 0
  • Status: offline
Re: Port mirroring 2017/05/23 15:18:54 (permalink)
0
Is there a document that lists all models that have hardware switches?
 
Does the ISF (inter-switch fabric) count as a hardware switch?
#11
neonbit
Expert Member
  • Total Posts : 515
  • Scores: 67
  • Reward points: 0
  • Joined: 2013/07/02 21:39:52
  • Location: Dark side of the moon
  • Status: offline
Re: Port mirroring 2017/05/24 03:17:24 (permalink) (marked Helpful by ergotherego 2017/05/24 11:01:30)
0
The Fortinet Feature/Platform Matrix shows which devices have hardware switches:
 
http://docs.fortinet.com/d/fortigate-fortios-5.6-feature-platform-matrix
 
#12
adogra
Bronze Member
  • Total Posts : 30
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/10 07:32:00
  • Status: offline
Re: Port mirroring 2019/01/04 01:57:12 (permalink)
0
Hi guys,
 
I'm using a FortiGate 200D, firmware 5.4.1, in HA mode. I need to attach a Darktrace appliance for network analysis and deep inspection. Could anyone please advise whether I can use the FortiGate 200D to SPAN/port mirror to another interface?
 
2) Can I use multiple existing ports (WAN1 and other ports in the firewall) and mirror them onto one interface in the FW, which I can then use for the deep inspection appliance?
 
3) If yes to the above, how?
 
I found the below commands for span:
    WF30D (internal) # set type
    switch Switch.
    hub Hub.
 
I still tried to configure SPAN on it, which it allowed me to do, but I can't get it to work:
 
    config system switch-interface
        edit "internal"
            set member "lan1" "lan3" "lan4"
            set span enable
            set span-dest-port "lan1"
            set span-source-port "lan4"
        next
 
(Does the member line mean 3 ports are active in the internal switch, or are they the firewall's actual interfaces?)
 
 
 
Thanks
A
#13
justinhatem
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/07/31 06:59:53
  • Status: offline
Re: Port mirroring 2019/07/31 07:19:12 (permalink)
0
Working on something similar for a 201E firewall.
 
I don't see the options in the GUI; however, the CLI seems to support the commands. However, it won't let me use wan1 as a member or as a span source. Also, my switch ports (13 and 14) are an aggregate, so I am unable to select those either. Any ideas?
 
Trying to do something like this: 
wf-fw01 (mirror) # show
config system switch-interface
    edit "mirror"
        set vdom "root"
        set span enable
    next
end
 
wf-fw01 (mirror) # set member port8
 
wf-fw01 (mirror) # set member wan1
entry not found in datasource
 
value parse error before 'wan1'
Command fail. Return code -3
 
wf-fw01 (mirror) #  
#14
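Several posts in this thread run into the same small set of SPAN pitfalls: the switch group has to be a hardware switch (posts #2 and #6), the mirrored ports have to be real physical ports rather than VLAN, tunnel or aggregate interfaces (posts #7 and #14), and the source and destination ports have to be members of the switch group (the config in post #13). The script below is an added example, not code from this thread or from Fortinet: it parses a `config system interface` / `config system switch-interface` dump in the syntax post #3 quotes and flags those conditions before you commit the config. The sample config is constructed for the example, and it assumes the config-dump defaults that an interface with no `set type` is physical and a switch-interface with no `set type` is a software switch.

```python
"""Lint FortiOS SPAN (port mirroring) settings for the pitfalls raised in this thread.
Added example, not from the thread or Fortinet; assumptions are marked inline."""
import shlex


def parse_fortios(text):
    """Parse top-level FortiOS tables into {table: {entry: {setting: [values]}}}.

    Understands 'config ... / edit / set / next / end'. Sub-tables nested inside an
    entry (e.g. 'config ipv6' under an interface) are skipped rather than parsed.
    """
    tables = {}
    table = entry = None
    nested = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)          # honours the "quoted" names in dumps
        if cmd == "config":
            if table is None:
                table = " ".join(args)
                tables.setdefault(table, {})
            else:
                nested += 1                      # entering a nested sub-table
        elif cmd == "end":
            if nested:
                nested -= 1
            else:
                table = entry = None
        elif nested or table is None:
            continue
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
    return tables


def lint_span(tables):
    """Return 'entry: problem' strings for every switch-interface with span enabled.

    Rules taken from the thread: span needs a hardware switch; SPAN ports must be
    real physical ports (not vlan/tunnel/aggregate); SPAN ports must be members of
    the group. Assumption: missing 'type' means physical for an interface and
    software 'switch' for a switch-interface (the FortiOS config-dump defaults).
    """
    ifaces = tables.get("system interface", {})
    in_aggregate = {
        port
        for settings in ifaces.values()
        if settings.get("type") == ["aggregate"]
        for port in settings.get("member", [])
    }
    problems = []
    for name, s in tables.get("system switch-interface", {}).items():
        if s.get("span") != ["enable"]:
            continue
        members = s.get("member", [])
        dest = s.get("span-dest-port", [])
        sources = s.get("span-source-port", [])
        if s.get("type", ["switch"]) != ["hardware-switch"]:
            problems.append(f"{name}: span requires 'set type hardware-switch'; "
                            "a software switch is refused on FortiOS 5.2+")
        if not dest:
            problems.append(f"{name}: span-dest-port is not set")
        if not sources:
            problems.append(f"{name}: span-source-port is not set")
        for port in dest + sources:
            if port not in members:
                problems.append(f"{name}: {port} is not a member of this switch")
            itype = ifaces.get(port, {}).get("type", ["physical"])[0]
            if itype != "physical":
                problems.append(f"{name}: {port} is a {itype} interface, not a real port")
            if port in in_aggregate:
                problems.append(f"{name}: {port} belongs to an aggregate and cannot be mirrored")
        if set(dest) & set(sources):
            problems.append(f"{name}: span-dest-port is also listed as a span-source-port")
    return problems


# Constructed sample: 'internal' is a correct hardware-switch SPAN; 'mirror' repeats
# the mistakes from the thread (software switch, a VLAN as source, a LACP member).
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set vdom "root"
        set type physical
        config ipv6
            set ip6-mode static
        end
    next
    edit "port2"
        set vdom "root"
    next
    edit "port3"
        set vdom "root"
    next
    edit "port4"
        set vdom "root"
    next
    edit "port13"
        set vdom "root"
    next
    edit "port14"
        set vdom "root"
    next
    edit "lacp1"
        set vdom "root"
        set type aggregate
        set member "port13" "port14"
    next
    edit "vlan100"
        set vdom "root"
        set type vlan
        set interface "port2"
        set vlanid 100
    next
end
config system switch-interface
    edit "internal"
        set vdom "root"
        set member "port1" "port2" "port3"
        set span enable
        set span-dest-port "port1"
        set span-source-port "port2" "port3"
        set type hardware-switch
    next
    edit "mirror"
        set vdom "root"
        set member "port4" "vlan100"
        set span enable
        set span-dest-port "port4"
        set span-source-port "vlan100" "port13"
    next
end
"""

if __name__ == "__main__":
    for problem in lint_span(parse_fortios(SAMPLE_CONFIG)):
        print(problem)
```

Run it against `show system interface` and `show system switch-interface` output pasted into a file; a clean hardware-switch group like `internal` produces no output, while `mirror` reports the missing `hardware-switch` type, the VLAN source, and the aggregate member. The linter cannot tell you whether a given model's built-in switch is hardware or software; that still comes from the Feature/Platform Matrix linked in post #12.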