Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sonydarrel
New Contributor

Fortigate 1500D

hello Dears,

We want to do a FortiGate POC for one of our customers. We have configured the SPAN session on the Cisco switch with all the VLANs as the source and FortiGate port17 as the destination port.

 

Now I don't see any traffic coming to the firewall. What configuration has to be done on the FortiGate end to accept packets? In a Palo Alto firewall I have an interface type of TAP which I select and it accepts traffic, but for the FortiGate firewall what has to be done?

 

thanks

4 Solutions
emnoc
Esteemed Contributor III

You're doing inspection (IDS), so you need a one-arm configuration and an inspection policy similar to this:

 

    config firewall interface-policy
        edit 0
            set interface "port17"
            set srcaddr "all"
            set dstaddr "all"
            set service "ANY"
            set comment "SPAN PORT TO CISCO NXOS"
            set logtraffic all
            set ips-sensor-status enable
            set ips-sensor "pass_log_all_sig"
        next
    end

 

In your IPS sensor you will craft the IPS signatures that you require.

 

PCNSE 

NSE 

StrongSwan  


romanr
Valued Contributor

Hey,

 

the feature to use would be the "one arm sniffer"...

 

https://video.fortinet.com/video/124/one-arm-sniffer

 

Br,

Roman


ede_pfau
Esteemed Contributor III

Wouldn't RPF make the FGT drop all 'unknown sources' traffic?

The cure would be a default route pointing to port17.


Ede

"Kernel panic: Aiee, killing interrupt handler!"


ericli_FTNT
Staff

Hi all,

OP didn't mention the version of FortiOS, so I make an example for 5.4.5:

 

1. Enable IPS sniffer mode on the interface: "set ips-sniffer-mode enable"

2. Configure the sniffer policy:

    config firewall sniffer
        edit 1
            set logtraffic all
            set ipv6 enable
            set non-ip enable
            set interface "port10"
        next
    end

In this section you can modify the parameters of the sniffer, like VLAN tag, host, non-IP or not...

3. diag sniffer packet port10 '' 4
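Putting the steps above together for the OP's port17, as an added example that is not from any of the replies: the interface is placed in sniffer mode, a sniffer policy attaches the IPS sensor named in emnoc's reply (assumed to already exist under "config ips sensor"), and the sniffer diagnostic confirms frames are arriving. It assumes the FortiOS 5.4-era CLI syntax used in ericli's post.

```text
# Added example, not from the thread: one-arm sniffer on port17.
# Assumes port17 has no IP address and is not referenced elsewhere,
# which sniffer mode requires.

# Step 1: put the SPAN-facing port into sniffer mode. A sniffer-mode
# interface only receives; it does not forward traffic, so no default
# route is needed (emnoc's point about IDS/TAP operation).
config system interface
    edit "port17"
        set ips-sniffer-mode enable
    next
end

# Step 2: sniffer policy that accepts everything on port17, including
# VLAN-tagged and non-IP frames, and runs it through the IPS sensor.
# "pass_log_all_sig" is the sensor name from emnoc's reply (assumed to exist).
config firewall sniffer
    edit 1
        set status enable
        set interface "port17"
        set logtraffic all
        set ipv6 enable
        set non-ip enable
        set ips-sensor-status enable
        set ips-sensor "pass_log_all_sig"
    next
end

# Step 3: before debugging the policy, confirm the switch is actually
# mirroring frames to port17 (verbosity 4 shows interface names).
diagnose sniffer packet port17 '' 4
```

If step 3 shows nothing, the problem is the SPAN session on the switch side, not the FortiGate policy.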

 


emnoc
Esteemed Contributor III

If it's one arm, it's inspecting as an IDS. The OP would need to confirm "TAP/SPAN" and IDS. In this case the appliance "does not route data/traffic". So a default route is not needed.

 

He can tighten the firewall policy by selecting sources also and craft unique sensors per firewall policy.

 

Ken

 

PCNSE 

NSE 

StrongSwan  
