Technical Note: How to mirror and capture traffic flowing through a FortiController in SLBC
Description
This article explains how to mirror and capture traffic on a FortiController using flow rules.
Scope
FortiController v5.2.
Solution
The flow rule feature allows us to mirror ingress and egress traffic flowing through the FortiController. Mirrored traffic is copied to a mirror interface.
Two interfaces are available:
- fabric-mgmt-1
- fabric-mgmt-2
The following configuration will mirror SSH packets to fabric-mgmt-1 (note that if no “set forward-slot” statement is configured, the traffic will be directed to the ELBC master blade).
config switch fabric-channel flow-rule
    edit 1
        set status enable
        set src-interface "LAG-IN"
        set vlan 0
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 22-22
        set action forward mirror-ingress
        set mirror-interface "fabric-mgmt-1"
    next
end
Since flow rules are stateless and apply to only one direction, a second flow rule for the reply direction must be configured as well.
config switch fabric-channel flow-rule
    edit 2
        set status enable
        set src-interface "LAG-OUT"
        set vlan 0
        set ether-type ipv4
        set protocol tcp
        set src-l4port 22-22
        set action forward mirror-ingress
        set mirror-interface "fabric-mgmt-1"
    next
end
Start a sniffer on fabric-mgmt-1 interface:
FT-B-1 # diag sniffer packet fabric-mgmt-1 '' 4 0
interfaces=[fabric-mgmt-1]
filters=[]
pcap_lookupnet: fabric-mgmt-1: no IPv4 address assigned
3.541567 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: syn 4062706488
3.542484 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: syn 1759687324 ack 4062706489
3.611420 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687325
3.612565 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.612818 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.625830 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687325 ack 4062706530
3.884041 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.884255 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.999089 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687364
3.999261 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687364 ack 4062706530
In the above example VLAN interfaces are used, so the 802.1Q tag is visible on the client side (vlan#118) and on the server side (vlan#2). Both legs of the SSH session appear in the capture because flow rule 1 mirrors the client-to-server direction and flow rule 2 mirrors the reply direction.
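To confirm that both flow rules are matching, the following Python script (an added example written for this note, not Fortinet code) parses the verbose level 4 sniffer output above and reports whether the capture contains both the client-to-server leg (destination port 22) and the reply leg (source port 22). The sample text embedded in the script is the capture shown above; the parser pairs each 802.1Q header line with the IP/TCP summary line that follows it, which is the layout of this output, and ignores any other line. It keys on TCP port and VLAN tag rather than matching addresses across the two legs, because the server-side leg in the capture carries a different client address (10.5.19.202).

```python
import re
import sys

# Constructed sample: the lines of the 'diag sniffer packet fabric-mgmt-1 '' 4 0'
# capture shown above. Verbose level 4 prints an 802.1Q header line followed by
# the IP/TCP summary line for the same frame; other lines are ignored.
SAMPLE = """\
interfaces=[fabric-mgmt-1]
filters=[]
pcap_lookupnet: fabric-mgmt-1: no IPv4 address assigned
3.541567 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: syn 4062706488
3.542484 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: syn 1759687324 ack 4062706489
3.611420 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687325
3.612565 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.612818 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.625830 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687325 ack 4062706530
3.884041 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.884255 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.999089 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687364
3.999261 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687364 ack 4062706530
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "3.541567 802.1Q vlan#118 P0"  -> timestamp, VLAN id, 802.1p priority
HDR_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+802\.1Q\s+vlan#(?P<vlan>\d+)\s+P(?P<prio>\d+)$")
# "10.118.0.100.40446 -> 10.5.31.1.22: syn 4062706488"  -> endpoints and TCP flags
PKT_RE = re.compile(
    rf"^(?P<src>{IPV4})\.(?P<sport>\d+)\s+->\s+(?P<dst>{IPV4})\.(?P<dport>\d+):\s*(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Return one dict per frame, pairing each 802.1Q header line with the
    IP/TCP summary line that follows it. An untagged summary line (no header
    before it) is kept with vlan=None."""
    packets = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR_RE.match(line)
        if m:
            header = {"ts": float(m["ts"]), "vlan": int(m["vlan"]), "prio": int(m["prio"])}
            continue
        m = PKT_RE.match(line)
        if m:
            pkt = header if header is not None else {"ts": None, "vlan": None, "prio": None}
            pkt.update(
                src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]),
                flags=m["flags"].split(),
            )
            packets.append(pkt)
            header = None
    return packets


def check_bidirectional(packets, port=22):
    """Summarise which legs of the TCP service on `port` reached the mirror.
    Flow rules are stateless and one-directional, so a capture that holds only
    dport==port frames means the reply rule (the one matching src-l4port) is
    missing or not matching."""
    to_server = [p for p in packets if p["dport"] == port]
    from_server = [p for p in packets if p["sport"] == port]
    return {
        "to_server": len(to_server),
        "from_server": len(from_server),
        "vlans_to_server": sorted({p["vlan"] for p in to_server if p["vlan"] is not None}),
        "vlans_from_server": sorted({p["vlan"] for p in from_server if p["vlan"] is not None}),
        "both_directions": bool(to_server) and bool(from_server),
    }


if __name__ == "__main__":
    # Analyse a saved capture given as the first argument, else the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in check_bidirectional(parse_sniffer(text)).items():
        print(f"{key}: {value}")
```

Run it with no arguments to analyse the embedded sample, or pass the path of a saved sniffer capture. A result of `both_directions: False` with `from_server: 0` is the signature of a missing or non-matching reply rule; the two VLAN lists show which side of the cluster each leg was mirrored from.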
Related Articles
Technical Tip: Forcing traffic to be handled by a specific worker on a FortiController
