sonydarrel
New Member
March 7, 2018
Solved

Fortigate 1500D

  • March 7, 2018
  • 3 replies
  • 6796 views

Hello dears,

We want to do a FortiGate POC for one of our customers. We have configured the SPAN session on the Cisco switch with a source of all the VLANs and the destination port connected to FortiGate port17.

Now I don't see any traffic coming to the firewall. What configuration has to be done on the FortiGate end to accept packets? In a Palo Alto firewall I have an interface type called TAP which I select and it accepts traffic, but for the FortiGate firewall what has to be done?

Thanks

    Best answer by ericli_FTNT (Staff), March 7, 2018

    Hi all,

    OP didn't mention the version of FortiOS, so I make an example for 5.4.5:

    1. Enable IPS sniffer mode on the interface:

       config system interface
           edit "port10"
               set ips-sniffer-mode enable
           next
       end

    2. Create the sniffer policy:

       config firewall sniffer
           edit 1
               set logtraffic all
               set ipv6 enable
               set non-ip enable
               set interface "port10"
           next
       end

    In this section you can modify the parameters of the sniffer, like VLAN tag, host, non-IP or not...

    3. Verify that packets are arriving on the interface:

       diag sniffer packet port10 '' 4

    3 replies

    emnoc
    New Member
    March 7, 2018

    You're doing inspection (IDS), so you need a one-arm configuration with an inspection policy similar to this:

    config firewall interface-policy
        edit 0
            set interface port17
            set srcaddr "all"
            set dstaddr "all"
            set service "ANY"
            set comment "SPAN PORT TO CISCO NXOS"
            set logtraffic all
            set ips-sensor-status enable
            set ips-sensor "pass_log_all_sig"
        next
    end

     

    In your IPS sensor you will craft the  IPS signatures that you require.

     
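The sniffer policy from the best answer and the IPS sensor idea from emnoc's reply, put together as one complete FortiOS 5.4-style CLI script for the OP's port17. This is an added example, not configuration posted in the thread: the sensor name "ids-span-all" is assumed, and the "#" lines are annotations that the FortiOS script loader ignores. It uses "config firewall sniffer" rather than "config firewall interface-policy" because a port in ips-sniffer-mode is the TAP-style interface the OP is asking about: it carries no IP address and never forwards the SPAN copies, so it needs neither a route nor an RPF workaround, whereas an interface-policy applies IPS to traffic the FortiGate is actually forwarding through that interface.

```text
# Added example: FortiGate one-arm sniffer (IDS) on a SPAN-fed port.
# FortiOS 5.4-style syntax; sensor name "ids-span-all" is assumed.

# 1. Put the SPAN-facing port into sniffer mode. The port must have no
#    IP address and must not be referenced by any zone or regular policy,
#    otherwise the CLI refuses to change the mode.
config system interface
    edit "port17"
        set ips-sniffer-mode enable
    next
end

# 2. A log-only IPS sensor: every signature matches, nothing is blocked.
#    In one-arm mode blocking would be pointless anyway, since the
#    FortiGate is only looking at copies of the packets.
config ips sensor
    edit "ids-span-all"
        set comment "SPAN POC: log all signatures, pass"
        config entries
            edit 1
                set severity info low medium high critical
                set status enable
                set log enable
                set action pass
            next
        end
    next
end

# 3. The sniffer policy that binds the sensor to port17. The SPAN source
#    is "all VLANs", so the copies arrive 802.1Q-tagged; leave "vlan"
#    unset to inspect every tag, or set it to narrow the POC to one VLAN.
config firewall sniffer
    edit 1
        set status enable
        set logtraffic all
        set ipv6 enable
        set non-ip enable
        set interface "port17"
        set ips-sensor-status enable
        set ips-sensor "ids-span-all"
    next
end

# 4. Confirm frames are actually reaching the port before blaming the
#    policy: verbosity 4 prints the interface name with each packet,
#    and the trailing 10 stops after ten packets.
diagnose sniffer packet port17 '' 4 10
```

If step 4 prints nothing, the FortiGate configuration is not the problem: check the monitor session on the Cisco side (show monitor session 1) and the cabling, since a SPAN destination port sends frames out regardless of what the FortiGate does. Once packets show up, IPS hits appear in the IPS log and sessions in the sniffer traffic log, which is the "accept traffic" behaviour the OP is used to from a TAP interface.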

    romanr
    New Member
    March 7, 2018

    Hey,

     

    the feature to use would be the "one arm sniffer"...

     

    https://video.fortinet.com/video/124/one-arm-sniffer

     

    Br,

    Roman

    ede_pfau
    SuperUser
    March 7, 2018

    Wouldn't RPF make the FGT drop all 'unknown sources' traffic?

    The cure would be a default route pointing to port17.

    emnoc
    New Member
    March 7, 2018

    If it's one-arm, it's inspecting as an IDS. The OP would need to confirm "TAP/SPAN" and IDS. In this case the appliance "does not route data/traffic", so a default route is not needed.

    He can tighten the firewall policy by selecting sources also and craft unique sensors per firewall policy.

     

    Ken

     
