Sego
Explorer
August 3, 2023
Solved

Mirror traffic of Ipsec interface

  • August 3, 2023
  • 1 reply
  • 3371 views

Hi all,

In a scenario with two locations connected via an IPsec tunnel, where the remote office accesses the internet through the WAN port in the main office, is it possible to capture the remote office - internet traffic (and vice versa) and send it to an analysis sensor?

Something like port mirroring in L2 world.

Thank you,

Drazen

Best answer by Toshi_Esumi (see reply below)

1 reply

Toshi_Esumi
SuperUser
August 3, 2023

Not exactly sure about your analogy of mirroring. But if you want to capture traffic from/to the remote office on the local side, you can sniff packets on the IPsec interface like...

  diag sniffer packet <Phase1_Interface_Name> '<whatever_filters_you_want>' 6 0 l

You likely need to disable ASIC offloading on those in/out IPsec policies though, with like...

  set auto-asic-offload disable

Toshi

Sego (Author)
Explorer
August 3, 2023

Thx Toshi,

In the main office I have a SPAN port configured on the FortiSwitch; the uplink from the switch to the FortiGate is mirrored to another port where the analysis software is running.

I would like to send traffic originating from the remote office, and also traffic destined to the remote office, to that analysis software (a VM in a separate VLAN in the main office).

Hope I explained it better now.

Ty

Toshi_Esumi
SuperUser
August 3, 2023

That wouldn't be so easy in the way you want, duplicating the specific traffic and sending it to a physical port, because once the traffic hits the FSW you have, it's encapsulated & encrypted. So it has to be duplicated before hitting/after coming out of the IPsec interface inside the FGT.
One thing I can think of as a possibility is setting up sFlow on the IPsec interface to the IP of the monitoring device. The IPsec interface itself seems to accept the sFlow config, so it should work. But I don't know if it's before or after the encapsulation/encryption. I have almost never used sFlow before.

Also, I'm almost sure you have to disable ASIC offloading on the IPsec policies.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-sFlow/ta-p/196930

Toshi
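To put the two suggestions from this thread together, here is an added FortiOS CLI example (not from the thread, Toshi's or Fortinet's own text): sFlow sampling on the IPsec phase1 interface exported to the analysis VM, plus the ASIC offload change on the IPsec policies. The interface name "ToBranch", the collector address 10.10.50.5, the branch host 192.168.20.10 and the policy IDs 10/11 are placeholders I assumed for illustration.

```fortios
# Added example, not from the thread. Placeholders (assumptions):
#   ToBranch     = IPsec phase1 (tunnel) interface name
#   10.10.50.5   = analysis VM in the monitoring VLAN (sFlow collector)
#   10 / 11      = the branch->internet and internet->branch policies

# Where the samples go: the analysis VM, default sFlow port 6343
config system sflow
    set collector-ip 10.10.50.5
    set collector-port 6343
end

# Sample on the tunnel interface itself, in both directions, so both
# remote office -> internet and internet -> remote office are covered.
# sample-rate 2000 means 1 in 2000 packets; lower values give more
# detail at the cost of CPU on the FortiGate.
config system interface
    edit "ToBranch"
        set sflow-sampler enable
        set sample-rate 2000
        set sample-direction both
        set polling-interval 20
    next
end

# Per the thread, offload must be disabled on the IPsec policies so the
# CPU (and therefore the sampler / sniffer) actually sees these packets.
config firewall policy
    edit 10
        set auto-asic-offload disable
    next
    edit 11
        set auto-asic-offload disable
    next
end

# Sanity check with the sniffer from the first reply, on the same
# interface, before relying on the sFlow feed (verbose 4, 10 packets):
#   diagnose sniffer packet ToBranch 'host 192.168.20.10' 4 10 l
```

As the answer notes, whether the samples are taken before or after encryption is not confirmed here; the collector side will show it directly (inner IP headers from the branch subnet versus ESP between the tunnel endpoints).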