fortigate
New Member
August 2, 2018
Question

One-Arm Sniffer port and logging to Forticloud


Hi!

My setup:

HP 2530-24G switch with a configured mirror port. A FortiGate 100D is connected to this port.

On the FortiGate I configured the LAN port as a One-Arm Sniffer and checked

Include Non-IP Packets

and Log Allowed Traffic: All Sessions

No security profiles enabled.

In this situation there are no logs in the Sniffer Traffic section of Log & Report.

If I enable some security profile, then I can see some logs. But I want to log all sessions, not filter them by application or anything else.

Is it possible to achieve this?

Thanks


    Toshi_Esumi
    SuperUser
    August 2, 2018

    I haven't done it, but this cookbook says how to do it with FortiAnalyzer, including the traffic log.

    https://docs.fortinet.com/uploaded/files/1874/analyzing-your-network-traffic-using-a-one-armed-sniffer.pdf

    If it's doable with FortiAnalyzer, I would assume the same goes for FortiCloud. Based on the CLI "config log fortiguard" for FortiCloud, it seems to have the same/similar log setting capability as "config log fortianalyzer".

    darwin_FTNT
    Staff
    August 3, 2018

    In one-arm sniffer mode, the traffic log is generated by the ipsengine daemon (which is a wrapper for libips.so). So you have to enable flow-based UTM, which will start up the ipsengine process. One-arm sniffer mode was originally mainly for IPS; generating traffic logs was added later on. The kernel does very limited processing on packets when in sniffer mode. Also, in sniffer mode packets can't be blocked, only logged, as this is a read-only network operation.


    In a normal firewall policy, the sessions are handled by the kernel and the traffic log is sent by the kernel to miglogd. You can verify this by doing 'diag sys session list' in one-arm sniffer mode: the kernel session table is empty. Traffic logs can be generated by the kernel and also by the proxy daemons if the sessions are managed by them.


    Currently, the GUI doesn't fully support all the statistics gathered in sniffer mode, but that should be gradually implemented over time.
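    The following CLI fragment is an added illustration, not part of the original post or of Fortinet's documentation. It puts the staff reply into a concrete one-arm sniffer policy: the interface is placed in sniffer mode, logging is set to all sessions, and a flow-based IPS sensor is attached so that the ipsengine process (which emits the sniffer traffic log) is actually started. The interface name "lan" is taken from the question; the sensor name "default" and the policy ID 1 are assumptions, and lines starting with # are annotations rather than CLI input.

```text
# Added example (assumed names: interface "lan", IPS sensor "default", sniffer policy 1).

# 1. Put the port that receives the switch mirror traffic into sniffer mode.
config system interface
    edit "lan"
        set ips-sniffer-mode enable
    next
end

# 2. Sniffer policy: log every session, include non-IP frames, and attach a
#    flow-based profile so ipsengine runs. Without the sensor, nothing generates
#    the sniffer traffic log, which is what the question observed.
config firewall sniffer
    edit 1
        set status enable
        set interface "lan"
        set non-ip enable
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "default"
    next
end

# 3. Checks mentioned in the reply: the kernel session table stays empty in
#    sniffer mode, because sessions are tracked by ipsengine, not the kernel.
diagnose sys session list
```

    The sensor itself can be a permissive, monitor-only one; what matters for logging is that a flow-based profile is present on the sniffer policy. Because sniffer mode is read-only, no packet on the mirror port is ever dropped regardless of the sensor's actions.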

    fortigate (Author)
    New Member
    August 3, 2018

    darwin wrote:

    In one-arm sniffer mode, the traffic log is generated by the ipsengine daemon (which is a wrapper for libips.so). So you have to enable flow-based UTM, which will start up the ipsengine process. One-arm sniffer mode was originally mainly for IPS; generating traffic logs was added later on. The kernel does very limited processing on packets when in sniffer mode. Also, in sniffer mode packets can't be blocked, only logged, as this is a read-only network operation.

    It's completely OK, I just need to log traffic from the mirror port; nothing needs to be blocked.

    So what is your advice: turn on the IP flow generator and use the FortiGate as a flow collector? If yes, then how do I configure it on the device?

    As far as I understand, it's not possible to log plain sniffer traffic (meaning just source-destination IP sessions)?

    Thanks


    darwin wrote:

    In a normal firewall policy, the sessions are handled by the kernel and the traffic log is sent by the kernel to miglogd. You can verify this by doing 'diag sys session list' in one-arm sniffer mode: the kernel session table is empty. Traffic logs can be generated by the kernel and also by the proxy daemons if the sessions are managed by them.

    Looks like it's not for me, because I'm not using the FortiGate as a firewall device, just for monitoring (for now).