AbdullahMohamed
New Member
August 14, 2021
Question

SPAN

Hello dears, I searched how I can mirror the decrypted traffic with these commands:

    config firewall policy
        edit x
            set ssl-mirror enable
            set ssl-mirror-intf port6
        next
    end

Now my question is: should port6 be a layer 2 or layer 3 interface? Or won't it make any difference?

My second question is: can I mirror all traffic, not only decrypted? Thank you


    emnoc
    New Member
    August 15, 2021

    port6 is a layer 2 port.

    And no on the last item, this mirrors SSL-inspected packets after decoding.

    I believe (but never have done this) you could enable a SPAN session if you have a virt-switch AND mirror SSL inspection to the same destination port. So if you need all traffic and decrypted, try that along with your mirror.

    e.g.

      config sys virtual-switch
        edit lan
          set span enable
          set span-dest-port port6
          set span-direction both
          set span-source-port port1
        next
      end

    The smaller FGT might not have this feature and CPU util% could become extremely high, but investigate and see what you have and can come up with.

    I would do a SPAN, fwiw, at a true L2/L3 switch and let the firewall be a "firewall", but that is my personal preference.

    Ken Felix

    AbdullahMohamed
    New Member
    August 15, 2021
    So that port6 configuration will be a LAN port only? Or do I have to create a VLAN interface and add port6 to it? Or create a virtual switch and then add port6 to it?
    emnoc
    New Member
    August 15, 2021

    Do nothing but leave the port as a default port: no VLAN, not part of a virt switch or anything, and it would be a SPAN port to deliver the data to your tool or inspection device.

    Ken Felix
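The two pieces the thread discusses, combined into one FortiOS CLI fragment as an added example (not posted by either participant): a firewall policy that copies decrypted SSL traffic to port6, plus a virtual-switch SPAN that sends everything on port1 to the same port6, which is left as a plain, unassigned physical port. It assumes the interface names lan, port1, port6 and wan1, policy id 10, and the default full-inspection profile name "deep-inspection"; ssl-mirror only works on an accept policy that has UTM and a full (deep) inspection SSL profile enabled.

```fortios
# Policy: decrypted (deep-inspected) SSL sessions are mirrored to port6.
# Traffic enters on "lan" (the virtual switch that contains port1), not port1 itself.
config firewall policy
    edit 10
        set name "mirror-ssl"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ssl-mirror enable
        set ssl-mirror-intf "port6"
    next
end

# Virtual-switch SPAN: every frame on port1, both directions, is also copied to port6.
# port6 is the SPAN destination only; it must NOT be a member of this switch
# and needs no VLAN or IP configuration of its own.
config system virtual-switch
    edit "lan"
        set span enable
        set span-source-port "port1"
        set span-dest-port "port6"
        set span-direction both
        config port
            edit "port1"
            next
        end
    next
end
```

With both in place the capture tool on port6 sees the raw port1 traffic from the SPAN and, separately, the decrypted copies from the SSL mirror, so expect duplicate packets for the same sessions and size the tool and the FortiGate CPU accordingly.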