Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nvisentin_FTNT
Staff
Staff

Created on ‎10-19-2017 08:31 AM

Technical Note: How to mirror and capture traffic flowing through a FortiController in SLBC

Description
This article explains how to mirror and capture traffic on a FortiController using flow rules.

Scope
FortiController v5.2.

Solution
The flow rule feature allows us to mirror ingress and egress traffic flowing through the FortiController.  Mirrored traffic is copied to a mirror interface.

Two interfaces are available:
  • fabric-mgmt-1
  • fabric-mgmt-2

The following configuration will mirror SSH packets to fabric-mgmt-1 (note that if no “set forward-slot” statement is configured, the traffic will be directed to the ELBC master blade).

config switch fabric-channel flow-rule
    edit 1
        set status enable
        set src-interface "LAG-IN" 
                   set vlan 0
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 22-22
        set action forward mirror-ingress
        set mirror-interface "fabric-mgmt-1"
    next
end

Since flow rules are stateless and apply to only one direction, a second flow rule for the reply direction must be configured as well.

config switch fabric-channel flow-rule
    edit 2
        set status enable
        set src-interface "LAG-OUT"
                    set vlan 0
        set ether-type ipv4
        set protocol tcp
        set src-l4port 22-22
        set action forward mirror-ingress
        set mirror-interface "fabric-mgmt-1"
    next
end

Start a sniffer on fabric-mgmt-1 interface:

FT-B-1 # diag sniffer packet fabric-mgmt-1 '' 4 0
interfaces=[fabric-mgmt-1]
filters=[]
pcap_lookupnet: fabric-mgmt-1: no IPv4 address assigned
3.541567 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: syn 4062706488
3.542484 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: syn 1759687324 ack 4062706489
3.611420 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687325
3.612565 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.612818 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.625830 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687325 ack 4062706530
3.884041 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.884255 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.999089 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687364
3.999261 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687364 ack 4062706530

In the above example, VLAN interfaces are used, the VLAN tag can be seen on client side (118) and server side (2).

Related Articles

Technical Tip: Forcing traffic to be handled by a specific worker on a FortiController

Labels:
835
0 Kudos
Contributors

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media

Security Research

Company

News & Articles

Contact Us

Copyright 2022 Fortinet, Inc. All Rights Reserved.