FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nvisentin_FTNT
Description
This article explains how to mirror and capture traffic on a FortiController using flow rules.

Scope
FortiController v5.2.

Solution
The flow rule feature allows us to mirror ingress and egress traffic flowing through the FortiController.  Mirrored traffic is copied to a mirror interface.

Two interfaces are available:
  • fabric-mgmt-1
  • fabric-mgmt-2

The following configuration will mirror SSH packets to fabric-mgmt-1 (note that if no “set forward-slot” statement is configured, the traffic will be directed to the ELBC master blade).

config switch fabric-channel flow-rule
    edit 1
        set status enable
        set src-interface "LAG-IN" 
                   set vlan 0
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 22-22
        set action forward mirror-ingress
        set mirror-interface "fabric-mgmt-1"
    next
end

Since flow rules are stateless and apply to only one direction, a second flow rule for the reply direction must be configured as well.

config switch fabric-channel flow-rule
    edit 2
        set status enable
        set src-interface "LAG-OUT"
                    set vlan 0
        set ether-type ipv4
        set protocol tcp
        set src-l4port 22-22
        set action forward mirror-ingress
        set mirror-interface "fabric-mgmt-1"
    next
end

Start a sniffer on fabric-mgmt-1 interface:

FT-B-1 # diag sniffer packet fabric-mgmt-1 '' 4 0
interfaces=[fabric-mgmt-1]
filters=[]
pcap_lookupnet: fabric-mgmt-1: no IPv4 address assigned
3.541567 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: syn 4062706488
3.542484 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: syn 1759687324 ack 4062706489
3.611420 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687325
3.612565 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.612818 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.625830 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687325 ack 4062706530
3.884041 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: psh 4062706489 ack 1759687325
3.884255 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: ack 4062706530
3.999089 802.1Q vlan#118 P0
10.118.0.100.40446 -> 10.5.31.1.22: ack 1759687364
3.999261 802.1Q vlan#2 P0
10.5.31.1.22 -> 10.5.19.202.10239: psh 1759687364 ack 4062706530

In the above example, VLAN interfaces are used, the VLAN tag can be seen on client side (118) and server side (2).

Related Articles

Technical Tip: Forcing traffic to be handled by a specific worker on a FortiController

Contributors