FortiGate
esalija
Staff
Article Id 411194
Description This article describes the process of configuring SSL traffic mirroring with a focus on modifying the Destination MAC address at the policy level, allowing administrators to accurately duplicate SSL traffic for analysis or inspection. 
Scope FortiGate.
Solution
  • This setup involves creating a firewall policy in which the mirror action is defined, and adjusting the destination MAC so that mirrored packets are delivered to the monitoring device without disrupting the original traffic flow.
  • Proper configuration ensures the decrypted SSL traffic is duplicated cleanly, allowing effective monitoring while maintaining network security and performance.
  • To change the destination MAC address of mirrored SSL traffic, the device that performs the mirroring (here the FortiGate; on other platforms a switch or firewall) must be configured to rewrite the MAC address in the mirrored copy.
  • On generic platforms this is done through port mirroring or SPAN (Switched Port Analyzer) combined with a MAC address rewriting feature or a packet capture tool that supports packet modification; on the FortiGate it is the dstmac setting of the decrypted-traffic mirror profile shown below.

Topology:

Windows 1 (10.113.0.2) ---- Port2 --- FortiGate --- Port1 ---- Internet
                                          |
                                   Port3 (10.7.0.2)
                                          |
                                          |
                                   Windows Mirror User

 

  • ARP Table.

 

get system arp
Address Age(min) Hardware Addr Interface
10.7.0.2 0 00:62:65:6e:12:01 port3
10.113.0.2 0 00:62:65:6e:2e:01 port2
10.191.47.254 0 00:09:0f:09:64:1b port10
10.191.21.106 1 00:73:74:75:2f:01 port1
10.191.31.254 0 00:09:0f:09:64:1b port1

 

  • Port 3 is configured to mirror all traffic originating from Port 2, meaning that any data sent or received on Port 2 is also duplicated and sent to Port 3 for monitoring or analysis.
  • A PCAP taken on Port 3 shows the destination MAC address 'ff:ff:ff:ff:ff:ff', the broadcast address, so these frames are delivered to every device within the local network segment.
  • Broadcast destination MACs are normal for network discovery protocols such as ARP requests or DHCP broadcasts, where a device seeks to identify other devices or obtain configuration information.
  • The presence of such broadcast frames on Port 3 means either that a device is actively searching for network resources or that an essential network service is broadcasting information; network administrators should verify whether this broadcast traffic is expected or whether it indicates a problem such as an ARP storm or a misconfiguration.

 

[Capture1.PNG: packet capture on Port 3 showing destination MAC ff:ff:ff:ff:ff:ff]

 

  • Changing the mirror destination MAC address to '00:62:65:6e:12:01', the MAC that the ARP table above lists for the mirror host 10.7.0.2 on port3.

 

config firewall decrypted-traffic-mirror
    edit "SSL+to_port3"
        set dstmac 00:62:65:6e:12:01
        set traffic-type ssl
        set traffic-source client
        set interface "port3"
    next
end
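The lookup the article performs by hand (reading the mirror host's MAC for 10.7.0.2 off the ARP table and placing it in dstmac) and the policy binding the article mentions but does not show, as an added Python example that is not part of the article. The ARP text is the article's own `get system arp` output embedded as a string; the `config firewall policy` stanza with `set decrypted-traffic-mirror` and the policy id 1 are assumptions about the FortiOS CLI, not taken from the article. The check rejects a broadcast or multicast dstmac, since that is exactly the flooding the article is fixing.

```python
"""Resolve the mirror host's MAC from `get system arp` output and emit the
FortiOS CLI that sends decrypted-traffic mirror copies to it.

Added example, not part of the original article. ARP_OUTPUT is the article's
own table embedded as a constructed string; the firewall-policy binding and
policy id 1 are assumptions, not something the article shows."""
import re

ARP_OUTPUT = """\
Address Age(min) Hardware Addr Interface
10.7.0.2 0 00:62:65:6e:12:01 port3
10.113.0.2 0 00:62:65:6e:2e:01 port2
10.191.47.254 0 00:09:0f:09:64:1b port10
10.191.21.106 1 00:73:74:75:2f:01 port1
10.191.31.254 0 00:09:0f:09:64:1b port1
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_arp(text):
    """Return {ip: (mac, interface)} from FortiOS `get system arp` output."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 4:
            continue
        ip, _age, mac, iface = fields
        table[ip] = (mac.lower(), iface)
    return table


def is_unicast(mac):
    """True for a well-formed MAC whose I/G bit (lowest bit of the first octet) is clear."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    return int(mac[:2], 16) & 0x01 == 0


def resolve_mirror_mac(arp_text, mirror_ip, mirror_iface):
    """Look up the mirror host's MAC and check it can be used as dstmac."""
    entry = parse_arp(arp_text).get(mirror_ip)
    if entry is None:
        raise LookupError(f"{mirror_ip} has no ARP entry; ping it from the FortiGate first")
    mac, iface = entry
    if iface != mirror_iface:
        raise ValueError(f"{mirror_ip} is learned on {iface}, not {mirror_iface}")
    if not is_unicast(mac):
        raise ValueError(f"{mac} is not a unicast MAC; mirrored frames would be flooded")
    return mac


def build_config(name, mirror_iface, dstmac, policy_id):
    """Emit the mirror profile plus the (assumed) policy binding as CLI text."""
    return (
        "config firewall decrypted-traffic-mirror\n"
        f'    edit "{name}"\n'
        f"        set dstmac {dstmac}\n"
        "        set traffic-type ssl\n"
        "        set traffic-source client\n"
        f'        set interface "{mirror_iface}"\n'
        "    next\n"
        "end\n"
        "config firewall policy\n"
        f"    edit {policy_id}\n"  # assumed policy id; the article does not show one
        f'        set decrypted-traffic-mirror "{name}"\n'
        "    next\n"
        "end\n"
    )


if __name__ == "__main__":
    mac = resolve_mirror_mac(ARP_OUTPUT, "10.7.0.2", "port3")
    print(build_config("SSL+to_port3", "port3", mac, 1))
```

Running it prints the same profile as the article with dstmac filled from the ARP table, followed by the policy stanza; the interface check catches the case where the ARP entry was learned on a different port than the one the profile mirrors to.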

 

  • A PCAP capture on Port 3 now shows the destination MAC address '00:62:65:6e:12:01', confirming that the mirrored traffic is addressed to the mirror host on that port instead of being broadcast.

 

[Capture2.PNG: packet capture on Port 3 showing destination MAC 00:62:65:6e:12:01]
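A way to verify the change from a capture rather than by eye, as an added Python example that is not part of the article: a small pcap reader counts the destination MAC of every frame on the mirror port and reports failure when any frame is not addressed to the mirror host. The capture is constructed in memory from made-up frames; the FortiGate port3 source MAC is a placeholder (the article does not give it), and the expected MAC is the one set in the article's profile.

```python
"""Check the destination MAC of frames captured on the mirror port.

Added example, not part of the original article. The pcap bytes are built
here from constructed Ethernet frames; FORTIGATE_PORT3_MAC is a placeholder
because the article does not give the FortiGate's own MAC."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
BROADCAST = "ff:ff:ff:ff:ff:ff"
MIRROR_HOST_MAC = "00:62:65:6e:12:01"   # from the article's ARP table / profile
FORTIGATE_PORT3_MAC = "00:00:00:00:00:03"  # placeholder, not from the article
PAYLOAD = b"\x45\x00" + b"\x00" * 44       # constructed IPv4-looking filler


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ethernet_frame(dst, src, payload):
    """dst MAC, src MAC, EtherType 0x0800, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack(">H", 0x0800) + payload


def build_pcap(frames):
    """Minimal little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield raw frames from pcap bytes; accepts either byte order of the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def dst_mac_summary(pcap_bytes):
    """Count frames per destination MAC."""
    counts = Counter()
    for frame in read_pcap(pcap_bytes):
        if len(frame) >= 14:
            counts[mac_str(frame[0:6])] += 1
    return dict(counts)


def mirror_check(pcap_bytes, expected_dstmac):
    """Return (ok, summary); ok is True only if every frame targets the mirror host."""
    summary = dst_mac_summary(pcap_bytes)
    stray = [mac for mac in summary if mac != expected_dstmac.lower()]
    return (not stray, summary)


def sample_capture(dstmac, count=3):
    """Constructed capture: `count` mirrored frames all sent to `dstmac`."""
    return build_pcap([ethernet_frame(dstmac, FORTIGATE_PORT3_MAC, PAYLOAD) for _ in range(count)])


if __name__ == "__main__":
    for label, mac in (("before", BROADCAST), ("after", MIRROR_HOST_MAC)):
        ok, summary = mirror_check(sample_capture(mac), MIRROR_HOST_MAC)
        print(label, "OK" if ok else "FLOODED", summary)
```

Pointed at a real file (`mirror_check(open("port3.pcap", "rb").read(), MIRROR_HOST_MAC)`), a False result means some mirrored frames still carry the broadcast or another unexpected destination MAC.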