FortiGate
gmanea
Staff
Article Id 193217

Description
This article describes One-Armed IDS/IPS configuration in FortiOS 4.0.

Solution
In older FortiOS versions, One-Armed IDS/IPS could only be configured through the command line.
More recently, the option is also present in the GUI, under Network -> Interface -> (select a physical interface) -> 'Addressing mode': One-Arm Sniffer.
The FortiGate unit could be in NAT or Transparent mode.
NOTE: This mode only generates logs/reports on specific traffic according to the applied profiles; it does not deny or influence traffic.

Once the interface mode is changed to One-Arm Sniffer, several filters become available on the interface itself, but for each type of security profile only the corresponding individual “sniffer-profile” can be used and edited.
Spam filter, DLP, and IPS DoS can only be configured through the CLI in this setup.
To configure One-Armed IDS/IPS in the CLI, enter the following commands for the desired interface:
config system interface
    edit <port_name>
        set ips-sniffer-mode enable
    next
end
If the option is not available, the interface is in use (by another policy, or referenced elsewhere in the configuration).
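The following FortiOS CLI fragment is an added example and not part of the original article: it puts the interface into sniffer mode as above and then creates the sniffer policy that applies the per-type “sniffer-profile” entries, including the DLP and IPS DoS options the article says are CLI-only. It assumes a later FortiOS release (5.x or newer) where the `config firewall sniffer` table and these option names exist, rather than the 4.0 CLI; "port3" is a placeholder interface name.

```text
# Assumed FortiOS 5.x+ CLI; "port3" is a placeholder interface name.
config system interface
    edit "port3"
        set ips-sniffer-mode enable
    next
end
# The sniffer policy selects what is inspected and logged on that interface.
# Traffic is only reported on, never blocked (see the NOTE above).
config firewall sniffer
    edit 1
        set status enable
        set logtraffic all
        set interface "port3"
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
        set av-profile-status enable
        set av-profile "sniffer-profile"
        set dlp-sensor-status enable
        set dlp-sensor "sniffer-profile"
        set ips-dos-status enable
    next
end
```

Use `show firewall sniffer` to confirm the policy was saved; if `set ips-sniffer-mode enable` is rejected, the interface is still referenced elsewhere, as described above.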

Note on resource usage:

Traffic scanned on the one-arm sniffer interface is processed by the CPU, even if there is an SPU, such as NPU or CP, present.
The one-arm sniffer may therefore cause higher CPU usage and deliver lower throughput than traditional inline scanning, which uses NTurbo or CP to accelerate traffic when present.
The absence of high CPU usage does not indicate the absence of packet loss.
Packet loss may occur due to the capacity of the TAP devices hitting maximum traffic volume during mirroring, or on the FortiGate when the kernel buffer size is exceeded and it is unable to handle bursts of traffic.