|
A feature is available on chassis-based FortiGates (6000F, 7000E, and 7121F) that allows the administrator to capture traffic at the ISF (integrated Switch Fabric) level. This means that traffic can be captured before leaving the FortiGate at the physical level. This also applies to traffic entering the FortiGate. This feature will activate the interface f-mirror for the selected physical interface on the dataplane.
The following are the elements involved when packets enter a 6000F device:
- Packet on the fiber.
- Handled by SFP.
- Handled by DP (distribution processor).
- Forwarded by ISF to FPC.
- Goes to NP6 on FPC and eventually on the host CPUs.
Capture for regular packet capture gives packets that are handled by CPUs.
See Troubleshooting Tip: Using the FortiOS built-in packet sniffer for more information.
This article will demonstrate how to capture traffic at the physical level with the prefix 'sw:'.
This can have a number of benefits:
- It is easier to ensure the traffic is properly transmitted from ISF to FPC and vice versa.
- It is easier to ensure the traffic is properly transmitted from ISF to SFP.
- It provides a view of the entire flow even when it's offloaded on FPC. This information is not visible in a regular packet sniff because it is not handled by the CPU hosts.
For example:
Traffic is going to be captured on port25 at ISF Level for vlan1062.
Command to be used:
diagnose sniffer packet sw:port25 '(vlan 1062 and tcp) or (vlan 1062 and tcp)' 4 0 l
- 'sw:' will activate the f-mirror interface.
- The filter setup is split for egress and ingress traffic. A traffic selector is needed for both ways.
- (vlan 1062 and tcp) filters for one way.
- (vlan 1062 and tcp) filters for the other way.
In FortiOS 7.2.x and 7.4.x, the command has been changed to the following:
diagnose span-sniffer packet sw:port25 '(vlan 1062 and tcp) or (vlan 1062 and tcp)' 4 0 l
The following information will display in the terminal window:
[MBD ] 2023-07-03 14:39:43.803130 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.79.31436 -> 10.0.62.10.80: psh 1026859065 ack 207576893
[MBD ] 2023-07-03 14:39:43.803133 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.101.31436 -> 10.0.62.10.80: psh 2044382639 ack 4211484478
[MBD ] 2023-07-03 14:39:43.803141 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.103.49974 -> 10.0.62.10.80: psh 3403221988 ack 592061836
[MBD ] 2023-07-03 14:39:43.803194 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.16.49984 -> 10.0.62.10.80: psh 2450217422 ack 2741313910
[MBD ] 2023-07-03 14:39:43.803206 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.44.49984 -> 10.0.62.10.80: psh 3504603645 ack 1654515949
PSH TCP packets are usually offloaded, but can be shown with the feature above.
In addition, this command can be run without a filter. All traffic reaching port25 will displayed upon doing so.
It is highly recommended to use a traffic filter to prevent CPUs in the MBD from being overloaded by the mirrored traffic.
diagnose sniffer packet sw:port25 '' 4 0 l
In FortiOS 7.2.x and 7.4.x, the command has been changed to the following:
diagnose span-sniffer packet sw:port25 '' 4 0 l
Consequently, traffic from vlan 1059 and 1062 will be displayed:
[MBD ] 2023-07-03 15:56:01.605795 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.26.28513 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605796 f-mirror -- port25 out 802.1Q vlan#1059 P0 10.0.62.14.53 -> 10.0.59.17.47026: udp 142
[MBD ] 2023-07-03 15:56:01.605797 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.40.10000 -> 10.0.62.14.53: udp 33
[MBD ] 2023-07-03 15:56:01.605798 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.25.47024 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605799 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.39.47024 -> 10.0.62.14.53: udp 30
[MBD ] 2023-07-03 15:56:01.605800 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.68.47026 -> 10.0.62.14.53: udp 30
[MBD ] 2023-07-03 15:56:01.605800 f-mirror -- port25 out 802.1Q vlan#1059 P0 10.0.62.14.53 -> 10.0.59.86.10000: udp 142
[MBD ] 2023-07-03 15:56:01.605801 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.29.47026 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605801 f-mirror -- 802.1Q vlan#1062 P0 10.0.62.14.53 -> 10.0.59.38.47025: udp 142
[MBD ] 2023-07-03 15:56:01.605802 f-mirror -- port25 out 802.1Q vlan#1059 P0 10.0.62.14.53 -> 10.0.59.17.10002: udp 33
[MBD ] 2023-07-03 15:56:01.605802 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.33.47026 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605803 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.19.10002 -> 10.0.62.13.5247: udp 469
Note that only one physical port can be mirrored at a time.
Note: To collect all packet flow on Firewall including IP address and without IP address at any interface run the following command
diagnose sniffer packet any "none" 4 0 l
Below is the output for the command
2024-10-22 17:37:53.174388 internal out 185.232.211.11.22264 -> 192.168.1.22.3389: ack 2787726683
2024-10-22 17:37:53.292724 wan1 in arp who-has 10.0.0.10 tell 10.0.0.1
2024-10-22 17:37:53.292746 wan1 out arp reply 10.0.0.10 is-at ac:71:2e:fd:f0:44
2024-10-22 17:37:53.399247 wan1 in fe80::3e2d:9eff:fe9b:ecdb -> ff02::1: icmp6: router advertisement [flowlabel 0x41bd2]
|
