FortiGate
sfrati (Staff)
Article Id 388594
Description In some cases, even though the traffic is seen on the One-Arm sniffer interface (for example with diagnose snif packet …), no Sniffer Logs are displayed.
Scope FortiGate v7.2+.
Solution

FortiGate can be configured as an IDS; how to put a single interface into this mode to detect potential intrusions is described here: One-arm sniffer.


Example of configuration, setting port34 in One-Arm sniffer mode:


config system interface
edit "port34"
set vdom "root"
set ips-sniffer-mode enable
set type physical
set snmp-index 34
next
end

config ips sensor
edit "sniffer-profile"
config entries
edit 2
set rule 29844
set status enable
set log-packet enable
set action block
next
end
next
end

config firewall sniffer
edit 1
set interface "port34"
set ips-sensor-status enable
set ips-sensor "sniffer-profile"
next
end


In some cases, even though the traffic is seen on the One-Arm sniffer interface (diagnose snif packet …) and the interface is properly configured as an IDS port (the connected switch port configured as a mirror, and IPS selected in the interface policy), no Sniffer Logs are displayed.


The reason is that some network probes can be configured to encapsulate the traffic before forwarding it to the IDS for analysis. For instance, a Gigamon probe can forward the traffic encapsulated in QinQ (an outer 802.1ad tag added on top of the original 802.1Q tag).
Because the intermediate TAP device adds this QinQ encapsulation, the frames are not analyzed by the IDS/IPS engine with the default sniffer settings, and so no Sniffer Logs are displayed.


To have the encapsulated traffic analyzed for the two VLANs used in this example (123 and 456), make the following changes to the sniffer policy:


config firewall sniffer
edit 1
set non-ip enable
set vlan "123,456"
next
end
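To illustrate why the encapsulated frames are skipped by default, here is an added example (not Fortinet code, and not a description of the FortiOS engine internals) that builds a constructed QinQ frame, shows that its outermost ethertype is 0x88A8 rather than IPv4, peels the 802.1ad/802.1Q tag stack to recover the VLAN IDs, and checks them against the value given to set vlan. The MAC addresses, VLAN IDs and payload are constructed sample data, and the vlan-list parsing assumes a plain comma-separated list as used in the configuration above.

```python
import struct

ETH_IP = 0x0800       # IPv4
ETH_8021Q = 0x8100    # inner customer tag (C-tag)
ETH_8021AD = 0x88A8   # outer service tag (S-tag) used by QinQ


def build_qinq_frame(outer_vid: int, inner_vid: int, payload: bytes) -> bytes:
    """Constructed sample frame: 802.1ad outer tag, 802.1Q inner tag, then IPv4."""
    dst = bytes.fromhex("001122334455")   # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    hdr = dst + src
    hdr += struct.pack("!HH", ETH_8021AD, outer_vid & 0x0FFF)  # S-tag, PCP/DEI = 0
    hdr += struct.pack("!HH", ETH_8021Q, inner_vid & 0x0FFF)   # C-tag, PCP/DEI = 0
    hdr += struct.pack("!H", ETH_IP)
    return hdr + payload


def outer_ethertype(frame: bytes) -> int:
    """Ethertype at offset 12: what a parser that does not strip tags sees first."""
    return struct.unpack("!H", frame[12:14])[0]


def strip_vlan_tags(frame: bytes):
    """Peel every 802.1ad/802.1Q tag; return (VLAN IDs outer->inner, inner ethertype)."""
    vids = []
    off = 12
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    while etype in (ETH_8021AD, ETH_8021Q):
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    return vids, etype


def parse_vlan_filter(value: str) -> set:
    """Parse the 'set vlan "123,456"' list from the sniffer policy into a set of IDs."""
    return {int(v) for v in value.split(",") if v.strip()}


def carries_listed_vlan(frame: bytes, vlan_filter: str) -> bool:
    """True if the frame is IPv4 under its tags and one of its VLAN IDs is listed."""
    vids, etype = strip_vlan_tags(frame)
    return etype == ETH_IP and bool(set(vids) & parse_vlan_filter(vlan_filter))
```

Running this on a constructed frame tagged 100 (outer) / 123 (inner) shows the outer ethertype 0x88A8, the recovered VLAN list [100, 123], and a match against "123,456".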


Then the One-Arm sniffer logs are displayed:


# execute log detail 4 65531-0
1 logs found.
1 logs returned.

1: date=2024-10-10 time=10:58:54 eventtime=1728583134187225745 tz="-0700" logid="0419016384" type="utm" subtype="ips"
eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55
dstcountry="Reserved" srcintf="port34" srcintfrole="undefined" dstintf="port34" dstintfrole="undefined" sessionid=17
action="dropped" proto=6 service="HTTP" policyid=1 poluuid="45300792-872d-51ef-4e98-3309c98d96c0" policytype="sniffer"
attack="Eicar.Virus.Test.File" srcport=57056 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.68.0"
httpmethod="GET" direction="incoming" attackid=29844 profile="sniffer-profile" ref="http://www.fortinet.com/ids/VID29844"
incidentserialno=254804000 msg="file_transfer: Eicar.Virus.Test.File"

