FortiGate
kbahrudin_FTNT
Article Id 191137

Description

This article explains how to set up SPAN (port mirroring) on ports that belong to the underlying switch chip/driver.


Scope

SPAN (Port Mirroring).


Solution

The Switch Port Analyzer (SPAN) feature is available for hardware switch interfaces on FortiGate models with a built-in hardware switch (for example, the FortiGate-100D, 140D and 200D).

To enable SPAN on a hardware switch via the GUI, go to System > Network > Interfaces and edit a hardware switch interface.

By default, the system may have a hardware switch interface called LAN. A new hardware switch interface can also be created.
  • Select the SPAN check box, then select a source port from which traffic will be mirrored.
  • Select the destination port to which the mirrored traffic is sent.
  • Select to mirror traffic received, traffic sent, or both.

SPAN can also be enabled in the CLI (each edit block is closed with next, and the table with end):

config system virtual-switch
    edit <Name of the virtual switch>
        set span enable
        set span-source-port <port>
        set span-dest-port <port>
        set span-direction {both | tx | rx}
    next
end


Note:

The hardware switch does not support multiple source ports. To specify multiple source ports for SPAN, use a software switch instead.


config system switch-interface
    edit <port>
        set span enable
        set span-source-port <port> <port>   <----- Multiple source ports, separated by spaces.
        set span-dest-port <port>
        set span-direction {both | tx | rx}
    next
end


Note:

If mirroring WAN interfaces is required, it is necessary to create a virtual switch interface and add at least two ports to it: one for the WAN connection and one for the mirror port. The virtual switch interface should function as the WAN connection without issues.


Before adding the WAN port to the virtual switch, remove the port from all existing references. After the virtual switch and the port mirroring are configured, update the firewall policies and any other references so that they use the new WAN-SPAN interface instead of the old WAN interface.
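The following is an added, end-to-end CLI walk-through of the WAN mirroring procedure above; it is example configuration written for this note, not configuration taken from the article. All names are assumptions: wan1 is the existing WAN port, port9 is the mirror port cabled to the capture host, wan-span is the new virtual switch, sw0 is the physical switch name (model dependent), lan is the inside interface, and firewall policy ID 1 is the policy that previously referenced wan1. The IP address is a constructed TEST-NET value. The FortiOS CLI has no comment syntax, so the lines starting with # are annotations for the reader and must not be pasted.

```fortios
# Added example, not from the article. Lines starting with '#' are annotations.

# 1. Confirm nothing still references wan1 before it can join the switch.
#    (Assumes 'diagnose sys checkused' is available on the firmware in use;
#    an empty result means the port is free to be moved.)
diagnose sys checkused system.interface.name wan1

# 2. Create the virtual switch with both ports and enable SPAN on it.
#    A hardware switch supports a single source port, so wan1 is the only one.
config system virtual-switch
    edit "wan-span"
        set physical-switch "sw0"
        config port
            edit "wan1"
            next
            edit "port9"
            next
        end
        set span enable
        set span-source-port "wan1"
        set span-dest-port "port9"
        set span-direction both
    next
end

# 3. Give the new switch interface the WAN role and the addressing the old
#    port had (static addressing shown; constructed example values).
config system interface
    edit "wan-span"
        set role wan
        set mode static
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping
    next
end

# 4. Re-point the policy (and any other object, such as a static route,
#    that referenced wan1) at the new interface.
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan-span"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 5. Verify that the mirror settings were accepted.
show system virtual-switch
```

Once the capture host on port9 sees the mirrored frames, confirm that normal WAN traffic still passes through wan-span; if step 1 reports a remaining reference to wan1, clear it first, otherwise the port cannot be added to the switch.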