Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kbahrudin_FTNT
Staff
Staff

Created on ‎07-22-2015 05:34 PM Edited on ‎08-28-2025 12:47 AM By Moderator

Article Id 191137

Technical Tip: SPAN (Port Mirroring) using ports associated to underlying switch chip/driver

Description

 
This article explains how to set up SPAN (Port Mirroring) using ports associated with the underlying switch chip/driver.


Scope

 
FortiGate, SPAN (Port Mirroring).


Solution

 
The Switch Port Analyzer (SPAN) feature is now available for Hardware Switch interfaces on FortiGate models with built-in hardware switches.

Confirming which models contain a built-in hardware switch can be done by consulting the FortiOS Feature/Platform Matrix on docs.fortinet.com and selecting the FortiOS version closest to the one running on the device, and looking for 'Virtual Hardware Switch' once the file is downloaded.

Link to platform/feature matrix: FortiOS Feature/Platform Matrix.
 
To enable SPAN on a hardware switch via the GUI, go to System > Network > Interfaces and edit a hardware switch interface.

By default, the system may have a hardware switch interface called LAN. A new hardware switch interface can also be created.
  • Select the SPAN check box, then select a source port from which traffic will be mirrored.
  • Select the destination port to which the mirrored traffic is sent.
  • Select to mirror traffic received, traffic sent, or both.

SPAN can also be enabled in the CLI:
 
config system virtual-switch
    edit <Name of the virtual switch>
        set span enable
        set span-source-port <port>
        set span-dest-port <port>
        set span-direction {both | tx | rx}
    end
end

 

Notes:

  • The hardware switch does not support multiple source ports. To specify multiple source ports for SPAN, it is possible to use a software switch instead. 

 

config system switch-interface 
    edit <name>
        set vdom *vdom name*

        set member <port1> <port2> <port3>  <----- Define the port member list here.

        set span enable
        set span-source-port <port1> <port2>   <----- Multiple ports specified separated by space.
        set span-dest-port <port3>
        set span-direction {both | tx | rx}
    end
end

 

  • The span-source-port and span-dest-port must belong to the port member list.

If mirroring WAN interfaces is required, it is necessary to create a virtual switch interface and add at least two ports to it: one for the WAN connection and one for the mirror port. The virtual switch interface should function as the WAN connection without issues.

 

  • It is important to note that before adding the WAN port to the virtual switch, it is necessary to remove the WAN port from all existing references. After configuring the virtual switch and the port mirroring, it is recommended to update the firewall policies and any other references to replace the old WAN interface with the new WAN-SPAN interface.

 

Notes:

  • Only SPAN is supported on the FortiGate; RSPAN and ERSPAN are not supported. RSPAN and ERSPAN are only available on FortiSwitch.
  • Port mirroring is not possible on the FortiLink interface on FortiGate. However, it can be achieved on the FortiSwitch.
  • The FortiGate 90E/91E does not support span ports on interfaces using the software switch function.

Technical Tip: Software Switch Span Port not supported on FortiGate 90E/91E.

 

Related article:

Technical Tip: SPAN (Port Mirroring)

125630
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.