Description
This article explains how to set up SPAN (Port Mirroring) using ports associated with an underlying switch.
Scope
FortiGate.
Solution
The Switch Port Analyzer (SPAN) feature is available only when the interface type is switch. Port spanning echoes traffic seen on a switch's SPAN source port(s) to the SPAN destination port. Port spanning is disabled by default.
Software Switch
SPAN for a software switch can be enabled in the CLI:
config system switch-interface
    edit <new-switch-name>
        set vdom <vdom-name> --> Enter the name of the VDOM; if no VDOMs are configured it will be root.
        set member <interface1> <interface2> --> interfaces to echo traffic from and to.
        set span enable
        set span-source-port <interface1>
        set span-dest-port <interface2> --> traffic on the span-source-port is echoed to the span-dest-port.
        set span-direction {tx | rx | both} --> echo transmitted traffic, received traffic, or both.
    next
end
To remove/disable SPAN configuration:
Note:
For SPAN on a software switch, the default setting 'intra-switch-policy implicit' is required. This cannot be changed after the switch is created; see the article Technical Tip: Software switch policy.
Example using a software switch:
The software switch should be created first. See the article Technical Tip: Configuring software switch.
Note:
An interface can only be added to a software switch if the interface has no IP configuration or references. Update firewall policies and any other references to refer to the software switch rather than the old interface, then add the interface to the software switch.
Once the software switch is created, use the CLI to enable SPAN on the interfaces:
config system switch-interface
    edit "Test"
        set vdom "root"
        set member "port5" "port6"
        set span enable
        set span-dest-port "port6"
        set span-source-port "port5"
    next
end
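As an added example (not part of the original article), the following Python script parses a 'config system switch-interface' block such as the one above and audits each entry against the constraints this article states: a SPAN source and destination port must both be set and must be members of the switch, and a software switch needs the default 'intra-switch-policy implicit'. The sample configuration embedded in the script is constructed for the example and contains one deliberately broken entry.

```python
import shlex

# Constructed sample: the article's "Test" switch plus a "Broken" entry whose
# destination port is not a member of the switch.
SAMPLE_CONFIG = """\
config system switch-interface
    edit "Test"
        set member "port5" "port6"
        set span enable
        set span-dest-port "port6"
        set span-source-port "port5"
    next
    edit "Broken"
        set member "port7" "port8"
        set span enable
        set span-source-port "port7"
        set span-dest-port "port9"
    next
end
"""

def parse_switch_interfaces(text):
    # Map each 'edit <name>' entry to its 'set' lines: {name: {setting: [values]}}
    switches, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = switches.setdefault(shlex.split(line)[1], {})
        elif line.startswith("set ") and current is not None:
            _, key, *values = shlex.split(line)
            current[key] = values
        elif line in ("next", "end"):
            current = None
    return switches

def check_span(sw):
    """Return the SPAN problems in one switch entry; an empty list means it is consistent."""
    if sw.get("span", ["disable"])[0] != "enable":
        return []  # nothing to verify when SPAN is off
    problems, members = [], set(sw.get("member", []))
    for role in ("span-source-port", "span-dest-port"):
        port = sw.get(role, [None])[0]
        if port is None:
            problems.append(f"span enabled but {role} is not set")
        elif port not in members:
            problems.append(f"{role} {port} is not a switch member")
    if sw.get("intra-switch-policy", ["implicit"])[0] != "implicit":
        problems.append("software-switch SPAN requires intra-switch-policy implicit")
    return problems

def audit(text):
    return {name: check_span(sw) for name, sw in parse_switch_interfaces(text).items()}
```

Running audit(SAMPLE_CONFIG) reports no problems for "Test" and flags port9 on "Broken"; the same parser can be pointed at a 'show system switch-interface' dump from a live unit.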
Hardware Switch:
On some platforms, SPAN can be configured using a hardware switch, which can give better performance for heavy traffic. SPAN on a hardware switch is not supported on platforms using NP7 or NP7XLite.
Example using a hardware switch:
The hardware switch should be created first.
Once created, SPAN can be enabled from the GUI as below:
CLI configuration:
config system interface
    edit "PortMirror"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set type hard-switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 36
    next
end
config system virtual-switch
    edit "PortMirror"
        set physical-switch "sw0"
        set span enable
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
        set span-source-port "internal1"
        set span-dest-port "internal2"
    next
end
Port mirroring for NP7:
All platforms support SPAN for software switches, as demonstrated earlier in this article. NP7 platforms also support a hardware-based port mirroring feature; see v7.4.7 Hardware Acceleration: Mirroring packets offloaded by NP7 processors.
Copyright 2025 Fortinet, Inc. All Rights Reserved.