FortiGate
gmanea, Staff
Article Id 198276

Description


This article explains how to set up SPAN (port mirroring) using ports associated with the underlying switch.

 

Scope

 

FortiGate.


Solution

 

The Switch Port Analyzer (SPAN) feature is available only when the interface type is switch. Port spanning echoes traffic received by the software switch to the SPAN destination port, so it can be used to monitor all traffic passing through the soft switch. Both the SPAN destination port and the SPAN source ports (the switch ports whose traffic is echoed) are configurable. SPAN is disabled by default.

SPAN for a soft switch can be enabled in the CLI:

 

config system switch-interface
    edit <switch-name>
        set vdom <vdom-name>              --> Name of the VDOM; if no VDOMs are configured, this is root
        set member <port> <port> ...      --> Ports that are members of the switch and can take part in SPAN
        set span enable
        set span-source-port <port> ...
        set span-dest-port <port>
        set span-direction {rx | tx | both}
    next
end

 

span-dest-port <port>

Enter the name of the SPAN destination port. All traffic on the SPAN source ports is echoed to the SPAN destination port. Use <tab> to advance through the list of available interfaces. Available when SPAN is enabled.

 

span-direction {rx | tx | both}

 

Select the direction in which the span port operates:

 

  • rx: copy only received packets from the source SPAN ports to the destination SPAN port.
  • tx: copy only transmitted packets from the source SPAN ports to the destination SPAN port.
  • both (the default): copy both transmitted and received packets from the source SPAN ports to the destination SPAN port.

 

Example: 

 

To create SPAN on a Software switch, the Software switch should be created first:

 

  • Create the Software switch under Network -> Interfaces, select 'Create New', select type 'Software switch', and add the interfaces as members (port5 and port6, for example).

 


 

Once the Software switch is created, use the CLI to enable SPAN on its member interfaces.

Example:

config system switch-interface
    edit "Test"
        set vdom "root"
        set member "port5" "port6"
        set span enable
        set span-dest-port "port6"
        set span-source-port "port5"
    next
end

 

SPAN can also be configured on a Hardware switch:

 

Example:

To create SPAN on a Hardware switch, the Hardware switch should be created first:

  • Create the Hardware switch under Network -> Interfaces, select 'Create New', select type 'Hardware switch', and add the interfaces as members (internal1 and internal2).

 


 

Once the Hardware switch is created, SPAN can be enabled from the GUI, or from the CLI as follows:

 


 

CLI configuration:

 

config system interface
    edit "PortMirror"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set type hard-switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 36
    next
end

 

config system virtual-switch
    edit "PortMirror"
        set physical-switch "sw0"
        set span enable
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
        set span-source-port "internal1"
        set span-dest-port "internal2"
    next
end

 

Intra-switch-policy requirement (this setting cannot be changed after the switch is configured; to change it, delete the soft switch and create it again):

  • intra-switch-policy must be set to implicit to allow packet mirroring.
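As an added example (not Fortinet's code), the following script parses a `config system switch-interface` block and checks the SPAN rules this article states for the software-switch CLI example and the intra-switch-policy requirement: the SPAN destination and source ports must be switch members, a port cannot be both source and destination, span-direction must be rx, tx or both, and intra-switch-policy must be implicit. The sample configuration is constructed input, the article's "Test" switch plus a deliberately broken entry.

```python
import shlex
# Constructed input: the article's "Test" switch plus a deliberately broken entry.
SAMPLE_CFG = """\
config system switch-interface
    edit "Test"
        set member "port5" "port6"
        set span enable
        set span-dest-port "port6"
        set span-source-port "port5"
    next
    edit "Broken"
        set member "port5" "port6"
        set intra-switch-policy explicit
        set span enable
        set span-dest-port "port5"
        set span-source-port "port5" "port7"
        set span-direction up
    next
end
"""
def parse_switch_interfaces(text):
    """Return {switch_name: {setting: [values]}} for each 'edit' entry."""
    switches, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line) or [""]   # quoted port names; blank -> [""]
        if tokens[0] == "edit":
            current = switches.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return switches
def check_span(s):
    """List the SPAN rules from the article that one switch entry violates."""
    if s.get("span") != ["enable"]:
        return []                            # nothing is mirrored
    members, problems = set(s.get("member", [])), []
    dest, sources = s.get("span-dest-port", []), s.get("span-source-port", [])
    if len(dest) != 1 or dest[0] not in members:
        problems.append("span-dest-port must be exactly one member port")
    for src in sources:
        if src not in members:
            problems.append(f"span-source-port {src} is not a member")
        if src in dest:
            problems.append(f"{src} cannot be both source and destination")
    if s.get("span-direction", ["both"])[0] not in ("rx", "tx", "both"):
        problems.append("span-direction must be rx, tx or both")
    if s.get("intra-switch-policy", ["implicit"]) != ["implicit"]:
        problems.append("intra-switch-policy must be implicit for mirroring")
    return problems
```

Run `check_span` over each entry returned by `parse_switch_interfaces` on a `show system switch-interface` dump before pushing a change; an empty list means the entry satisfies the rules above.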