acsuser
New Contributor

Port mirroring

Hi, I am looking for a FortiGate with port mirroring functionality and I can't find any information about which models can do this. Can the 60D do this, or do I need to look for a bigger appliance?

Thanks

1 Solution
neonbit
Valued Contributor

The Fortinet Feature/Platform Matrix shows which devices have hardware switches:

http://docs.fortinet.com/d/fortigate-fortios-5.6-feature-platform-matrix

Adrian_Buckley_FTNT

That feature requires a hardware switch and 5.2+ firmware. So any model that has a hardware switch (not a software-based switch) can do port span.

I think there was some 5.0.x experimentation with allowing the feature on software switches. However, when you think about that, it's pretty easy to see why it could fail fairly spectacularly when under load.

Some of the lower end models (like the 60D) have a built-in switch, but the internal controls are done via software. Larger devices (like the 100D) have packet control of the switch handled through hardware. I'm not sure about devices in between like the 90D, but I'm fairly sure those are software. So you probably need a 100D or larger device, with a built-in switch.

Shawn_W
Contributor

From the FortiOS CLI reference, under system > switch-interface:

config system switch-interface
    edit <group_name>
        set member <iflist>
        set span {enable | disable}
        set span-dest-port <portnum>
        set span-direction {rx | tx | both}
        set span-source-port <portlist>
        set type {hub | switch | hardware-switch}
        set vdom <vdom_name>
end

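
A complete SPAN configuration built from that syntax follows, as an added example rather than a configuration taken from this thread or from Fortinet's documentation. It assumes a model with a hardware switch running FortiOS 5.2 or later, three physical switch ports named port1, port2 and port3, and the VDOM "root"; those names are placeholders. Frames entering and leaving port1 and port2 are copied to port3, where the monitoring interface of a capture box or IDS sensor is attached.

```fortios
# Added example (not from the thread or Fortinet docs).
# Assumptions: hardware-switch model, FortiOS 5.2+, switch ports port1-port3, VDOM "root".
# Goal: mirror both directions of port1 and port2 to port3 for an attached sensor.
config system switch-interface
    edit "mirror"
        set vdom "root"
        # span is only accepted on a hardware switch, not a software switch
        set type hardware-switch
        # members must be physical switch ports; VLAN, tunnel and aggregate
        # interfaces are not accepted here, and neither is a WAN port
        set member port1 port2 port3
        set span enable
        # source and destination are chosen from the members declared above
        set span-source-port port1 port2
        set span-dest-port port3
        # rx, tx or both, relative to the source ports
        set span-direction both
    next
end
```

Members are declared before the span-source-port and span-dest-port lines because those settings select from ports that are already in the switch. A port that is still referenced by a firewall policy, address or other object has to have that reference removed before it can be added as a member. On the sensor side, the interface plugged into port3 should carry no IP address and capture in promiscuous mode. After committing, `show system switch-interface mirror` displays the resulting entry, and it is worth watching CPU usage for a while afterwards, since mirroring adds load even on hardware-switch models.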
acsuser

Thanks Shawn, what appliance range is this for?


Shawn W wrote:

From the FortiOS CLI reference, under system > switch-interface:

config system switch-interface
    edit <group_name>
        set member <iflist>
        set span {enable | disable}
        set span-dest-port <portnum>
        set span-direction {rx | tx | both}
        set span-source-port <portlist>
        set type {hub | switch | hardware-switch}
        set vdom <vdom_name>
end

Shawn_W

I am not certain. I found this in the FortiOS CLI Reference for FortiOS 5.0.

justinhatem

Working on something similar for a 201E firewall.

I don't see the options in the GUI; however, the CLI seems to support the commands. However, it won't let me use wan1 as a member or as a span source. Also, my switch ports (13 and 14) are an aggregate, so I am unable to select those either. Any ideas?

Trying to do something like this:

wf-fw01 (mirror) # show
config system switch-interface
    edit "mirror"
        set vdom "root"
        set span enable
    next
end

wf-fw01 (mirror) # set member port8

wf-fw01 (mirror) # set member wan1
entry not found in datasource

value parse error before 'wan1'
Command fail. Return code -3

wf-fw01 (mirror) #
Adrian_Buckley_FTNT

As I mentioned, 5.0 allowed this for software switches as well. That's a bad idea, since high CPU levels cause dropped packets.

5.2+ won't allow the feature to be used on a device with a software switch, so if you don't get the right device you might wind up not being able to upgrade.

emnoc
Esteemed Contributor III

Take Adrian's advice.

The cmds do exist even on the lower end models, which is misleading btw (5.2.x), and it will not allow you to select any ports after enabling span.

Also, the span activity is against "real ports" vs. virtual interfaces. So keep this in mind if you have VLAN interfaces, tunnels, etc.

As far as CPU impact, even the larger chassis has shown a slight uptick in CPU usage in my experience.

PCNSE 

NSE 

StrongSwan  

acsuser
New Contributor

OK, then I think a separate aggregation tap is required!


emnoc wrote:

Take Adrian's advice.

The cmds do exist even on the lower end models, which is misleading btw (5.2.x), and it will not allow you to select any ports after enabling span.

Also, the span activity is against "real ports" vs. virtual interfaces. So keep this in mind if you have VLAN interfaces, tunnels, etc.

As far as CPU impact, even the larger chassis has shown a slight uptick in CPU usage in my experience.


Lionel_Orishane

Hi Experts,

I'm considering a scenario to SPAN traffic on the FortiGate, then have it sent to an attached pcap analyzer application (like a Deep Discovery Inspector appliance) to analyze the packets for deeper visibility.

Kindly advise with your expertise.

Regards,

Lionel
