Decrypted Traffic Mirror questions
Hello!
I want to implement the Decrypted Traffic Mirror feature, but I haven't seen a Fortinet document that explains what the Destination MAC means. What is it?
1a. The MAC for the webserver whose decrypted traffic will be mirrored?
1b. The MAC for the capturing server which captures the decrypted SSL traffic? It is more likely this case because the same GUI window also needs a port to send the decrypted traffic to.
2. If the given example with ff:ff:ff:ff:ff:ff works for all cases, then what is the meaning of those f's? Is it a filter or an exact-match value? What changes when I replace that part with ff:ff:ff:ff:ff:f0 or any other real value? I guess that depends on the answer to the first question. Why isn't there an IP address instead, whichever case it is (1a or 1b)? Does it have anything to do with mirroring the traffic to multiple servers, with all f's sending this traffic to all servers behind the physical/virtual port?
Hi,
Yes, you are right. The MAC address is a broadcast address, so that any host behind the mirrored port interface could get the traffic. You can configure it with a real value too if it is intended only to be sent to one specific host for reception.
Best regards,
Jin
Thank you for the information. So I understand it means this:
1. All f's means "MAC broadcast": any server behind the port gets the traffic.
2. Anything else is a specific MAC, and only the server with this MAC will get the decrypted traffic.
Yes, that's absolutely correct!
Best regards,
Jin
