I want to implement Decrypted Traffic Mirror feature but I haven't seen a Fortinet document that would explain the Destination MAC meaning. What is it?
1a. The MAC for the webserver whose decrypted traffic will be mirrored?
1b. The MAC for the capturing server which captures the decrypted SSL traffic? It is more likely this case because the same GUI window also needs a port to send the decrypted traffic to.
2. If the given example with ff:ff:ff:ff:ff:ff works for all cases then what is the meaning of those f's? Is it a filter or exact-match value? What changes when I replace that part with ff:ff:ff:ff:ff:f0 or any other real value? I guess that depends on the answer from the first question. Why isn't there an IP-address instead, whichever case it is (1a or 1b)? Is there anything to do with mirroring the traffic to multiple servers and all f's send this traffic to all servers behind the physical/virtual port?