Mirror traffic of Ipsec interface
Hi all,
In a scenario with two locations connected via an IPsec tunnel, where the remote office accesses the internet through the WAN port in the main office, is it possible to capture the remote office - internet traffic (and vice versa) and send it to an analysis sensor?
Something like port mirroring in the L2 world.
Thank you,
Drazen
Not exactly sure about your analogy of mirroring. But if you want to capture traffic from/to the remote office on the local side, you can sniff packets on the IPsec interface like...
diag sniffer packet <Phase1_Interface_Name> '<whatever_filters_you_want>' 6 0 l
You likely need to disable ASIC offloading on those in/out IPsec policies though, with like...
set auto-asic-offload disable
Toshi
Thx Toshi,
In the main office I have a SPAN port configured on the FortiSwitch; the uplink from the switch to the FortiGate is mirrored to another port where the analysis software is running.
I would like to send traffic originating from the remote office, and also traffic destined to the remote office, to that analysis software (a VM in a separate VLAN in the main office).
Hope I explained it better now.
Ty
That wouldn't be so easy in the way you want to duplicate the specific traffic and send it to a physical port. Because once the traffic hits the FSW you have, it's encapsulated & encrypted. So it has to be duplicated before hitting / after coming out of the IPsec interface inside of the FGT.
One thing I can think of as a possibility is setting up sFlow on the IPsec interface to the IP of the monitoring device. The IPsec interface itself seems to accept the sFlow config, so it should work. But I don't know if it's before or after the encapsulation/encryption. I have almost never used sFlow before.
Also, I'm almost sure you have to disable ASIC offloading on the IPsec policies.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-sFlow/ta-p/196930
Toshi
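As an added example (not from Toshi's posts or from Fortinet's documentation), here is how the two pieces suggested above fit together in the FortiOS CLI: sFlow sampling on the phase1 interface towards the collector VM, and the offload change on the policies that carry the remote-office traffic. The interface name `vpn-remote`, the collector IP `10.10.10.50`, the policy ID `10` and the remote subnet are assumed placeholders.

```fortios
# sFlow collector = the analysis VM in the main-office VLAN (assumed IP)
config system sflow
    set collector-ip 10.10.10.50
    set collector-port 6343
end

# enable sampling on the IPsec phase1 interface (assumed name "vpn-remote")
config system interface
    edit "vpn-remote"
        set sflow-sampler enable
        set sample-rate 20
        set sample-direction both
        set polling-interval 20
    next
end

# disable ASIC offload on the policy that carries remote-office <-> internet traffic
# (assumed policy ID 10); repeat for the reverse-direction policy if you have one
config firewall policy
    edit 10
        set auto-asic-offload disable
    next
end

# quick check that the inner (decrypted) packets are visible on the tunnel interface
# diagnose sniffer packet vpn-remote 'net 192.168.2.0/24' 6 0 l
```

sFlow exports sampled packet headers (one packet per `sample-rate` here), so it is a statistical view, not a byte-for-byte copy like a SPAN port; for a full capture the sniffer command in the comment is the tool.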
Toshi,
One more thing: I thought of setting up an RSPAN mirror on the port where the FSW and FG are connected and sending it to a collector on the other side of the tunnel.
I will also try with sFlow.
Ty so much,
Drazen
As I said before, at that point the traffic would be encrypted. Also be aware that disabling ASIC offloading would affect performance. For test purposes it's OK, but if it's semi-permanent I wouldn't do that.
Toshi
