Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fortigate
New Contributor

One-Arm Sniffer port and logging to Forticloud

Hi!

My scheme

HP 2530-24G switch with configured mirror port. Fortigate 100D connected to this port.

On the Fortigate I configured lan port as One-Arm Sniffer  and check 

Include Non-IP Packets

and Log Allowed Traffic  All Sessions

no Secuity profiles enabled

In this situation there are no logs in the Sniffer Traffic section of the Log&Report

If I enable some Security Profile I can see some logs then. But I want log all sessions. Not filter it by applications or something else.

Is it possible to achieve?

Thanks

4 REPLIES 4
Toshi_Esumi
SuperUser
SuperUser

I haven't done but this cookbook says how to do it with FortiAnalyzer including traffic log.

https://docs.fortinet.com/uploaded/files/1874/analyzing-your-network-traffic-using-a-one-armed-sniff...

If it's doable with FortiAnalyzer, I would assume the same goes for FortiCloud. Based on CLI "config log fortiguard" for FortiCloud, it seems to have same/similar log setting capability with "config log fortianalyzer".

darwin_FTNT

In one-arm sniffer mode, the traffic log is generated by ipsengine daemon (which is a wrapper for libips.so).  So have to enable flow-based utm that will startup the process ipsengine.  One-arm sniffer mode is mainly for ips originally but generating traffic log was added later on.  Kernel done very limited processing on packets when in sniffer mode.  Also in sniffer mode, packets can't be blocked but only logged as this is a read-only network operation.

 

In normal firewall policy, the sessions are handled by kernel and the traffic log is sent by kernel to miglogd.  You can verify this by doing 'diag sys session list' in one-arm sniffer mode and the kernel sessions are empty.  Traffic logs could be generated by kernel and also proxy daemon if the sessions are managed by them.

 

Currently, the gui doesn't fully support all the statistics gathered in sniffer mode but should be gradually implemented overtime.

fortigate

darwin wrote:

In one-arm sniffer mode, the traffic log is generated by ipsengine daemon (which is a wrapper for libips.so).  So have to enable flow-based utm that will startup the process ipsengine.  One-arm sniffer mode is mainly for ips originally but generating traffic log was added later on.  Kernel done very limited processing on packets when in sniffer mode.  Also in sniffer mode, packets can't be blocked but only logged as this is a read-only network operation.

its completely ok, I just need to log traffic from mirror port, nothing need to be blocked

so what is your advice: turn on ipflow generator and use Fortigate as flow collector? if yes, the how to configure it on the device?

As far as I understand, its not possible to log clear sniffer traffic (means just source-destination ip sessions)?

thanks

 

darwin wrote:

In normal firewall policy, the sessions are handled by kernel and the traffic log is sent by kernel to miglogd.  You can verify this by doing 'diag sys session list' in one-arm sniffer mode and the kernel sessions are empty.  Traffic logs could be generated by kernel and also proxy daemon if the sessions are managed by them.

looks like its not for me, cause I'm not using Fortigate as firewall device, just monitoring (for now)

 

darwin_FTNT

Traffic log contains a session summary.  Utm event logs contains a bit more details triggered per event for a single session.  E.g., for app-control, it could displays ssl certificate issuer, detected app name.  For webfilter utm profile, it displays the host and url if log-all is enabled in the profile.  For IPS, can also enable logging of pre/post packets during detected attack (see IPS utm profile details in CLI). The traffic logs and utm logs are both linked together by session id or serial (unique per session but could reset if rebooted as this is a incremental global counter only starting from 1).  You can filter by fields.  To view these logs in CLI, do:

# execute log filter category  Available categories: 0: traffic 1: event 2: utm-virus 3: utm-webfilter 4: utm-ips 5: utm-emailfilter 7: anomaly 8: voip 9: utm-dlp 10: utm-app-ctrl 12: utm-waf 14: gtp 15: dns

 

To enable one-arm sniffer mode on an interface:

 

# config system interface

(interface) # edit port1

(port1) # set ips-sniffer-mode enable

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors