I am attempting to setup a VoIP call recording system. The system works by mirroring traffic from the phone sets that need to be recorded to a port that has the recording system interface connected to it. The phone sets in question are connected to different switches throughout the campus, all switches are managed through the Fortilink switch manager in the Fortigate.
I have setup the switch-controller traffic-sniffer in the FG as an RSPAN and then set the target in/out ports for the switches and the respective ports that need to be mirrored, I set the port that the recording server's recording interface is connected to as VLAN 4092 native. However, the traffic is never making it to the recording server interface.
If I run a packet capture in the Fortigate for VLAN 4092, I can see all the mirrored traffic, so I know the traffic is making it to VLAN 4092, but it is not making it to the server's recording interface. If I enable packet sampling on the server interface and run a diag sniffer packet for that port, it too shows that none of the mirror traffic is making it to that port.
I have been working on this for two weeks, with Fortinet support also involved and no one can seem to figure out how to make it work.
The hardware involved is an HA pair of FG601E v6.4.8 firewalls and a mix of FS248E-FPOE and FS448E-FPOE switches running 7.0.1 or 7.0.2 code. All hardware being used is stated to support SPAN, RSPAN and ERSPAN.
Created on 04-14-2022 09:52 PM
Hello joejackson,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Fortinet Community Team
Created on 04-25-2022 05:53 AM
Hello @joejackson ,
Thank you for posting to Fortinet Community Forum. As per your query in RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.
NOTE: RSPAN is supported on FSR-112D-POE, FSR-124D, and on platforms 2xx and higher.
In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP ping. If no IP address is specified, the traffic is not mirrored.
https://docs.fortinet.com/document/fortiswitch/6.4.2/administration-guide/428704/mirroring
Also can you please show the traffic sniffer you were able to see the traffic for VLAN 4092
Thank you
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.