Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kbahrudin_FTNT
Staff
Staff

Created on ‎07-22-2015 05:34 PM Edited on ‎05-22-2025 07:04 AM By Moderator

Article Id 191137

Technical Tip: SPAN (Port Mirroring) using ports associated to underlying switch chip/driver

Description

 
This article explains how to setup SPAN (Port Mirroring) using ports associated to underlying switch chip/driver.


Scope

 
FortiGate, SPAN (Port Mirroring).


Solution

 
The Switch Port Analyzer (SPAN) feature is now available for Hardware Switch interfaces on FortiGate models with built-in hardware switches.

Confirming which models contain a built-in hardware switch can be done by consulting the FortiOS Feature/Platform Matrix on docs.fortinet.com and selecting the FortiOS version closest to the one running on the device and looking for 'Virtual Hardware Switch' once the file is downloaded.

Link to platform/feature matrix: FortiOS Feature/Platform Matrix
 
To enable SPAN on a hardware switch via the GUI, go to System > Network > Interfaces and edit a hardware switch interface.

By default, the system may have a hardware switch interface called LAN. A new hardware switch interface can also be created.
  • Select the SPAN check box, then select a source port from which traffic will be mirrored.
  • Select the destination port to which the mirrored traffic is sent.
  • Select to mirror traffic received, traffic sent, or both.

SPAN can also be enabled in the CLI:
 
config system virtual-switch
    edit <Name of the virtual switch>
        set span enable
        set span-source-port <port>
        set span-dest-port <port>
        set span-direction {both | tx | rx}
    end
end

 

Note:

The hardware switch does not support multiple source ports. To specify multiple source ports for SPAN, it is possible to use a software switch instead. 

 

config system switch-interface 
    edit <port>
        set span enable
        set span-source-port <port> <port>   <----- Multiple ports specified separated by space.
        set span-dest-port <port>
        set span-direction {both | tx | rx}
    end
end

 

Note:

If mirroring WAN interfaces is required, it is necessary to create a virtual switch interface and add at least two ports to it: one for the WAN connection and one for the mirror port. The virtual switch interface should function as the WAN connection without issues.

 

It is important to note that before adding the WAN port to the virtual switch, it is necessary to remove the WAN port from all existing references. After configuring the virtual switch and the port mirroring, it is recommended to update the firewall policies and any other references to replace the old WAN interface with the new WAN-SPAN interface.

 

Note: 

Only SPAN is supported on the FortiGate; RSPAN and ERSPAN are not supported. RSPAN and ERSPAN are only available on FortiSwitch.

 

Note:

Port mirroring is not possible on the FortiLink interface on FortiGate. However, it can be achieved on the FortiSwitch.

 

Related article:

Technical Tip: SPAN (Port Mirroring)

120691
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.