Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

FortiLink Network Sniffer Extension

In 6.0, the switch controller introduced traffic mirroring with a single switch. This provides a general capability, but can result in large volumes of traffic being mirrored. In 6.2, the new switch controller option of traffic-sniffer provides a targeted approach: mirrored traffic is always directed towards the FortiGate on a dedicated VLAN. This allows for easy sniffing by using the CLI or GUI. Additionally, the traffic can also be routed through the FortiGate using Encapsulated Remote Switched Port Analyzer (ERSPAN) for external analysis and storage.

With the new option, you can define targeted sniffers by IP or MAC address. Traffic matching is replicated to the FortiGate, which is helpful when you know what device you are looking for, but you don't know where it is located.

FortiLink networks can have multiple switches, and traffic typically traverses several switches. If each switch mirrors any match, the sniffer would see multiple copies of traffic. To reduce this, the targets are applied at the perimeter of the FortiSwitch network. Traffic entering by a user port or traffic from FortiGate is considered eligible for mirroring.

You can also enable traditional port-based sniffers in the ingress or egress direction.

All sniffer traffic arrives at the FortiGate using ERSPAN and the traffic is encapsulated in generic routing encapsulation (GRE).

You can only configure this feature using the CLI:

  • Use pre-defined sniffer-used switch VLAN interface:

    config system interface

    edit "snf.aggr1" ---> Newly added pre-defined switch vlan interface. Created automatically after the first FortiSwitch is discovered and authorized.

    set vdom "root"

    set ip 10.254.253.254 255.255.254.0

    set allowaccess ping

    set description "Sniffer VLAN"

    set snmp-index 33

    set switch-controller-traffic-policy "sniffer"

    set color 6

    set interface "aggr1"

    set vlanid 4092

    next

    end

  • Enable traffic sniffer based on target IP or MAC addresses on target ports of managed FortiSwitch units:

    config switch-controller traffic-sniffer ---> newly added>

    set erspan-ip 2.2.2.2 ---> Designated ERSPAN collector

    config target-mac

    edit 11:11:11:11:11:11

    next

    end

    config target-ip

    edit 4.4.4.4

    next

    end

    config target-port

    edit "S524DN4K1500XXXX"

    set in-ports "port2" "port4" "port6"

    set out-ports "port3" "port5" "port7"

    next

    end

    end

  • Use troubleshooting tools:

    FortiGate-500E (root) # diag switch-controller  switch-info mirror status S524DN4K1500XXXX 

    Managed Switch : S524DN4K1500XXXX

    flink.sniffer

    Mode                  : ERSPAN-auto

    Status                : Active

    Source-Ports:

    Ingress: port2, port4, port6

    Egress : port3, port5, port7

    Used-by-ACLs          : True

    Auto-config-state     : Resolved/Running

    Last-update  : 1464 seconds ago

    Issues       : None

    Collector-IP : 2.2.2.2

    Source-IP    : 10.254.252.208

    Source-MAC   : 08:5b:0e:ff:40:27

    Next-Hop     :

    IP                   : 10.254.253.254

    MAC                  : 00:09:0f:09:00:0c

    Via-System-Interface : sniffer

    VLAN                 : 4092(tagged)

    Via-Switch-Interface : G5H0E391790XXXX

FortiLink Network Sniffer Extension

In 6.0, the switch controller introduced traffic mirroring with a single switch. This provides a general capability, but can result in large volumes of traffic being mirrored. In 6.2, the new switch controller option of traffic-sniffer provides a targeted approach: mirrored traffic is always directed towards the FortiGate on a dedicated VLAN. This allows for easy sniffing by using the CLI or GUI. Additionally, the traffic can also be routed through the FortiGate using Encapsulated Remote Switched Port Analyzer (ERSPAN) for external analysis and storage.

With the new option, you can define targeted sniffers by IP or MAC address. Traffic matching is replicated to the FortiGate, which is helpful when you know what device you are looking for, but you don't know where it is located.

FortiLink networks can have multiple switches, and traffic typically traverses several switches. If each switch mirrors any match, the sniffer would see multiple copies of traffic. To reduce this, the targets are applied at the perimeter of the FortiSwitch network. Traffic entering by a user port or traffic from FortiGate is considered eligible for mirroring.

You can also enable traditional port-based sniffers in the ingress or egress direction.

All sniffer traffic arrives at the FortiGate using ERSPAN and the traffic is encapsulated in generic routing encapsulation (GRE).

You can only configure this feature using the CLI:

  • Use pre-defined sniffer-used switch VLAN interface:

    config system interface

    edit "snf.aggr1" ---> Newly added pre-defined switch vlan interface. Created automatically after the first FortiSwitch is discovered and authorized.

    set vdom "root"

    set ip 10.254.253.254 255.255.254.0

    set allowaccess ping

    set description "Sniffer VLAN"

    set snmp-index 33

    set switch-controller-traffic-policy "sniffer"

    set color 6

    set interface "aggr1"

    set vlanid 4092

    next

    end

  • Enable traffic sniffer based on target IP or MAC addresses on target ports of managed FortiSwitch units:

    config switch-controller traffic-sniffer ---> newly added>

    set erspan-ip 2.2.2.2 ---> Designated ERSPAN collector

    config target-mac

    edit 11:11:11:11:11:11

    next

    end

    config target-ip

    edit 4.4.4.4

    next

    end

    config target-port

    edit "S524DN4K1500XXXX"

    set in-ports "port2" "port4" "port6"

    set out-ports "port3" "port5" "port7"

    next

    end

    end

  • Use troubleshooting tools:

    FortiGate-500E (root) # diag switch-controller  switch-info mirror status S524DN4K1500XXXX 

    Managed Switch : S524DN4K1500XXXX

    flink.sniffer

    Mode                  : ERSPAN-auto

    Status                : Active

    Source-Ports:

    Ingress: port2, port4, port6

    Egress : port3, port5, port7

    Used-by-ACLs          : True

    Auto-config-state     : Resolved/Running

    Last-update  : 1464 seconds ago

    Issues       : None

    Collector-IP : 2.2.2.2

    Source-IP    : 10.254.252.208

    Source-MAC   : 08:5b:0e:ff:40:27

    Next-Hop     :

    IP                   : 10.254.253.254

    MAC                  : 00:09:0f:09:00:0c

    Via-System-Interface : sniffer

    VLAN                 : 4092(tagged)

    Via-Switch-Interface : G5H0E391790XXXX