Fortinet black logo

Hardware Acceleration

Home FortiGate / FortiOS 7.4.2 Hardware Acceleration
7.4.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.6
6.4.5
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.9
6.2.7
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
5.6.0

Mirroring packets offloaded by NP7 processors

Mirroring packets offloaded by NP7 processors

Using NP7 packet mirroring, you can mirror (or copy) packets offloaded by NP7 processors to a FortiGate interface. The interface sends the mirrored packets to an external server for storage or analysis.

You configure NP7 packet mirroring by enabling port-morroring for a physical interface. Once enabled, all traffic passing through that interface that is offloaded by NP7 processors can be copied to a mirroring interface (mirroring-port). You can configure NP7 packet mirroring to send all packets passing through the interface in either direction or you can mirror just packets sent (tx) or received (rx) by the interface.

config system interface

edit <interface-name>

set port-mirroring {disable | enable}

set mirroring direction {both | rx | tx}

set mirroring-port <interface-name>

end

For example, use the following command to mirror all NP7-offloaded packets sent by the port7 interface to the port20 interface.

config system interface

edit port7

set port-mirroring enable

set mirroring direction tx

set mirroring-port port20

end

You must send the mirrored packets to a different interface than the interface that sends or receives them. You can enable NP7 packet mirroring for multiple interfaces and send mirrored packets from more than one interface to the same mirroring interface.

Filtering mirrored packets

For each interface that is mirroring NP7 packets, you can optionally configure mirror filtering to restrict the packets that are mirrored. Mirror filtering can restrict packet mirroring by source IP address, destination IP address, source port, destination port, and protocol.

You can create one filter per interface. The default setting of each option means no filtering.

config system interface

edit <interface-name>

set port-mirroring enable

config mirroring-filter

set filter-srcip <ip-address>

set filter-dstip <ip-address>

set filter-sport <port>

set filter-dport <port>

set filter-protocol <protocol>

end

Previous
Next

Mirroring packets offloaded by NP7 processors

Using NP7 packet mirroring, you can mirror (or copy) packets offloaded by NP7 processors to a FortiGate interface. The interface sends the mirrored packets to an external server for storage or analysis.

You configure NP7 packet mirroring by enabling port-morroring for a physical interface. Once enabled, all traffic passing through that interface that is offloaded by NP7 processors can be copied to a mirroring interface (mirroring-port). You can configure NP7 packet mirroring to send all packets passing through the interface in either direction or you can mirror just packets sent (tx) or received (rx) by the interface.

config system interface

edit <interface-name>

set port-mirroring {disable | enable}

set mirroring direction {both | rx | tx}

set mirroring-port <interface-name>

end

For example, use the following command to mirror all NP7-offloaded packets sent by the port7 interface to the port20 interface.

config system interface

edit port7

set port-mirroring enable

set mirroring direction tx

set mirroring-port port20

end

You must send the mirrored packets to a different interface than the interface that sends or receives them. You can enable NP7 packet mirroring for multiple interfaces and send mirrored packets from more than one interface to the same mirroring interface.

Filtering mirrored packets

For each interface that is mirroring NP7 packets, you can optionally configure mirror filtering to restrict the packets that are mirrored. Mirror filtering can restrict packet mirroring by source IP address, destination IP address, source port, destination port, and protocol.

You can create one filter per interface. The default setting of each option means no filtering.

config system interface

edit <interface-name>

set port-mirroring enable

config mirroring-filter

set filter-srcip <ip-address>

set filter-dstip <ip-address>

set filter-sport <port>

set filter-dport <port>

set filter-protocol <protocol>

end

Previous
Next