Administration Guide

One-arm sniffer

You can use a one-arm sniffer to configure a physical interface as a one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for matches to the configured security profiles. The matches are logged, and the sniffer interface then drops all of the traffic it received. Because the interface only receives a mirrored copy of the traffic, sniffing only reports on attacks; it does not deny or influence the original traffic.

You can also use the one-arm sniffer to configure the FortiGate to operate as an IDS appliance that sniffs network traffic for attacks without actually processing the packets. To configure a one-arm IDS, enable sniffer mode on a physical interface and connect the interface to the SPAN port of a switch or to a dedicated network TAP that replicates the traffic to the FortiGate.

If the one-arm sniffer option is not available, this means the interface is in use. Ensure that the interface is not selected in any firewall policies, routes, virtual IPs, or other features where a physical interface is specified. The option also does not appear if the role is set to WAN. Ensure the role is set to LAN, DMZ, or undefined.

One-arm sniffer supports VLAN, VXLAN, and GRE interfaces.

The following table lists some of the one-arm sniffer settings you can configure:

Field: Security Profiles

Description:

The following profiles are configurable in the GUI and CLI:

  • Antivirus
  • Web filter
  • Application control
  • IPS
  • File filter

The following profiles are only configurable in the CLI:

  • Email filter
  • DLP
  • IPS DoS

Note

Each security profile has a predefined profile for One-Arm Sniffer called sniffer-profile. The sniffer-profile can be viewed or edited from the GUI through the Edit Interface page only. Please refer to the Example configuration for a demonstration.

CPU usage and packet loss

Traffic scanned on the one-arm sniffer interface is processed by the CPU, even if an SPU, such as an NPU or CP, is present. The one-arm sniffer may therefore cause higher CPU usage and deliver lower performance than traditional inline scanning, which uses NTurbo or the CP to accelerate traffic when they are present.

The absence of high CPU usage does not indicate the absence of packet loss. Packet loss may occur due to the capacity of the TAP devices hitting maximum traffic volume during mirroring, or on the FortiGate when the kernel buffer size is exceeded and it is unable to handle bursts of traffic.

Example configuration

The following example shows how to configure a file filter profile that blocks PDF and RAR files used in a one-arm sniffer policy.

To configure a one-arm sniffer policy in the GUI:
  1. Go to Network > Interfaces and double-click a physical interface to edit it.

  2. For Role, select either LAN, DMZ, or Undefined.

  3. For Addressing Mode, select One-Arm Sniffer.

  4. In the Security Profiles section, enable File Filter and click Edit. The Edit File Filter Profile pane opens.

  5. In the Rules table, click Create New.

  6. Configure the rule:

    1. For File types, click the + and select pdf and rar.

    2. For Action, select Block.

    3. Click OK to save the rule.

  7. Click OK to save the file filter profile.

  8. Click OK to save the interface settings.

  9. Go to Log & Report > Security Events to view the File Filter logs.

To configure a one-arm sniffer policy in the CLI:
  1. Configure the interface:

    config system interface
        edit "s1"
            set vdom "root"
            set ips-sniffer-mode enable
            set type physical
            set role undefined
            set snmp-index 31
        next
    end
  2. Configure the file filter profile:

    config file-filter profile
        edit "sniffer-profile"
            set comment "File type inspection."
            config rules
                edit "1"
                    set protocol http ftp smtp imap pop3 cifs
                    set action block
                    set file-type "pdf" "rar"
                next
            end
        next
    end
  3. Configure the firewall sniffer policy:

    config firewall sniffer
        edit 1
            set interface "s1"
            set file-filter-profile-status enable
            set file-filter-profile "sniffer-profile"
        next
    end
  4. View the log:

    # execute log filter category 19
    # execute log display
    1 logs found.
    1 logs returned.
    
    1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" direction="outgoing" action="blocked" rulename="1" filename="hello.pdf" filesize=9539 filetype="pdf" msg="File was blocked by file filter."
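The log line above is in the FortiGate key=value format, where values containing spaces are double-quoted. The following Python script is an added example, not part of the Fortinet guide: it parses such lines, keeps only the utm/file-filter events and summarizes them the way a SOC analyst collecting sniffer detections might. The first sample line is the log line shown above; the second is a constructed, non-file-filter traffic line that the filter must ignore. The check that srcintf and dstintf both name the sniffer interface ("s1") reflects what the sample line shows and is an assumption, not documented FortiOS behaviour.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input. The first line is copied from the "View the log" step of the
# guide (including the "1: " prefix printed by "execute log display"); the second is a
# constructed traffic log that is NOT a file-filter event and must be filtered out.
SAMPLE_LINES = [
    '1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 '
    'srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" '
    'dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" '
    'direction="outgoing" action="blocked" rulename="1" filename="hello.pdf" '
    'filesize=9539 filetype="pdf" msg="File was blocked by file filter."',
    # constructed line, not from the guide
    '2: date=2020-12-29 time=09:15:02 type="traffic" subtype="forward" level="notice" '
    'vd="root" srcip=10.1.100.12 srcintf="port1" dstip=172.16.200.55 dstintf="port2" '
    'action="accept" msg="constructed traffic log, should be ignored"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces and
# escaped quotes) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict of string fields.

    Leading display prefixes such as "1: " contain no "=" and are skipped by the regex.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def summarize_file_filter_events(lines: Iterable[str], sniffer_intf: str) -> List[Dict[str, object]]:
    """Return a summary record for every utm/file-filter event in the input lines.

    on_sniffer is True when both srcintf and dstintf equal the sniffer interface, as in the
    sample line from the guide (an assumption about how sniffer events are logged).
    """
    events: List[Dict[str, object]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "utm" or f.get("subtype") != "file-filter":
            continue
        events.append({
            "time": f"{f.get('date')} {f.get('time')}",
            "policyid": int(f.get("policyid", "0")),
            "src": f"{f.get('srcip')}:{f.get('srcport')}",
            "dst": f"{f.get('dstip')}:{f.get('dstport')}",
            "service": f.get("service"),
            "profile": f.get("profile"),
            "rulename": f.get("rulename"),
            "action": f.get("action"),
            "filename": f.get("filename"),
            "filetype": f.get("filetype"),
            "filesize": int(f.get("filesize", "0")),
            "on_sniffer": f.get("srcintf") == sniffer_intf and f.get("dstintf") == sniffer_intf,
        })
    return events


def count_by_filetype(events: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count file-filter events per detected file type (e.g. for a quick triage view)."""
    counts: Dict[str, int] = {}
    for e in events:
        ftype = str(e["filetype"])
        counts[ftype] = counts.get(ftype, 0) + 1
    return counts


if __name__ == "__main__":
    found = summarize_file_filter_events(SAMPLE_LINES, "s1")
    for e in found:
        print(f"{e['time']} {e['service']} {e['src']} -> {e['dst']} "
              f"{e['action']} {e['filename']} ({e['filesize']} bytes) sniffer={e['on_sniffer']}")
    print(count_by_filetype(found))
```

Because the sniffer policy only reports, action="blocked" in these events describes what happened to the mirrored copy; the summary is useful as a detection feed, and on_sniffer lets you separate sniffer-policy events from inline file-filter events when both are logged into the same category.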
