Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.0.1 Administration Guide
    7.0.1
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Network monitoring

    Network monitoring

    You can monitor specific unicast MAC addresses in directed mode, monitor all detected MAC addresses on a FortiSwitch unit in survey mode, or do both. The FortiSwitch unit gives the directed mode a higher priority than survey mode. The directed mode and survey mode are disabled by default.

    NOTE: Network monitoring is not available on FSR-112D-POE.

    This section covers the following topics:

    Directed mode

    In directed mode, you select which unicast MAC addresses that you want examined. The FortiSwitch unit detects various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of two databases.

    NOTE: You cannot specify broadcast or multicast MAC addresses.

    The maximum number of MAC addresses that can be monitored depends on the FortiSwitch model.

    Platform Series

    Maximum Number of MAC Addresses Monitored

    Maximum Number of Hosts

    1xx, 2xx

    10

    250

    4xx, 5xx

    20

    1,024

    10xx, 30xx

    30

    4,096

    To find out how many network monitors are available, use the following command:

    diagnose switch network-monitor cfg-stats

    Network Monitor Configuration Statistics:

    ----------------------------------

    Adds : 0

    Deletes : 0

    Free Entries : 20

    To find out which network monitors are being used currently, use the following command:

    diagnose switch network-monitor dump-monitors

    Entry ID       Monitor Type       Monitor MAC      Packet-count
=================================================================
1               directed-mode   00:01:02:03:04:05       10
2               directed-mode   10:01:02:03:04:05       0
3               survey-mode     08:5b:0e:c1:07:65       419
4               survey-mode     08:5b:0e:4f:af:38       101
5               survey-mode     08:5b:0e:ce:59:40       2347
6               survey-mode     08:5b:0e:4f:af:44       0
7               survey-mode     08:5b:0e:c1:07:65       0
8               survey-mode     08:5b:0e:4f:af:38       80
9               survey-mode     08:5b:0e:ce:59:40       117
10              survey-mode     08:5b:0e:4f:af:44       0

    To start network monitoring, use the following commands:

    config switch network-monitor settings

    set status enable

    end

    To specify a single unicast MAC address (formatted like this: xx:xx:xx:xx:xx:xx) to be monitored, use the following commands:

    config switch network-monitor directed

    edit <unused network monitor>

    set monitor-mac <MAC address>

    next

    end

    For example:

    config switch network-monitor directed

    edit 1

    set monitor-mac 00:25:00:61:64:6d

    next

    end

    Survey mode

    In survey mode, the FortiSwitch unit detects MAC addresses to monitor for a specified number of seconds. You can specify network monitoring for 120 to 3,600 seconds. The default time is 120 seconds. The FortiSwitch unit detects various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of two databases.

    To start network monitoring in survey mode, use the following commands:

    config switch network-monitor settings

    set status enable

    set survey-mode enable

    set survey-mode-interval <120-3600 seconds>

    end

    For example:

    config switch network-monitor settings

    set status enable

    set survey-mode enable

    set survey-mode-interval 480

    end

    Network monitoring statistics

    After you have enabled network monitoring, you can view the statistics for the number and types of packets.

    To see the type of packets going to and from monitored MAC addresses, use the following command:

    diagnose switch network-monitor parser-stats

    Network Monitor Parser Statistics:

    ----------------------------------

    Arp : 0

    Ip : 1

    Udp : 46

    Tcp : 353

    Dhcp : 0

    Eapol : 0

    Unsupported : 352

    To see the number of packets going to and from monitored MAC addresses, use the following command:

    diagnose switch network-monitor dump-monitors

    Entry ID       Monitor Type       Monitor MAC      Packet-count
=================================================================
1               directed-mode   00:01:02:03:04:05       10
2               directed-mode   10:01:02:03:04:05       0
3               survey-mode     08:5b:0e:c1:07:65       419
4               survey-mode     08:5b:0e:4f:af:38       101
5               survey-mode     08:5b:0e:ce:59:40       2347
6               survey-mode     08:5b:0e:4f:af:44       0
7               survey-mode     08:5b:0e:c1:07:65       0
8               survey-mode     08:5b:0e:4f:af:38       80
9               survey-mode     08:5b:0e:ce:59:40       117
10              survey-mode     08:5b:0e:4f:af:44       0

    NOTE: The FortiSwitch unit creates an entry in the layer-3 database using the exact packet contents when they were parsed. If the MAC address is then assigned to a different VLAN, this change might not be detected immediately. If there is a discrepancy in the output for the diagnose switch network-monitor dump-l2-db and diagnose switch network-monitor dump-l3-db commands, use the output with the more recent time stamp.

    To see all detected devices from the layer-2 database, use the following command:

    diagnose switch network-monitor dump-l2-db

    mac 00:01:02:03:04:05 vlan 1

    created 19 secs ago, last seen 16 secs ago

    user JoE sources: eapol

    To see all detected devices from the IP address database, use the following command:

    diagnose switch network-monitor dump-l3-db

    mac 08:5b:0e:c1:07:65 ip 169.254.2.2 vlan 4094

    created 63614 secs ago, last seen 2 secs ago

    sources: arp ip

    mac 00:10:20:30:40:50 ip 10.10.10.111 vlan 123

    created 75 secs ago, last seen 45 secs ago

    sources: arp ip

    mac 00:11:22:33:44:55 ip 30.30.30.115 vlan 1

    created 53 secs ago, last seen 53 secs ago

    sources: dhcp arp ip

    Previous
    Next

    Network monitoring

    Network monitoring

    You can monitor specific unicast MAC addresses in directed mode, monitor all detected MAC addresses on a FortiSwitch unit in survey mode, or do both. The FortiSwitch unit gives the directed mode a higher priority than survey mode. The directed mode and survey mode are disabled by default.

    NOTE: Network monitoring is not available on FSR-112D-POE.

    This section covers the following topics:

    Directed mode

    In directed mode, you select which unicast MAC addresses that you want examined. The FortiSwitch unit detects various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of two databases.

    NOTE: You cannot specify broadcast or multicast MAC addresses.

    The maximum number of MAC addresses that can be monitored depends on the FortiSwitch model.

    Platform Series

    Maximum Number of MAC Addresses Monitored

    Maximum Number of Hosts

    1xx, 2xx

    10

    250

    4xx, 5xx

    20

    1,024

    10xx, 30xx

    30

    4,096

    To find out how many network monitors are available, use the following command:

    diagnose switch network-monitor cfg-stats

    Network Monitor Configuration Statistics:

    ----------------------------------

    Adds : 0

    Deletes : 0

    Free Entries : 20

    To find out which network monitors are being used currently, use the following command:

    diagnose switch network-monitor dump-monitors

    Entry ID       Monitor Type       Monitor MAC      Packet-count
=================================================================
1               directed-mode   00:01:02:03:04:05       10
2               directed-mode   10:01:02:03:04:05       0
3               survey-mode     08:5b:0e:c1:07:65       419
4               survey-mode     08:5b:0e:4f:af:38       101
5               survey-mode     08:5b:0e:ce:59:40       2347
6               survey-mode     08:5b:0e:4f:af:44       0
7               survey-mode     08:5b:0e:c1:07:65       0
8               survey-mode     08:5b:0e:4f:af:38       80
9               survey-mode     08:5b:0e:ce:59:40       117
10              survey-mode     08:5b:0e:4f:af:44       0

    To start network monitoring, use the following commands:

    config switch network-monitor settings

    set status enable

    end

    To specify a single unicast MAC address (formatted like this: xx:xx:xx:xx:xx:xx) to be monitored, use the following commands:

    config switch network-monitor directed

    edit <unused network monitor>

    set monitor-mac <MAC address>

    next

    end

    For example:

    config switch network-monitor directed

    edit 1

    set monitor-mac 00:25:00:61:64:6d

    next

    end

    Survey mode

    In survey mode, the FortiSwitch unit detects MAC addresses to monitor for a specified number of seconds. You can specify network monitoring for 120 to 3,600 seconds. The default time is 120 seconds. The FortiSwitch unit detects various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of two databases.

    To start network monitoring in survey mode, use the following commands:

    config switch network-monitor settings

    set status enable

    set survey-mode enable

    set survey-mode-interval <120-3600 seconds>

    end

    For example:

    config switch network-monitor settings

    set status enable

    set survey-mode enable

    set survey-mode-interval 480

    end

    Network monitoring statistics

    After you have enabled network monitoring, you can view the statistics for the number and types of packets.

    To see the type of packets going to and from monitored MAC addresses, use the following command:

    diagnose switch network-monitor parser-stats

    Network Monitor Parser Statistics:

    ----------------------------------

    Arp : 0

    Ip : 1

    Udp : 46

    Tcp : 353

    Dhcp : 0

    Eapol : 0

    Unsupported : 352

    To see the number of packets going to and from monitored MAC addresses, use the following command:

    diagnose switch network-monitor dump-monitors

    Entry ID       Monitor Type       Monitor MAC      Packet-count
=================================================================
1               directed-mode   00:01:02:03:04:05       10
2               directed-mode   10:01:02:03:04:05       0
3               survey-mode     08:5b:0e:c1:07:65       419
4               survey-mode     08:5b:0e:4f:af:38       101
5               survey-mode     08:5b:0e:ce:59:40       2347
6               survey-mode     08:5b:0e:4f:af:44       0
7               survey-mode     08:5b:0e:c1:07:65       0
8               survey-mode     08:5b:0e:4f:af:38       80
9               survey-mode     08:5b:0e:ce:59:40       117
10              survey-mode     08:5b:0e:4f:af:44       0

    NOTE: The FortiSwitch unit creates an entry in the layer-3 database using the exact packet contents when they were parsed. If the MAC address is then assigned to a different VLAN, this change might not be detected immediately. If there is a discrepancy in the output for the diagnose switch network-monitor dump-l2-db and diagnose switch network-monitor dump-l3-db commands, use the output with the more recent time stamp.

    To see all detected devices from the layer-2 database, use the following command:

    diagnose switch network-monitor dump-l2-db

    mac 00:01:02:03:04:05 vlan 1

    created 19 secs ago, last seen 16 secs ago

    user JoE sources: eapol

    To see all detected devices from the IP address database, use the following command:

    diagnose switch network-monitor dump-l3-db

    mac 08:5b:0e:c1:07:65 ip 169.254.2.2 vlan 4094

    created 63614 secs ago, last seen 2 secs ago

    sources: arp ip

    mac 00:10:20:30:40:50 ip 10.10.10.111 vlan 123

    created 75 secs ago, last seen 45 secs ago

    sources: arp ip

    mac 00:11:22:33:44:55 ip 30.30.30.115 vlan 1

    created 53 secs ago, last seen 53 secs ago

    sources: dhcp arp ip

    Previous
    Next