Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiLink Guide

    Home FortiSwitch 7.4.5 FortiLink Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.6
    7.2.4
    7.2.1
    7.2.0

    Configuring FortiSwitch port mirroring

    Configuring FortiSwitch port mirroring

    The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

    Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have one RSPAN session or one ERSPAN session.

    In RSPAN mode, traffic is encapsulated in VLAN 4092 and sent toward the FortiGate device, where it can be captured using packet capture. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

    In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which is the device acting as an ERSPAN collector. The collector must be reachable by the FortiSwitch unit using IPv4 ICMP ping (NOTE: A firewall policy might be required on the FortiGate device.). If the collector IP address is not specified, the traffic is not mirrored.

    NOTE: ERSPAN cannot be used with SPAN or RSPAN.

    When you are using RSPAN or ERSPAN, the switch controller automatically configures a policer to limit the traffic. For example:

    config switch-controller traffic-policy

    edit "sniffer"

    set description "Rate control for sniffer mirrored traffic"

    set guaranteed-bandwidth 50000

    set guaranteed-burst 8192

    set maximum-burst 163840

    set cos-queue 0

    next

    end

    config system interface

    edit "rspan"

    set switch-controller-traffic-policy "sniffer"

    next

    end

    Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.

    To configure FortiSwitch port-based mirroring:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config mirror

    edit <mirror_name>

    set status {active | inactive} // Required

    set dst <port_name> // Required

    set switching-packet {enable | disable}

    set src-ingress <port_name>

    set src-egress <port_name>

    next

    end

    next

    In the following example, the ingress traffic from port2 and port3 and the egress traffic from port4 and port5 are mirrored to port1, where the traffic-monitoring device is connected.

    config switch-controller managed-switch

    edit S524DF4K15000024

    config mirror

    edit 2

    set status active

    set dst port1

    set switching-packet enable

    set src-ingress port2 port3

    set src-egress port4 port5

    next

    end

    next

    To configure FortiSwitch RSPAN:

    config switch-controller traffic-sniffer

    set mode rspan

    config target-mac

    edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

    set description <string>

    end

    config target-ip

    edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

    set description <string>

    end

    config target-port

    edit <FortiSwitch_serial_number>

    set description <string>

    set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

    set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

    end

    end

    In the following example, traffic matching any of the target-mac, target-ip, and target-port parameters is captured.

    To monitor the traffic on a FortiGate device, go to Network > Diagnostics > Packet Capture and capture the traffic on the “rspan” VLAN. The traffic can also be downloaded as a PCAP file. For more details, see Using the packet capture tool.

    config switch-controller traffic-sniffer

    set mode rspan

    config target-mac

    edit 00:00:00:aa:bb:cc

    set description MACtarget1

    end

    config target-ip

    edit 10.254.254.192

    set description IPtarget1

    end

    config target-port

    edit S524DF4K15000024

    set description PortTargets1

    set in-ports port5 port6 port7

    set out-ports port10

    end

    end

    To configure FortiSwitch ERSPAN:

    config switch-controller traffic-sniffer

    set mode erspan-auto

    set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

    config target-mac

    edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent from this MAC address

    set description <string>

    end

    config target-ip

    edit <xxx.xxx.xxx.xxx> // mirror traffic sent from this IPv4 address

    set description <string>

    end

    config target-port

    edit <FortiSwitch_serial_number>

    set description <string>

    set in-ports <portx porty portz ...> // mirror traffic sent to these ports

    set out-ports <portx porty portz ...> // mirror traffic sent from these ports

    end

    end

    For example:

    config switch-controller traffic-sniffer

    set mode erspan-auto

    set erspan-ip 10.255.12.201

    config target-mac

    edit 00:00:00:aa:bb:cc

    set description MACtarget1

    end

    config target-ip

    edit 10.254.254.192

    set description IPtarget1

    end

    config target-port

    edit S524DF4K15000024

    set description PortTargets1

    set in-ports port5 port6 port7

    set out-ports port10

    end

    end

    To disable FortiSwitch port mirroring:

    config switch-controller traffic-sniffer

    set mode none

    end

    Previous
    Next

    Configuring FortiSwitch port mirroring

    Configuring FortiSwitch port mirroring

    The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

    Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have one RSPAN session or one ERSPAN session.

    In RSPAN mode, traffic is encapsulated in VLAN 4092 and sent toward the FortiGate device, where it can be captured using packet capture. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

    In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which is the device acting as an ERSPAN collector. The collector must be reachable by the FortiSwitch unit using IPv4 ICMP ping (NOTE: A firewall policy might be required on the FortiGate device.). If the collector IP address is not specified, the traffic is not mirrored.

    NOTE: ERSPAN cannot be used with SPAN or RSPAN.

    When you are using RSPAN or ERSPAN, the switch controller automatically configures a policer to limit the traffic. For example:

    config switch-controller traffic-policy

    edit "sniffer"

    set description "Rate control for sniffer mirrored traffic"

    set guaranteed-bandwidth 50000

    set guaranteed-burst 8192

    set maximum-burst 163840

    set cos-queue 0

    next

    end

    config system interface

    edit "rspan"

    set switch-controller-traffic-policy "sniffer"

    next

    end

    Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.

    To configure FortiSwitch port-based mirroring:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config mirror

    edit <mirror_name>

    set status {active | inactive} // Required

    set dst <port_name> // Required

    set switching-packet {enable | disable}

    set src-ingress <port_name>

    set src-egress <port_name>

    next

    end

    next

    In the following example, the ingress traffic from port2 and port3 and the egress traffic from port4 and port5 are mirrored to port1, where the traffic-monitoring device is connected.

    config switch-controller managed-switch

    edit S524DF4K15000024

    config mirror

    edit 2

    set status active

    set dst port1

    set switching-packet enable

    set src-ingress port2 port3

    set src-egress port4 port5

    next

    end

    next

    To configure FortiSwitch RSPAN:

    config switch-controller traffic-sniffer

    set mode rspan

    config target-mac

    edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

    set description <string>

    end

    config target-ip

    edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

    set description <string>

    end

    config target-port

    edit <FortiSwitch_serial_number>

    set description <string>

    set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

    set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

    end

    end

    In the following example, traffic matching any of the target-mac, target-ip, and target-port parameters is captured.

    To monitor the traffic on a FortiGate device, go to Network > Diagnostics > Packet Capture and capture the traffic on the “rspan” VLAN. The traffic can also be downloaded as a PCAP file. For more details, see Using the packet capture tool.

    config switch-controller traffic-sniffer

    set mode rspan

    config target-mac

    edit 00:00:00:aa:bb:cc

    set description MACtarget1

    end

    config target-ip

    edit 10.254.254.192

    set description IPtarget1

    end

    config target-port

    edit S524DF4K15000024

    set description PortTargets1

    set in-ports port5 port6 port7

    set out-ports port10

    end

    end

    To configure FortiSwitch ERSPAN:

    config switch-controller traffic-sniffer

    set mode erspan-auto

    set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

    config target-mac

    edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent from this MAC address

    set description <string>

    end

    config target-ip

    edit <xxx.xxx.xxx.xxx> // mirror traffic sent from this IPv4 address

    set description <string>

    end

    config target-port

    edit <FortiSwitch_serial_number>

    set description <string>

    set in-ports <portx porty portz ...> // mirror traffic sent to these ports

    set out-ports <portx porty portz ...> // mirror traffic sent from these ports

    end

    end

    For example:

    config switch-controller traffic-sniffer

    set mode erspan-auto

    set erspan-ip 10.255.12.201

    config target-mac

    edit 00:00:00:aa:bb:cc

    set description MACtarget1

    end

    config target-ip

    edit 10.254.254.192

    set description IPtarget1

    end

    config target-port

    edit S524DF4K15000024

    set description PortTargets1

    set in-ports port5 port6 port7

    set out-ports port10

    end

    end

    To disable FortiSwitch port mirroring:

    config switch-controller traffic-sniffer

    set mode none

    end

    Previous
    Next