CLI Reference

server policy traffic mirror

server policy traffic-mirror

Use this command to configure FortiWeb to copy traffic to third-party IPS/IDS devices through its network interfaces for out-of-band monitoring. Traffic mirroring is supported in Reverse Proxy and True Transparent Proxy operation modes.

See system feature-visibility for how to enable traffic mirror first.

Syntax

config server-policy traffic-mirror
    edit "<traffic-mirror_name>"
        config mirror-rule
            edit mirror-rule <mirror-rule_str>
                set mode {direct | switch | server}
                set interface <interface_int>
                set destination-mac <destination-mac_str>
                set server-ip <server-ip_str>
                set server-port <server-port_int>
            next
        end
    next
end

Variable / Description / Default

"<traffic-mirror_name>"
  Enter a name for the traffic mirror policy.
  Default: none.

mirror-rule <mirror-rule_str>
  Enter the sequence number of the mirror rule to create or edit.
  Default: none.

mode {direct | switch | server}
  Select one of the three modes:
  • direct: the mirrored packets are sent directly to the IPS/IDS device over the selected FortiWeb port.
  • switch: the mirrored packets are sent to the IPS/IDS device through a switch, addressed to the configured destination MAC.
  • server: the mirrored packets are sent to the designated IP address and port of the IPS/IDS device.
  Default: direct.

interface <interface_int>
  When the mode is direct, select the FortiWeb port that connects to the IPS/IDS device.
  When the mode is switch, select the FortiWeb port that connects to the switch.
  Default: none.

destination-mac <destination-mac_str>
  Type the MAC address of the IPS/IDS interface that receives the mirrored traffic from FortiWeb. Available only when mode {direct | switch | server} is switch.
  Default: none.

server-ip <server-ip_str>
  Enter the designated IP address of the IPS/IDS device. Available only when mode {direct | switch | server} is server.
  Default: none.

server-port <server-port_int>
  Enter the HTTP port on which the IPS/IDS device listens for the mirrored traffic. Available only when mode {direct | switch | server} is server.
  Default: none.

Example

This example configures a traffic mirror policy.

config server-policy traffic-mirror
    edit policy1
        config mirror-rule
            edit 2
                set mode direct
                set interface port1
        end
    next
end
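The variable table above ties each setting to a mode: interface is used by direct and switch, destination-mac only by switch, and server-ip/server-port only by server. The following Python script is an added example, not Fortinet code or output from a FortiWeb device; it encodes those dependencies as a pre-deployment check and renders the resulting CLI block in the same shape as the example above (including the `edit 2` / `set interface port1` values from the page). The colon-separated MAC format, the 1-65535 port range and the sample MAC/IP values are this script's own assumptions, not statements from the reference.

```python
"""Render and sanity-check FortiWeb 'server-policy traffic-mirror' CLI blocks.

Added example: the per-mode field rules follow the variable table in the
reference; MAC format and port range checks are assumptions of this script.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

VALID_MODES = ("direct", "switch", "server")
# Assumption: destination-mac is written in colon-separated form.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class MirrorRule:
    index: int                              # sequence number used by "edit <n>"
    mode: str                               # direct | switch | server
    interface: Optional[str] = None         # direct and switch modes
    destination_mac: Optional[str] = None   # switch mode only
    server_ip: Optional[str] = None         # server mode only
    server_port: Optional[int] = None       # server mode only

    def validate(self) -> List[str]:
        """Return problems found; an empty list means the rule matches the table."""
        tag = f"mirror-rule {self.index}"
        errs: List[str] = []
        if self.mode not in VALID_MODES:
            return [f"{tag}: unknown mode {self.mode!r}"]
        # Fields each mode requires.
        if self.mode in ("direct", "switch") and not self.interface:
            errs.append(f"{tag}: mode {self.mode} requires interface")
        if self.mode == "switch":
            if not self.destination_mac:
                errs.append(f"{tag}: mode switch requires destination-mac")
            elif not MAC_RE.match(self.destination_mac):
                errs.append(f"{tag}: destination-mac {self.destination_mac!r} is not a MAC address")
        if self.mode == "server":
            if not self.server_ip:
                errs.append(f"{tag}: mode server requires server-ip")
            else:
                try:
                    ipaddress.ip_address(self.server_ip)
                except ValueError:
                    errs.append(f"{tag}: server-ip {self.server_ip!r} is not an IP address")
            if self.server_port is None:
                errs.append(f"{tag}: mode server requires server-port")
            elif not 1 <= self.server_port <= 65535:  # assumption: TCP port range
                errs.append(f"{tag}: server-port {self.server_port} out of range")
        # Fields the table marks as available only in another mode.
        if self.mode != "switch" and self.destination_mac:
            errs.append(f"{tag}: destination-mac is only available in switch mode")
        if self.mode != "server" and (self.server_ip or self.server_port is not None):
            errs.append(f"{tag}: server-ip/server-port are only available in server mode")
        if self.mode == "server" and self.interface:
            errs.append(f"{tag}: interface is only used in direct and switch modes")
        return errs

    def render(self) -> List[str]:
        """CLI lines for this rule, in the order the syntax section lists them."""
        lines = [f"edit {self.index}", f"    set mode {self.mode}"]
        if self.interface:
            lines.append(f"    set interface {self.interface}")
        if self.destination_mac:
            lines.append(f"    set destination-mac {self.destination_mac}")
        if self.server_ip:
            lines.append(f"    set server-ip {self.server_ip}")
        if self.server_port is not None:
            lines.append(f"    set server-port {self.server_port}")
        lines.append("next")
        return lines


def render_policy(name: str, rules: List[MirrorRule]) -> str:
    """Full config block for one policy; raises ValueError if any rule is inconsistent."""
    problems = [p for r in rules for p in r.validate()]
    if problems:
        raise ValueError("; ".join(problems))
    out = ["config server-policy traffic-mirror",
           f'    edit "{name}"',
           "        config mirror-rule"]
    for r in rules:
        out.extend("            " + line for line in r.render())
    out += ["        end", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample: one rule per mode. MAC, IP and port values are made up.
    rules = [
        MirrorRule(1, "direct", interface="port1"),
        MirrorRule(2, "switch", interface="port2", destination_mac="00:11:22:33:44:55"),
        MirrorRule(3, "server", server_ip="192.0.2.10", server_port=8080),
    ]
    print(render_policy("policy1", rules))
    print(MirrorRule(4, "switch", interface="port3").validate())
```

Running the script prints the three-rule policy block and then the single complaint for rule 4, which names switch mode without a destination-mac; a rule that sets server-ip in direct mode is reported the same way, so a mis-pasted configuration is caught before it reaches the appliance.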

Related topics