Network Tap (SPAN port) on FortiGate 100D (FortiOS 4.0MR3)

fortigatefortinetnetworkingport-mirroring

I'm dealing with a FortiGate 100D for the first time, and am scratching my head as there doesn't seem to be an easy way to mirror ports in the switch; which is really a facility that I presumed it would provide.

Ideally, I want to mirror one (or more) ports to another port, so that I can track the traffic that is flowing through it.

i.e.

mirror WAN1 to an internal port
mirror an internal port to a different internal port
etc.

I could do it with a passive network tap, of course; but it seems really strange to me that the 100D doesn't seem to expose an easy way to do this.

I'm new to the hardware/FortiOS, though — so possibly I am simply missing something obvious.

Many thanks if someone can point me in the direction of how to set this up on FortiOS/FortiGate.

Best Answer

From the FortiOS CLI reference, under system > switch-interface:

config system switch-interface
  edit <group_name>
    set member <iflist>
    set span {enable | disable}
    set span-dest-port <portnum>
    set span-direction {rx | tx | both}
    set span-source-port <portlist>
    set type {hub | switch | hardware-switch}
    set vdom <vdom_name>
  end

Related Solutions

10GbE sfp+ cross over cable required? Is there such a thing

The "crossover" is already built in to these cables. When working with cables like these you don't have a concept of a DTE side and DCE side as you do with ethernet cables. On a typical ethernet cable the DTE(terminal) side will have transmit on pins 1 and 2, with receive on pins 3 and 6. The DCE(switch) side or the other end of that cable will be flipped with transmit on 3 and 6 and receive on 1 and 2. These direct attach cables are built with the transmit of one side built already connected to the receive of the other.

Firewall – Fortinet multiple WAN IP to several ports

I am assuming you want to continue to address your VPN gateway on IP address 1.1.1.1 as you do not want to make changes to every single client configuration. If this is the case, then you will have to use port-forwarding to forward traffic to the VPN device. The example below is for forwarding IPsec (UDP/500), but you can adapt it to forward SSL, etc. Note, your VPN appliance may also need to have NAT-T enabled in order for IKE traffic to traverse the firewall.

The below example assumes you have your VPN appliance plugged into one of the firewall's internal switch ports, but you can adapt the interface names as necessary (I have not tested this configuration).

interface configuration

config system interface
    edit "wan1"
        set ip 1.1.1.1 255.255.255.248
        ...
    next
    ...
    edit "internal"
        set ip 192.168.1.254 255.255.255.0
        ...
    next
end

default route

config router static
    edit XX
        set device "wan1"
        set gateway 1.1.1.6 #your Internet gateway IP
    next
    ...
end

port forward VIP

config firewall vip
    edit "VIP_IPsec"
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.1 #internal IP assigned to your RV082
        set protocol udp
        set extport 500
        set mappedport 500
    next
    ...
end

port forward firewall policy

config firewall policy
    edit XX
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "ip_192.168.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit XX
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_IPsec"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    ...
end

Once you do this, in theory the firewall will forward all requests on 1.1.1.1:500 to the VPN appliance and the reverse traffic will be NATed out of 1.1.1.1.

See how you go with that..

-- ab1

P.S. Not sure if you considered this, but your Fortigate firewall arguably has a more advanced VPN capability than the Linksys appliance and it might make sense to migrate..