SSL traffic mirroring
FortiADC supports mirroring packets (HTTPS/TCPS) to specified network interfaces. When the feature is enabled, the virtual server decrypts the SSL traffic and then mirrors it to the specified ports. See the following figures.
The feature supports both IPv4 and IPv6. FortiADC can send traffic to up to four outgoing interfaces, including aggregated and VLAN interfaces. Mirrored traffic is transmitted as a single packet stream, using the original client-side source and destination IP address and port numbers. The source and destination MAC addresses are 0 (zero) in mirrored traffic. The feature requires a virtual server set to Layer 7 or Layer 2, with a profile configured for HTTPS or TCPS. It is supported on all FortiADC platforms.
To configure SSL traffic mirroring
- Go to Virtual Server and, at the far right, click Create New. Traffic mirroring is only available in Advanced Mode, so click Advanced Mode.
- In the Basic tab, go to Type and set it to Layer 7.
- Then go to the General tab. Under Resources, go to Profile.
- Select either LB_PROF_HTTPS (not LB_PROF_HTTP, without the 's') or LB_PROF_TCPS.
- When you do this, the SSL Traffic Mirror tab appears to the right of General.
- Go to SSL Traffic Mirror and enable it.
- Click Save.
- Click Create New. Two options will drop down: Basic and Advanced.
Set the type to Layer 7.
Click on the Profile tab. It drops down to reveal a list of options. Choose only between LB_PROF_TCPS and LB_PROF_HTTPS.
The SSL Traffic Mirror tab appears.
Open it and enable traffic mirroring.
To enable this feature from the CLI, execute the following commands (replace <vs_name> with the name of the virtual server):
config load-balance virtual-server
    edit <vs_name>
        set ssl-mirror enable
        set ssl-mirror-intf port1 port2
    next
end
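Mirrored frames are decrypted and carry all-zero MACs with the original client IP addresses and ports, so a sensor on a mirror interface can verify the feed by those properties; the following is an added example, not FortiADC code, that parses such a frame (IPv4 or IPv6, TCP only) and rejects anything else. The frame builder and the sample request are constructed here for the check.

```python
import ipaddress
import struct
from typing import Optional

# FortiADC writes all-zero source and destination MACs into mirrored frames
# and keeps the client-side IP addresses and ports (stated on the page).
ZERO_MAC = b"\x00" * 6
TCP = 6

def parse_mirrored_frame(frame: bytes) -> Optional[dict]:
    """Return the client 5-tuple and decrypted payload of a mirror frame, or
    None for any other frame (non-zero MACs, non-IP ethertype, non-TCP)."""
    if len(frame) < 14 or frame[:6] != ZERO_MAC or frame[6:12] != ZERO_MAC:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == 0x0800 and len(l3) >= 20:            # IPv4
        ver, proto, hdr = 4, l3[9], (l3[0] & 0x0F) * 4
        src, dst = l3[12:16], l3[16:20]
    elif ethertype == 0x86DD and len(l3) >= 40:          # IPv6, no extension headers
        ver, proto, hdr = 6, l3[6], 40
        src, dst = l3[8:24], l3[24:40]
    else:
        return None
    l4 = l3[hdr:]
    if proto != TCP or len(l4) < 20:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    data_off = (l4[12] >> 4) * 4                         # TCP header length
    return {"ver": ver, "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "sport": sport,
            "dport": dport, "payload": l4[data_off:]}

def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes,
                mac: bytes = ZERO_MAC) -> bytes:
    """Construct a minimal Ethernet/IP/TCP frame for testing (checksums left zero)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if s.version == 4:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                         s.packed, d.packed)
        return mac + mac + b"\x08\x00" + ip + tcp
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(tcp), TCP, 64, s.packed, d.packed)
    return mac + mac + b"\x86\xdd" + ip + tcp

# Constructed sample: a decrypted HTTP request as it would appear on the mirror port.
SAMPLE = build_frame("203.0.113.10", "198.51.100.5", 51234, 443, b"GET /login HTTP/1.1\r\n")
```

Because the mirrored stream is plaintext, the interfaces given to ssl-mirror-intf should connect only to the monitoring sensor that consumes it.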