FortiLink Guide

Configuring the FortiOS one-arm sniffer

Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, you can use the FortiOS one-arm sniffer to configure a VLAN interface on a managed FortiSwitch unit as an intrusion detection system (IDS). The managed switch mirrors a copy of the traffic to that interface, where it is examined for matches to the configured security profiles. Matches are logged; the mirrored copy is then dropped by the FortiGate device and is never forwarded. Sniffing only reports on attacks; it does not deny or otherwise influence the original traffic, which continues to flow through the switch.

Traffic scanned on the FortiOS one-arm sniffer interface is processed in software by the CPU, so the one-arm sniffer might cause higher CPU usage and perform at a lower level than traditional inline scanning.

The absence of high CPU usage does not indicate the absence of packet loss. Packets might be lost when the mirroring capacity of the switch (the TAP) is saturated, or on the FortiGate device when a burst of traffic exceeds the kernel buffer size and packets are discarded before they are inspected. A dropped packet is never examined, so a quiet sniffer log is not proof that nothing was attacked; compare the mirrored volume with what the sniffer policy actually logs when you size the deployment.

To configure the FortiOS one-arm sniffer in the CLI:

1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode.

2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic.

3. Configure the FortiOS one-arm sniffer in a firewall policy.

4. Generate traffic on the client.

5. Review the logs for the sniffer policy.

1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode

You can mirror traffic in RSPAN or ERSPAN mode on a layer-2 VLAN. Specify which port on the managed switch is the mirroring source. in-ports mirrors frames entering that port, so with only in-ports configured the FortiGate device sees the client's outbound packets but not the replies that leave the switch through the same port; the sample logs at the end of this page show this as rcvdpkt=0 and rcvdbyte=0.

    config switch-controller traffic-sniffer
        set mode {rspan | erspan-auto}
        config target-port
            edit <FortiSwitch_serial_number>
                set in-ports <port_name>
            next
        end
    end

For example:

    config switch-controller traffic-sniffer
        set mode rspan
        config target-port
            edit S524DF4K15000024
                set in-ports port6
            next
        end
    end

2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic

After you enable ips-sniffer-mode on the interface, switch-controller-access-vlan and switch-controller-rspan-mode are enabled automatically and switch-controller-traffic-policy is set to sniffer, so the last three set commands below only make those defaults explicit.

    config system interface
        edit <interface_name>
            set ips-sniffer-mode enable
            set switch-controller-access-vlan enable
            set switch-controller-traffic-policy sniffer
            set switch-controller-rspan-mode enable
        next
    end

For example:

    config system interface
        edit rspan
            set ips-sniffer-mode enable
            set switch-controller-access-vlan enable
            set switch-controller-traffic-policy sniffer
            set switch-controller-rspan-mode enable
        next
    end

3. Configure the FortiOS one-arm sniffer in a firewall policy

Specify the same interface that you used in step 2. Enable each security profile that you want to apply and select the built-in sniffer-profile for it. All security profiles are disabled by default, so a profile that is not explicitly enabled is not applied to the sniffed traffic and produces no logs. logtraffic all logs every sniffed session, including sessions that matched nothing; logtraffic utm logs only sessions in which a security profile matched.

    config firewall sniffer
        edit <sniffer_ID>
            set logtraffic {all | utm}
            set interface <interface_name>
            set av-profile-status {enable | disable}
            set av-profile "sniffer-profile"
            set webfilter-profile-status {enable | disable}
            set webfilter-profile "sniffer-profile"
            set application-list-status {enable | disable}
            set application-list "sniffer-profile"
            set ips-sensor-status {enable | disable}
            set ips-sensor "sniffer-profile"
            set file-filter-profile-status {enable | disable}
            set file-filter-profile "sniffer-profile"
        next
    end

For example:

    config firewall sniffer
        edit 50
            set logtraffic all
            set interface rspan
            set av-profile-status enable
            set av-profile sniffer-profile
            set webfilter-profile-status enable
            set webfilter-profile sniffer-profile
            set application-list-status enable
            set application-list sniffer-profile
            set ips-sensor-status enable
            set ips-sensor sniffer-profile
            set file-filter-profile-status enable
            set file-filter-profile sniffer-profile
        next
    end

4. Generate traffic on the client

Send traffic from a client connected to the mirrored switch port (port6 in the step 1 example). Nothing is logged until mirrored traffic actually reaches the sniffer interface.

5. Review the logs for the sniffer policy

Sniffer logs are traffic logs with subtype="sniffer" and policytype="sniffer". To display them in the CLI:

    execute log display
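The five steps above combined into one end-to-end configuration, followed by the commands used to confirm that mirrored frames actually reach the sniffer interface before the logs are checked. This is an added example, not configuration from the Fortinet page: the names follow the page (switch S524DF4K15000024, source port6, VLAN interface rspan.17 on port11 with VLAN ID 4092, policy ID 1 as in the sample logs). It assumes that port11 is the FortiLink interface of the managed switch and that only IPS and application control are wanted. The diagnose sniffer packet and execute log filter commands are standard FortiOS commands, not something this page documents.

```text
# Step 1: mirror frames entering port6 of the managed switch (RSPAN mode).
config switch-controller traffic-sniffer
    set mode rspan
    config target-port
        edit S524DF4K15000024
            set in-ports port6
        next
    end
end

# Step 2: VLAN interface that receives the mirrored frames. port11 is assumed
# to be the FortiLink interface. ips-sniffer-mode makes it a one-arm sniffer;
# access-vlan, rspan-mode and the sniffer traffic policy are set automatically.
config system interface
    edit "rspan.17"
        set vdom root
        set interface port11
        set vlanid 4092
        set ips-sniffer-mode enable
    next
end

# Step 3: sniffer policy. Only the profiles you enable are applied, so enable
# just what is needed. logtraffic all also records sessions that matched nothing,
# which is what lets you confirm that traffic is being seen at all.
config firewall sniffer
    edit 1
        set interface "rspan.17"
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
        set application-list-status enable
        set application-list "sniffer-profile"
    next
end

# Step 4: generate traffic on the client behind port6, then confirm that mirrored
# frames arrive on the sniffer interface (the policy cannot log what the switch
# never delivers). Verbose level 4 prints the interface name with each packet;
# the capture stops after 10 packets.
diagnose sniffer packet rspan.17 'udp port 53' 4 10

# Step 5: show only the sniffer traffic logs.
execute log filter category traffic
execute log filter field subtype sniffer
execute log display
```

If the diagnose sniffer packet capture shows nothing while the client is generating traffic, the problem is upstream of the sniffer policy (mirror source port, RSPAN VLAN, or FortiLink trunk), and no amount of profile tuning will produce logs.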

Configuration example

The following example shows how a managed FortiSwitch unit mirrors traffic from a client and then sends the traffic to the FortiGate device for analysis. In this example, enable the FortiOS one-arm sniffer in the FortiOS CLI and then use the FortiOS GUI for the rest of the example.

  1. Enable the FortiOS one-arm sniffer.

    config system interface
        edit "rspan.17"
            set ips-sniffer-mode enable
            set vdom root
            set interface port11
            set vlanid 4092
        next
    end

  2. Go to Network > Interfaces.

  3. Select rspan.17 (under port11) and click Edit.

  4. Enable the security profiles that you want to use.

  5. Click OK.

  6. Generate traffic on the client.

  7. Go to Log & Report > Sniffer Traffic.

    The logs generated from the mirrored traffic are listed.

    In the FortiOS CLI, use the execute log display command to view the logs:

    784 logs found.

    10 logs returned.

    1: date=2023-07-31 time=16:28:13 eventtime=1690846092971957519 tz="-0700" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=51293 srcintf="rspan.17" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined" srccountry="Germany" dstcountry="United States" sessionid=784 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat" transip=0.0.0.0 transport=0 duration=180 sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow" countapp=1 sentdelta=70 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6" srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50" dstmac="04:d5:90:bf:f3:50" dstserver=0

    2: date=2023-07-31 time=16:27:39 eventtime=1690846059062169260 tz="-0700" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=37800 srcintf="rspan.17" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined" srccountry="Germany" dstcountry="United States" sessionid=782 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat" transip=0.0.0.0 transport=0 duration=180 sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow" countapp=1 sentdelta=70 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6" srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50" dstmac="04:d5:90:bf:f3:50" dstserver=0 utmref=0-6524

    3: date=2023-07-31 time=16:27:39 eventtime=1690846059062027560 tz="-0700" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=52702 srcintf="rspan.17" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined" srccountry="Germany" dstcountry="United States" sessionid=780 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat" transip=0.0.0.0 transport=0 duration=180 sentbyte=61 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow" countapp=1 sentdelta=61 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6" srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50" dstmac="04:d5:90:bf:f3:50" dstserver=0 utmref=0-6510
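Reading the sniffer logs by eye works for three records but not for 784. The following script is an added example, not code from the Fortinet page: it parses the key=value records that execute log display prints, keeps only genuine sniffer records (type=traffic, subtype=sniffer, policytype=sniffer, srcintf equal to dstintf, because the FortiGate never forwards the mirrored copy), flags records in which a security profile matched, and warns when every record has rcvdpkt=0, meaning only one direction of each flow is being mirrored. The sample output embedded in the script is constructed: records 1 and 2 are trimmed copies of the page's DNS records, record 3 is a constructed profile hit (the utmaction value "detected" is an assumption; the check is simply "anything other than allow"), and record 4 is a constructed forward-traffic record that a naive grep for the destination IP would wrongly count.

```python
"""Offline triage of FortiOS one-arm sniffer logs (added example, not Fortinet code).

Parses `execute log display` output, keeps only sniffer records, reports
security-profile hits and warns when the mirror delivers one direction only.
"""
import re
from collections import Counter

# Constructed sample modelled on the page's output (see the lead-in).
SAMPLE_LOG_OUTPUT = """\
784 logs found.
10 logs returned.
1: date=2023-07-31 time=16:28:13 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=51293 srcintf="rspan.17" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" sessionid=784 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0 app="DNS" appcat="Network.Service" utmaction="allow"
2: date=2023-07-31 time=16:27:39 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=37800 srcintf="rspan.17" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" sessionid=782 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0 app="DNS" appcat="Network.Service" utmaction="allow" utmref=0-6524
3: date=2023-07-31 time=16:27:40 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=40112 srcintf="rspan.17" dstip=96.45.45.45 dstport=80 dstintf="rspan.17" sessionid=783 proto=6 action="accept" policyid=1 policytype="sniffer" service="HTTP" sentbyte=512 rcvdbyte=0 sentpkt=4 rcvdpkt=0 app="HTTP" appcat="Web.Client" utmaction="detected" utmref=0-6530
4: date=2023-07-31 time=16:27:41 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.1.5 srcport=51000 srcintf="port3" dstip=96.45.45.45 dstport=53 dstintf="port11" sessionid=790 proto=17 action="accept" policyid=7 policytype="policy" service="DNS" sentbyte=70 rcvdbyte=130 sentpkt=1 rcvdpkt=1 app="DNS" utmaction="allow"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# `execute log display` prefixes every record with its index, e.g. "1: ".
_PREFIX_RE = re.compile(r"^\s*\d+:\s*")


def parse_record(line):
    """Turn one 'N: key=value ...' line into a dict; None for non-record lines."""
    line = _PREFIX_RE.sub("", line.strip())
    if "=" not in line:
        return None  # "784 logs found." and similar summary lines
    rec = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    return rec if "type" in rec else None


def parse_log_output(text):
    """All records in a block of `execute log display` output."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def is_sniffer_record(rec, interface=None):
    """True only for a record written by a sniffer policy on the sniffer interface."""
    if rec.get("type") != "traffic" or rec.get("subtype") != "sniffer":
        return False
    if rec.get("policytype") != "sniffer":
        return False
    # The mirrored copy is inspected and dropped, never forwarded, so
    # source and destination interface are both the sniffer VLAN.
    if rec.get("srcintf") != rec.get("dstintf"):
        return False
    return interface is None or rec.get("srcintf") == interface


def triage(records, interface=None):
    """Summarise sniffer records: counts, profile hits, one-direction warning."""
    sniffed = [r for r in records if is_sniffer_record(r, interface)]
    # Any utmaction other than "allow" means a security profile matched.
    hits = [r for r in sniffed if r.get("utmaction", "allow") != "allow"]
    # rcvdpkt=0 on every record: only the in-ports direction is mirrored.
    one_way = bool(sniffed) and all(r.get("rcvdpkt", "0") == "0" for r in sniffed)
    return {
        "sniffed": len(sniffed),
        "ignored": len(records) - len(sniffed),
        "hits": [(r["sessionid"], r["srcip"], r["dstip"], r["service"], r["utmaction"])
                 for r in hits],
        "by_app": Counter(r.get("app", "?") for r in sniffed),
        "one_way_only": one_way,
    }


if __name__ == "__main__":
    result = triage(parse_log_output(SAMPLE_LOG_OUTPUT), interface="rspan.17")
    print(f"{result['sniffed']} sniffer records, {result['ignored']} other records ignored")
    print("by app:", dict(result["by_app"]))
    for sid, src, dst, svc, act in result["hits"]:
        print(f"  HIT session {sid}: {src} -> {dst} {svc} utmaction={act}")
    if result["one_way_only"]:
        print("  WARNING: rcvdpkt=0 on every record; only one direction of each flow "
              "is mirrored (in-ports only), so signatures that need the reply cannot match")
```

The one-direction warning is the check worth keeping: an IDS that sees only client-to-server frames cannot match anything in the server's response (exploit payloads delivered in replies, command-and-control answers), and the only visible symptom is rcvdpkt=0 on every record, exactly as in the page's sample output.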