
Administration Guide

Configuring traffic mirror

In Reverse Proxy and True Transparent Proxy modes, you can configure FortiWeb to send traffic to third party IPS/IDS devices through network interfaces for traffic monitoring.

In Reverse Proxy mode, traffic mirror on both virtual server and real server are supported; while in True Transparent Proxy mode, only traffic mirror of virtual server is supported.

Traffic mirror supports three IDS/IPS topologies:

  • The IDS/IPS is connected directly to a physical port of FortiWeb;
  • The IDS/IPS is connected to FortiWeb through a switch (the destination MAC address is required);
  • The IDS/IPS is reached over the network (the IDS/IPS operates in server mode).

Accordingly, three modes for traffic mirror are available:

  • Direct mode
  • Switch mode
  • Server mode

Enabling traffic mirror

Before you can begin configuring traffic mirror, you have to enable it. By default, traffic mirror is disabled.

To enable traffic mirror
  1. Go to System > Config > Feature Visibility.
     To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see "Permissions" on page 1.
  2. Enable Traffic Mirror.
  3. Click Apply.

Creating a traffic mirror rule

To create a traffic mirror rule

If traffic mirror is not enabled in Feature Visibility, you must enable it before you can create a traffic mirror rule. To enable traffic mirror, go to System > Config > Feature Visibility and enable Traffic Mirror.

  1. Go to Server Objects > Traffic Mirror.
     To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see "Permissions" on page 1.
  2. Click Create New.
  3. Enter a name that can be referenced by other parts of the configuration for the policy.
  4. Click OK.
  5. Click Create New.
  6. Configure these settings:
     Mode: Three modes are available:
       • Direct: the mirrored packets are sent directly to the IPS/IDS device.
       • Switch: the mirrored packets are sent to the IPS/IDS device through the switch.
       • Server: the mirrored packets are sent to the designated IP address of the IPS/IDS device.
     Depending on the mode, configure the following settings:
     Interface: For Direct mode, select the FortiWeb port that connects to the IPS/IDS device. For Switch mode, select the FortiWeb port that connects to the switch.
     Destination MAC: Switch mode only. Type the MAC address of the IPS/IDS interface to which FortiWeb sends the mirrored traffic.
     Server IP: Server mode only. Enter the designated IP address of the IPS/IDS device.
     Server Port: Server mode only. Enter the HTTP port on which the IPS/IDS device listens.
  7. Click OK.
     A traffic mirror policy can contain multiple rules.

Configuring a traffic mirror policy

To apply a traffic mirror policy to a server policy

  1. Go to Policy > Server Policy.
  2. In the Network Configuration section, enable Traffic Mirror.
  3. Configure these settings:
     Traffic Mirror Policy: Select the traffic mirror policy you created; it determines which mirror rules apply to the connection.
     Traffic Mirror Type: In True Transparent Proxy mode, only the Client Side type is available, which sends only traffic from the client side to the IPS/IDS devices.
     In Reverse Proxy mode:
       • Client Side: only traffic from the client side is sent to the IPS/IDS devices.
       • Server Side: only traffic from the server side is sent to the IPS/IDS devices.
       • Client and Server: traffic from both the client and server sides is sent to the IPS/IDS devices.
  4. Click OK.
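The rule and policy settings above have dependencies that the web UI enforces by hand: each mirror mode needs its own fields (Interface for Direct, Interface plus Destination MAC for Switch, Server IP plus Server Port for Server), and the Traffic Mirror Type a server policy may use depends on the operation mode (True Transparent Proxy allows only Client Side; Reverse Proxy allows all three). The following validator is an added example written for this guide, not FortiWeb code and not any FortiWeb API; the class and field names (`MirrorRule`, `MirrorPolicy`, `validate_rule`, `validate_policy`, the mode and type strings) and the sample rules are assumptions chosen to model the settings described in the two procedures. It lets a config-as-code pipeline reject inconsistent mirror settings before they are pushed to a device.

```python
"""Pre-flight validator for FortiWeb-style traffic mirror settings.

Hypothetical helper written for this guide; it is not FortiWeb code and
does not use any FortiWeb API. It encodes the mode-dependent field rules
from the procedures above so that a config-as-code pipeline can reject a
rule or policy that the web UI would also refuse, before it is pushed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Colon-separated MAC address, e.g. 00:11:22:aa:bb:cc
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Mirror types each operation mode accepts (from the guide): True Transparent
# Proxy mirrors only the client side; Reverse Proxy can mirror client side,
# server side, or both. Mode and type names are assumed labels.
ALLOWED_MIRROR_TYPES = {
    "reverse-proxy": {"client", "server", "client-and-server"},
    "true-transparent-proxy": {"client"},
}


@dataclass
class MirrorRule:
    mode: str                              # "direct", "switch" or "server"
    interface: Optional[str] = None        # FortiWeb port (Direct and Switch)
    destination_mac: Optional[str] = None  # IPS/IDS interface MAC (Switch only)
    server_ip: Optional[str] = None        # IPS/IDS address (Server only)
    server_port: Optional[int] = None      # HTTP port IPS/IDS listens on (Server only)


@dataclass
class MirrorPolicy:
    name: str
    rules: list = field(default_factory=list)


def validate_rule(rule: MirrorRule) -> list:
    """Return a list of problems; an empty list means the rule is consistent."""
    errors = []
    if rule.mode == "direct":
        if not rule.interface:
            errors.append("Direct mode requires an Interface")
    elif rule.mode == "switch":
        if not rule.interface:
            errors.append("Switch mode requires an Interface")
        if not rule.destination_mac:
            errors.append("Switch mode requires a Destination MAC")
        elif not MAC_RE.match(rule.destination_mac):
            errors.append(f"malformed Destination MAC: {rule.destination_mac!r}")
    elif rule.mode == "server":
        if not rule.server_ip:
            errors.append("Server mode requires a Server IP")
        else:
            try:
                ipaddress.ip_address(rule.server_ip)
            except ValueError:
                errors.append(f"malformed Server IP: {rule.server_ip!r}")
        if rule.server_port is None:
            errors.append("Server mode requires a Server Port")
        elif not 1 <= rule.server_port <= 65535:
            errors.append(f"Server Port out of range: {rule.server_port}")
    else:
        errors.append(f"unknown mode: {rule.mode!r}")
    # Fields that belong to another mode are not used by this one; flagging
    # them catches copy-paste mistakes between rules.
    if rule.mode != "switch" and rule.destination_mac:
        errors.append("Destination MAC is only used in Switch mode")
    if rule.mode != "server" and (rule.server_ip or rule.server_port is not None):
        errors.append("Server IP/Port are only used in Server mode")
    return errors


def validate_policy(operation_mode: str, mirror_type: str, policy: MirrorPolicy) -> list:
    """Check a server policy's mirror settings plus every rule the policy holds."""
    errors = []
    allowed = ALLOWED_MIRROR_TYPES.get(operation_mode)
    if allowed is None:
        errors.append(f"traffic mirror is not supported in {operation_mode!r}")
    elif mirror_type not in allowed:
        errors.append(f"mirror type {mirror_type!r} not allowed in {operation_mode}")
    if not policy.rules:
        errors.append(f"policy {policy.name!r} has no rules")
    for i, rule in enumerate(policy.rules):
        errors.extend(f"rule {i}: {e}" for e in validate_rule(rule))
    return errors


# Constructed sample policy with one rule per mode; not from a real device.
SAMPLE_POLICY = MirrorPolicy("ids-mirror", [
    MirrorRule("direct", interface="port3"),
    MirrorRule("switch", interface="port4", destination_mac="00:11:22:aa:bb:cc"),
    MirrorRule("server", server_ip="10.0.0.50", server_port=8080),
])

if __name__ == "__main__":
    for op_mode, m_type in [("reverse-proxy", "client-and-server"),
                            ("true-transparent-proxy", "server")]:
        print(op_mode, m_type, validate_policy(op_mode, m_type, SAMPLE_POLICY) or "OK")
```

Run as a script, the first combination passes and the second is rejected because True Transparent Proxy mode cannot mirror the server side. The cross-mode checks at the end of `validate_rule` go slightly beyond the guide: they treat a Destination MAC on a Direct rule, or a Server IP on a Switch rule, as a configuration error rather than leaving the stray field to be ignored.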
