By Manny Fernandez
February 3, 2021
Port Mirroring on FortiLink’d FortiSwitch
Customer Use Case: The customer runs a UCaaS voice solution. They want to record phone calls for wire transfers so they can go back to the recording in case of any discrepancies.
Environment: Small bank with multiple branches. Each branch has a FortiGate 30E and a minimum of 3 FortiSwitches. The customer uses Layer 2 MetroEthernet as their main Internet and intra-office communication medium, with broadband for fail-over Internet access and fail-over access to the datacenter over route-based VPNs. OSPF runs across both the ME and the VPN.
Customer needed to be able to mirror the traffic from their “wires” department to a Voice recording solution on-prem.
Enter the switch configuration for the FortiSwitch managed by the FortiGate (the serial number has been obscured to protect the innocent).
This configuration is only available via the command line.
config switch-controller managed-switch
    edit "S248EFTXXXXXXX2"
Now we will configure the specifics of what we want to mirror.
Enter the mirror configuration mode by typing config mirror, then create a new instance name with edit (similar to a session on Cisco IOS) and set the destination and source ports:
        set dst port8
        set src-ingress port31 port18 port19 port36
        set src-egress port31 port18 port19 port36
        set status active
As you can see above, we are going to mirror ports 18, 19, 31 and 36 to port 8 (both ingress and egress traffic on the source ports).
Make sure you type end until you are returned to the default prompt to ensure your work is saved.
Limitation:
Currently, there is no way to choose an entire VLAN as the source, which I would like to see Fortinet add as a feature. It should not be an overhead issue, since all we are doing is copying each packet to a second port in addition to the port matching the destination MAC address, so I think it is just an oversight.
I wrote a previous post showing how to do this in the Cisco switches.
Here is the finished config:
miami-fw-01 (voice-mirror) # show
config mirror
    edit "voice-mirror"
        set status active
        set dst "port8"
        set src-ingress "port31" "port18" "port19" "port36"
        set src-egress "port31" "port18" "port19" "port36"
    next
end
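As an added example (not from the original post), here is a small Python script that parses the show output above and checks the session against the intended port set, so the mirror session on each branch can be audited for drift: an extra source port or a changed destination on a mirror session sends more call traffic, or sends it somewhere other than the recorder, than intended. The sample text is constructed from the post's own port names, and the parser only handles the FortiOS config/edit/set/next/end layout shown here.

```python
import shlex

# Constructed sample: the "show" output of the mirror session from the post.
SHOW_OUTPUT = """\
config mirror
    edit "voice-mirror"
        set status active
        set dst "port8"
        set src-ingress "port31" "port18" "port19" "port36"
        set src-egress "port31" "port18" "port19" "port36"
    next
end
"""


def parse_mirrors(text):
    """Parse a FortiOS 'config mirror' block into {name: {setting: [values]}}."""
    mirrors, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # strips the quotes around port names
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = tokens[1]
            mirrors[current] = {}
        elif tokens[0] == "set" and current is not None:
            mirrors[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return mirrors


def audit_mirror(mirror, expected_src, expected_dst):
    """Return a list of findings; an empty list means the session matches intent."""
    findings = []
    if mirror.get("status") != ["active"]:
        findings.append("session is not active")
    dst = mirror.get("dst", [])
    if dst != [expected_dst]:
        findings.append(f"destination is {dst}, expected {expected_dst}")
    for direction in ("src-ingress", "src-egress"):
        src = set(mirror.get(direction, []))
        if src != set(expected_src):
            findings.append(f"{direction} ports {sorted(src)} differ from intent {sorted(expected_src)}")
        if expected_dst in src:  # a port mirrored to itself is a misconfiguration
            findings.append(f"destination {expected_dst} also listed in {direction}")
    return findings


if __name__ == "__main__":
    session = parse_mirrors(SHOW_OUTPUT)["voice-mirror"]
    print(audit_mirror(session, ["port18", "port19", "port31", "port36"], "port8") or "OK")
```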
Hope this helps.