One-armed sniffer
A one-armed sniffer is a physical interface on the FortiGate unit configured as a one-arm intrusion detection system (IDS). Traffic received on the interface is examined for matches against the configured IPS sensor and application control list. Matches are logged, and all received traffic is then dropped; the sniffer interface never forwards it. Sniffing only reports on attacks. It does not block or otherwise influence the live traffic on the network, so it cannot act as an IPS.
Using the one-arm sniffer, you can configure a FortiGate unit to operate as an IDS appliance by sniffing a copy of the network traffic for attacks without forwarding or otherwise processing the packets. To configure one-arm IDS, enable sniffer mode on a FortiGate interface and connect that interface to a hub or to the SPAN (mirror) port of the switch that carries the traffic you want to inspect.
To assign an interface as a sniffer interface, go to System > Network > Interface, edit the interface and select One-Arm Sniffer.
If the check box is not available, the interface is in use. Ensure that the interface is not selected in any firewall policies, routes, virtual IPs or other features in which a physical interface is specified.
Enable Filters: Select to include filters that define a more granular sniff of network traffic. You can filter on specific addresses, ports, VLANs and protocols. In all cases, enter a number, or a number range, for the filter type. For Protocol values, the standard IP protocol numbers are:
- UDP – 17
- TCP – 6
- ICMP – 1
Include IPv6 Packets: If your network runs a combination of IPv4 and IPv6 addressing, select this to sniff both address families. Otherwise, the FortiGate unit sniffs IPv4 traffic only.
Include Non-IP Packets: Select this to also inspect frames that do not carry IP, for a more thorough scan of the traffic.
UTM Security Profiles: IPS sensors and application control lists let you select the specific attack signatures and applications you want to identify within the sniffed traffic.
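The same setup can be done from the CLI, which is useful when you want the sniffer, its filters and its logging settings in a reviewable, scriptable form. The following is an added example, not configuration taken from the original page or from Fortinet. It assumes the FortiOS 5.x CLI syntax (config system interface with ips-sniffer-mode, and config firewall sniffer), a hypothetical interface "port3" cabled to the switch SPAN port, the built-in "default" IPS sensor and application list, and the constructed filter values shown; the exact field names and the accepted host/port/vlan formats should be confirmed against the CLI reference for the firmware in use. The # lines are explanatory for the reader and are not part of what you would paste into the CLI.

```fortios
# Added example, not from the original page. Assumed FortiOS 5.x CLI syntax;
# "port3" is a hypothetical interface connected to a switch SPAN port.

# Step 1: put the interface into one-arm sniffer mode. This is the CLI
# equivalent of the One-Arm Sniffer check box and fails for the same reason
# the check box is greyed out: the interface must not be referenced by any
# policy, route, virtual IP or other object.
config system interface
    edit "port3"
        set ips-sniffer-mode enable
    next
end

# Step 2: create the sniffer policy that says what to match and which
# profiles to run against the copied traffic.
config firewall sniffer
    edit 1
        set status enable
        set interface "port3"
        # Log every matched session, not only IPS/application hits, so the
        # sniffer output also reaches whatever log destination is configured.
        set logtraffic all
        # Address-family scope: IPv6 is off by default, as is non-IP.
        set ipv6 enable
        set non-ip enable
        # Optional filters (Enable Filters in the GUI). Values are numbers or
        # ranges; these are constructed examples (RFC 5737 documentation net).
        set host "192.0.2.0/24"
        set port "80"
        set vlan "100"
        set protocol "6"
        # UTM Security Profiles: protocol 6 is TCP (17 = UDP, 1 = ICMP).
        set ips-sensor-status enable
        set ips-sensor "default"
        set application-list-status enable
        set application-list "default"
    next
end
```

After committing, confirm the interface shows as a sniffer under System > Network > Interface and that IPS or application control log entries appear for traffic mirrored to port3; if nothing is logged, check the SPAN session on the switch before suspecting the sensor, since the FortiGate only ever sees what the switch copies to it.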
Hello Dear,
I would like to know if the one-arm sniffer works with VDOM mode. For example, I have one Fortigate Firewall 3950B with four VDOMs, but I am not able to assign one interface to a specific VDOM.
Sincerely,
Francisco Marques.
How do I send syslog messages for any traffic received on the sniffer port?