This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port mirroring

Hi there,

Want to deploy a monitoring server to visualize and monitor network traffic and behavior in the network.
Therefore I started to try use iptables to configure (port) mirroring.

iptabes -I POSTROUTING -t mangle ! -s 127.0.0.1 -J TEE --gateway 12.34.56.78
iptabes -I PREROUTING -t mangle ! -s 127.0.0.1 -J TEE --gateway 12.34.56.78

Unfortunately by adding these rules a high CPU utilization by the IDS (snort) process is observed. Nothing helpful can be found in the log files. Any other suggestions regarding mirroring traffic in user space or kernel space will be appreciated!

Regards,

Ilias.

This thread was automatically locked due to age.

Parents

0 lferrara over 6 years ago

IeM,

XG can be deployed in TAP mode using wizard. Do not use custom commands like you did.

community.sophos.com/.../122971

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 IeM over 6 years ago in reply to lferrara

Hi,

That’s not for what I am looking for. That article describes to deploy XG in discover mode using a TAP interface with the specific goal: generate security reports from the XG.

I also read that I need to enable port mirroring on the switch. But doing that is not what I am looking for. Especially because switches with span/mirror ports always give ‘other’ traffic priority and this can lead to missing packets. Someting that’s very crucial when it becomes to mirroring.
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 6 years ago in reply to IeM

IeM, sorry but I did not understand the question.

Can you explain better your goal?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lferrara over 6 years ago in reply to IeM

IeM, sorry but I did not understand the question.

Can you explain better your goal?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 IeM over 6 years ago in reply to lferrara

Hi Luk,

All traffic that is being processed (in- and outgoing) should be copied/duplicated to another (monitoring) machine in the network. This should be done on IP address level. Normally this could be established by using iptables and mangle/tee.

Regards

Ilias
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 6 years ago in reply to IeM

Ok, so you wish to mirror traffic processed by XG to another appliance, correct?

This is not possible.

Please vote the feature request:

https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/13315812-decryption-port-mirroring

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 IeM over 6 years ago in reply to lferrara

Hi,

Thanks for pointing to the feature request.

But I keep this post open as:

- I am aware that it should be possible to arrange this in the mean time in user space (or probably kernel space);

- Feature request is almost two years open.

Regards,

Ilias.
Cancel
Vote Up 0 Vote Down

Cancel