

Port mirroring

Hi there,

I want to deploy a monitoring server to visualize and monitor network traffic and behavior in the network.
Therefore I started trying to use iptables to configure (port) mirroring.

iptables -I POSTROUTING -t mangle ! -s 127.0.0.1 -j TEE --gateway 12.34.56.78
iptables -I PREROUTING -t mangle ! -s 127.0.0.1 -j TEE --gateway 12.34.56.78

Unfortunately, after adding these rules, high CPU utilization by the IDS (snort) process is observed. Nothing helpful can be found in the log files. Any other suggestions regarding mirroring traffic in user space or kernel space will be appreciated!

Regards,

Ilias.



  • Hi Luk,

    All traffic that is being processed (incoming and outgoing) should be copied/duplicated to another (monitoring) machine in the network. This should be done at the IP address level. Normally this could be established by using iptables and mangle/tee.

    Regards

    Ilias
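
An added example, not part of the original posts: a forwarded packet traverses both the mangle PREROUTING and mangle POSTROUTING hooks, so the two rules in the opening post clone each forwarded packet twice toward 12.34.56.78. The check below reads rules in `iptables-save` format and flags that overlap; the function names `audit_tee` and `sample_rules` and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads iptables-save text on stdin,
# lists every mangle-table TEE rule, and returns 1 when one gateway is fed
# from both PREROUTING and POSTROUTING (forwarded packets hit both hooks).
audit_tee() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*mangle" opens a table
        table == "mangle" && $1 == "-A" {
            gw = ""; is_tee = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "TEE") is_tee = 1
                if ($i == "--gateway") gw = $(i + 1)
            }
            if (is_tee && gw != "") {
                print "TEE " $2 " -> " gw
                seen[gw, $2] = 1
                gws[gw] = 1
            }
        }
        END {
            for (gw in gws)
                if (((gw, "PREROUTING") in seen) && ((gw, "POSTROUTING") in seen)) {
                    print "DOUBLE " gw ": forwarded packets are cloned at both hooks"
                    bad = 1
                }
            exit bad + 0
        }
    '
}

# Constructed sample: the two rules from the post as iptables-save prints them.
sample_rules() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -s 127.0.0.1/32 -j TEE --gateway 12.34.56.78
-A POSTROUTING ! -s 127.0.0.1/32 -j TEE --gateway 12.34.56.78
COMMIT
EOF
}

sample_rules | audit_tee || echo "same gateway mirrored at both hooks"
```

On a host where the rules are loaded, `iptables-save -t mangle | audit_tee` runs the same check against the live table.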
