Port mirror or SPAN over GRE

FastNetMon has extremely solid support for port mirror capture, but a standard port mirror or SPAN is complicated to operate without direct connectivity between FastNetMon and the routers.

In this case, a sampled or unsampled port mirror over GRE may be extremely helpful.

GRE unpacking must be enabled explicitly, and only when you can guarantee that your environment is safe. Automatic GRE stripping has security implications: an attacker may send GRE-encapsulated traffic that carries private addresses or your own IP addresses inside, and in that case FastNetMon will not be able to identify the attack properly.

sudo fcli set main af_packet_extract_tunnel_traffic enable
sudo fcli commit

After this, you will need to send the port mirror / SPAN over GRE to FastNetMon’s IP address. We recommend using a separate interface (with an increased MTU) rather than the management interface, to avoid conflicts and potential issues.

Also, please keep in mind that GRE adds encapsulation headers to every packet, so mirrored traffic will exceed 1500 bytes on the wire. Therefore, you need to be sure that every router on the path between your routers and FastNetMon will pass such a large MTU.

We have many successful deployments using Juniper’s capability to send a port mirror over GRE, and any other vendor using standard GRE encapsulation will work fine as well.

In addition to a 1:1 port mirror over GRE, you may consider a sampled version of it, which significantly reduces the CPU load on the machine running FastNetMon and dramatically decreases the bandwidth required between the router and FastNetMon. You may start with a sampling rate such as 1:1024, a very safe option that still offers great accuracy and extremely fast attack detection.

As a sampled port mirror over GRE has no way to encode the sampling rate in the packets themselves, you need to set it manually using the following flags:

sudo fcli set main mirror_af_external_packet_sampling enable
sudo fcli set main mirror_external_af_packet_sampling_rate 1000
sudo fcli commit

If you run a sampled port mirror, you must have a separate interface for it, and you need to ensure that you do not capture traffic from the management interface.

Such a setup will be extremely dangerous, as all traffic over the management interface (for example, downloading a file) will be multiplied by the sampling rate, which is 1000, and this will trigger a false positive attack detection.
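The three points above (stripping the outer IPv4 + GRE layer, the extra bytes it adds on the wire, and scaling by the sampling rate) in one added example. This is illustrative code written for this page, not FastNetMon's own tunnel-extraction logic; the allowed mirror source 192.0.2.1, the sample addresses and the frame builder are constructed assumptions, and the allow-list check models the caveat that GRE should only be unpacked from trusted sources.

```python
import ipaddress
import struct

# Assumptions for this constructed example: the routers allowed to send mirrored GRE
# traffic, and the sampling rate set with mirror_external_af_packet_sampling_rate above.
MIRROR_SOURCES = {ipaddress.ip_address("192.0.2.1")}
SAMPLING_RATE = 1000
GRE_PROTO, ETHERTYPE_IPV4 = 47, 0x0800

def ipv4_header(src, dst, proto, total_len):
    # Minimal IPv4 header: no options, zero checksum (constructed test data only).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def build_mirrored_frame(outer_src, outer_dst, inner_src, inner_dst, payload_len):
    # What the router emits: outer IPv4 (20 B) + GRE (4 B, no C/K/S) + the mirrored packet.
    inner = ipv4_header(inner_src, inner_dst, 6, 20 + payload_len) + b"\0" * payload_len
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, 20 + len(gre) + len(inner)) + gre + inner

def gre_header_len(flags):
    # RFC 2784/2890: 4-byte base plus 4 bytes each for checksum (C), key (K), sequence (S).
    return 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)

def unwrap_gre(frame, allowed_sources=MIRROR_SOURCES):
    """Strip outer IPv4 + GRE; return (inner_src, inner_dst, inner_len, overhead_bytes).

    Non-GRE frames and GRE from unknown outer sources are rejected: otherwise anyone who
    can reach the collector could inject inner packets carrying arbitrary addresses."""
    if frame[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    outer_src = ipaddress.ip_address(frame[12:16])
    if outer_src not in allowed_sources:
        raise ValueError(f"GRE from unexpected source {outer_src}")
    gre = frame[(frame[0] & 0x0F) * 4:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    inner = gre[gre_header_len(flags):]
    inner_len = struct.unpack("!H", inner[2:4])[0]
    src, dst = (str(ipaddress.ip_address(inner[i:i + 4])) for i in (12, 16))
    return src, dst, inner_len, len(frame) - inner_len

def scaled_bytes(inner_len, sampling_rate=SAMPLING_RATE):
    # With a 1:N sampled mirror each captured byte stands for N on the wire, which is why
    # stray management-interface traffic, if captured, looks N times larger than it is.
    return inner_len * sampling_rate
```

A full-size 1500-byte mirrored packet comes out as a 1524-byte GRE frame, which is the MTU increase the text asks you to verify on the path.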