FastNetMon has very solid support for port mirror capture, but standard port mirror or SPAN is hard to operate without a direct link between FastNetMon and your routers.
In that case sampled or unsampled port mirror over GRE can be very helpful.
It can be enabled with the following commands:
sudo fcli set main af_packet_use_new_generation_parser enable
sudo fcli commit
These commands enable our new generation network parser, which has solid support for GRE.
Then you need to explicitly enable GRE unpacking, and you should do so only when you can guarantee that your environment is safe. Automatic GRE stripping has security implications: an attacker can use GRE as an attack vector by sending packets that carry private addresses or your own IP addresses inside the tunnel, and FastNetMon will not be able to identify this properly because the inner packet looks like ordinary mirrored traffic. At minimum, restrict inbound GRE (IP protocol 47) on the FastNetMon host to the addresses of the routers that actually send the mirror.
sudo fcli set main af_packet_extract_tunnel_traffic enable
sudo fcli commit
Then you need to send the port mirror / SPAN over GRE to FastNetMon's IP address. We recommend using a dedicated interface (with an increased MTU), separate from the management interface, for this purpose to avoid conflicts and other issues.
Also keep in mind that GRE adds encapsulation headers (an outer IP header plus the GRE header) to every packet, so mirrored traffic will exceed 1500 bytes; make sure every device on the path between your routers and FastNetMon passes frames of that size, otherwise the mirrored packets will be fragmented or dropped.
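The following is an added example, not FastNetMon's own code, that shows what GRE unpacking has to do with a mirrored frame and why it is only safe for trusted senders: it strips Ethernet, the outer IPv4 header and GRE (handling the optional checksum/key/sequence fields and both an IPv4 packet and a full Ethernet frame inside the tunnel), reports the inner addresses, and flags whether the outer source is on an allow-list of mirroring routers. It also computes the outer MTU a path needs for a given inner MTU. Both packets, the allow-list address and the RFC 1918 check are constructed for the demonstration.

```python
"""Added example: minimal decapsulator for port mirror over GRE.

Not FastNetMon code. All packets are constructed below; the router allow-list
is a hypothetical value chosen for the demo.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14
IPV4_HDR_LEN = 20          # outer IPv4 header without options
ETHERTYPE_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558     # transparent Ethernet bridging: a full L2 frame inside GRE
IPPROTO_GRE = 47
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x80, 0x20, 0x10

# Hypothetical allow-list: the only router(s) permitted to send mirrored traffic.
TRUSTED_MIRROR_SOURCES = {ipaddress.ip_address("192.0.2.1")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def gre_header_len_from_flags(flags):
    """GRE base header is 4 bytes; checksum, key and sequence add 4 bytes each (RFC 2784/2890)."""
    return 4 + sum(4 for bit in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & bit)


def required_mtu(inner_mtu=1500, gre_flags=0):
    """Outer MTU the router-to-FastNetMon path must carry for a given inner MTU."""
    return IPV4_HDR_LEN + gre_header_len_from_flags(gre_flags) + inner_mtu


def parse_ipv4(buf, offset):
    """Return (src, dst, proto, header_len) for the IPv4 header at offset."""
    if buf[offset] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[offset] & 0x0F) * 4
    src = ipaddress.ip_address(buf[offset + 12:offset + 16])
    dst = ipaddress.ip_address(buf[offset + 16:offset + 20])
    return src, dst, buf[offset + 9], ihl


def decapsulate(frame):
    """Strip Ethernet/IPv4/GRE and describe the outer and inner IPv4 headers."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    o_src, o_dst, o_proto, o_ihl = parse_ipv4(frame, ETH_HDR_LEN)
    if o_proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre_off = ETH_HDR_LEN + o_ihl
    gre_len = gre_header_len_from_flags(frame[gre_off])
    gre_proto = struct.unpack("!H", frame[gre_off + 2:gre_off + 4])[0]
    inner_off = gre_off + gre_len
    if gre_proto == GRE_PROTO_TEB:  # an Ethernet frame inside GRE: skip its L2 header
        if struct.unpack("!H", frame[inner_off + 12:inner_off + 14])[0] != ETHERTYPE_IPV4:
            raise ValueError("inner frame is not IPv4")
        inner_off += ETH_HDR_LEN
    elif gre_proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload protocol 0x%04x" % gre_proto)
    i_src, i_dst, i_proto, _ = parse_ipv4(frame, inner_off)
    return {
        "outer_src": str(o_src), "outer_dst": str(o_dst), "gre_header_len": gre_len,
        "inner_src": str(i_src), "inner_dst": str(i_dst), "inner_proto": i_proto,
        # Decapsulation cannot tell a real mirror from a forged tunnel: the inner
        # packet is attacker-controlled, so the outer source is the only thing to trust.
        "trusted": o_src in TRUSTED_MIRROR_SOURCES,
        "inner_src_rfc1918": any(i_src in n for n in RFC1918),
    }


# --- constructed packets, no live capture involved ---------------------------

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload  # checksum left as 0; the parser above does not verify it


def build_gre_frame(outer_src, outer_dst, inner_packet, key=None, teb=False):
    flags, proto, payload = 0, ETHERTYPE_IPV4, inner_packet
    if key is not None:
        flags |= GRE_FLAG_KEY
    if teb:  # wrap the inner packet in a dummy Ethernet frame first
        proto, payload = GRE_PROTO_TEB, b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + inner_packet
    gre = struct.pack("!BBH", flags, 0, proto) + (struct.pack("!I", key) if key is not None else b"")
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + payload)


# Legitimate mirror from the trusted router: a customer TCP packet inside GRE.
LEGIT = build_gre_frame("192.0.2.1", "192.0.2.10",
                        build_ipv4("198.51.100.5", "203.0.113.7", 6, b"\x00" * 20))
# Forged tunnel from an untrusted host: private addresses inside, GRE key set, L2 frame inside.
FORGED = build_gre_frame("198.51.100.99", "192.0.2.10",
                         build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8), key=42, teb=True)

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("forged", FORGED)):
        print(name, decapsulate(frame))
    print("outer MTU for 1500-byte inner packets:", required_mtu(),
          "with GRE key:", required_mtu(gre_flags=GRE_FLAG_KEY))
```

Both frames decapsulate cleanly and the forged one yields a perfectly normal-looking inner packet with RFC 1918 addresses, which is exactly the traffic the warning above is about; only the `trusted` flag, derived from the outer source, separates the two. The MTU helper shows that a 1500-byte inner packet needs at least 1524 bytes on the path (1528 when the router sets a GRE key).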
We have many successful deployments using Juniper's capability to send port mirror over GRE, and other vendors using the standard encapsulation work fine too.
In addition to 1:1 port mirror over GRE you may consider its sampled version, which significantly reduces the CPU load on the FastNetMon machine and dramatically decreases the bandwidth required between the router and FastNetMon. You may start with a sampling rate like 1:1024 as a very safe option which offers good accuracy and extremely fast attack detection.
As port mirror over GRE has no way to carry the sampling rate inside the packets themselves, you need to set it manually using these flags, and the value must match the rate configured on the router:
sudo fcli set main mirror_af_external_packet_sampling enable
sudo fcli set main mirror_external_af_packet_sampling_rate 1000
sudo fcli commit
If you run sampled port mirror you must use a dedicated interface for it and make sure you do not capture traffic from the management interface.
Such a setup is extremely dangerous: all traffic on the management interface (for example a file download) would be multiplied by the sampling rate of 1000 and trigger false positive attack detection.