SophosXG v19.0: how to config PortC for specific VLAN for mirrored port?

Hi, all!  Installed XG v19.0 under VMware 7 platform; currently mirroring single VLAN (verified traffic on Procurve switch port). TAP set up on PortC.  Trying to understand how PortC is assigned to the dedicated NIC we installed in the VMware host for this purpose. PortC is clearly not getting any of the traffic that I've verified is coming through the switch port (mirror). Something is clearly not lashed up correctly.

Are there any tools on the XG firewall that'll let me observe the traffic coming across PortC (à la Wireshark)?  I don't see anything in the docs to indicate how to "connect" PortC to be used.

Suggestions for COHERENT documentation welcome (not vague blogs that don't contain real info).

Thanks.

SteveB



  • Also, any way to PREVENT PortA and PortB traffic from being reported on-screen? Filtering this out of exports just to see if it's working is getting annoying.  Thx.

  • Tap configured per this: Deploy Sophos Firewall in discover mode - Sophos Firewall; no detail whatsoever on how to test/validate for traffic coming in from mirrored port on L2 switch (validated on laptop connected directly to port on switch).  Thx.

  • Hi Steve,

    You can use option 5-3 from the console and run ifconfig PortC; if RX is increasing based on your I/O traffic then it's all set.

    You can also do a tcpdump -ni PortC to listen only on PortC traffic.

    Via GUI you can use Diagnostics > Packet Capture and use TCPDUMP filters.

  • You can also use logviewer filtered on the IP address of the port.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • That's true for non-TAP interfaces. TAP interfaces don't have an IP address, and they can't be changed in the GUI anymore either.

  • Thanks for the replies here!  Sorry for the delay getting back; lots happening here!

    OK, so I finally verified (via Wireshark and a Windows workstation VM) that a mirrored port on our main core L3 switch is dumping into a dedicated port on the VMware 7.x host we're using; all internal client traffic is coming across this mirrored port (yes, load is what I expected).  I confirmed that via ifconfig on the SophosXG the packet count is ratcheting up, but at a VERY slow rate, telling me that all traffic is not coming across the interface.  If I view unfiltered traffic in Packet Capture I see some traffic from both PortA and PortB; however virtually nothing from PortC is displaying. I set up a packet capture filtering on TCP or IP packets on PortC and get ZERO traffic.  Nada. Again, I want to capture ONLY PortC; I'm assuming that's not possible at this point because the Packet Capture is capturing all ports.

    As a test I set up a packet filter for my workstation IP, and set no other filters. I've verified in Wireshark on this host that I can see all of the expected traffic on my workstation IP, so I know the traffic is coming into the dedicated NIC on the VMware host.  The packet capture showed ONLY traffic from my workstation to the SophosXG firewall (172.16.16.16) on PortA. I have normal web pages open *and* I'm playing a YouTube video in one window just to test.  Zero PortC traffic, zero "real" traffic.

    This doesn't function like any firewall/packet capture mechanism I've ever used.  Is there a good document somewhere that details how to setup and use the TAP port on VMware platforms? The scant documents I've found on Sophos sites don't cover any of this and I'm spinning my wheels trying to get this product working.  Suggestions welcome. I'm tempted to set it up on a dedicated piece of hardware, but my confidence is low at this point. There's either some critical undocumented config that's incorrect or this product on VMware 7 isn't ready for prime time.

    Steve

  • Another quick note: 99.99% of traffic on PortC (via tcpdump) are ARP requests.


  • Let's see if we can find where it's not working then. This is what I usually have my customers do when deploying a TAP interface in a VM environment.

    SPAN/Mirror port setup on the switch, select the interfaces you want to see the traffic from and connect to the NIC.

    For the VMware, you'll need to create a vSwitch, add the physical NIC to this vSwitch.

    Assign the new vSwitch to a Network Interface on the VM (XG).

    Your XG VM will have at least 3 NICs; the third one will be PortC. Select the vSwitch created and you should be all set, then check if the TAP is receiving traffic with the ifconfig PortC command.

    Hope this lights up something for you. When they have problems it's usually the mirroring not working properly.
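The two checks recommended in this thread (watch the RX counter from `ifconfig PortC`, then look at what `tcpdump` on PortC actually sees) can be scripted so the result is a verdict rather than a scrolling counter. The script below is an added example written for this page; it is not Sophos code and is not from any poster. It assumes a POSIX shell with `awk` and `sed`, as found in the advanced shell reached via console option 5 > 3, and standard tcpdump flags (`-e` to print link-layer headers so ethertypes and 802.1Q tags are visible, `-n`, `-c`). The embedded `SAMPLE_CAPTURE` is constructed tcpdump-style output used only to exercise the parser; the function and variable names are the example's own. One caveat the thread does not state but a practitioner would want: a VMware vSwitch port group rejects promiscuous mode by default, so a guest NIC attached to a SPAN uplink only receives broadcast frames (ARP) plus frames to its own MAC, which is exactly the "99.99% ARP" symptom reported above; the verdict function names that setting when it sees an ARP-only capture.

```shell
#!/bin/sh
# tapcheck.sh: sanity-check a Sophos Firewall TAP interface (e.g. PortC).
# Added example, not Sophos-provided code. Assumes POSIX sh + awk + sed and a
# standard tcpdump; run from the advanced shell (console option 5 > 3):
#   sh tapcheck.sh PortC 10 200     (interface, seconds to sample, frames to capture)

# Extract the "RX packets" counter from ifconfig output on stdin.
# Handles both "RX packets:1234" (busybox/old net-tools) and "RX packets 1234".
rx_packets() {
    sed -n 's/.*RX packets[: ]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Packets per second between two counter samples taken $3 seconds apart.
rx_rate() {
    echo $(( ($2 - $1) / $3 ))
}

# Classify a "tcpdump -e -n" capture on stdin.
# Prints four counts: total arp other tagged
classify_capture() {
    awk '
        NF == 0 { next }                        # skip blank lines
        { total++ }
        /ethertype 802\.1Q / { tagged++ }       # VLAN tag survived the mirror
        /ethertype ARP /     { arp++; next }    # broadcast discovery only
        { other++ }                             # unicast / real client traffic
        END { printf "%d %d %d %d\n", total+0, arp+0, other+0, tagged+0 }
    '
}

# Turn the four counts (stdin) into a one-line verdict. Thresholds are the
# example author's choice, not a Sophos recommendation.
verdict() {
    read -r total arp other tagged
    if [ "$total" -eq 0 ]; then
        echo "NO_TRAFFIC: nothing reached $IFACE; check the SPAN session and the vSwitch uplink"
    elif [ $(( other * 100 / total )) -lt 5 ]; then
        echo "ARP_ONLY: only broadcast reaches the VM; set Promiscuous Mode = Accept on the ESXi port group"
    else
        echo "OK: $other non-ARP frames of $total ($tagged VLAN-tagged)"
    fi
}

# Constructed sample (not a real capture): 3 ARP broadcasts, 1 tagged TCP SYN, 1 untagged SYN/ACK.
SAMPLE_CAPTURE='10:00:01.000001 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.16.1 tell 172.16.16.50, length 46
10:00:01.000002 00:11:22:33:44:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.16.1 tell 172.16.16.51, length 46
10:00:01.000003 00:11:22:33:44:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.16.1 tell 172.16.16.52, length 46
10:00:01.000004 00:11:22:33:44:50 > 00:11:22:33:44:fe, ethertype 802.1Q (0x8100), length 78: vlan 100, p 0, ethertype IPv4 (0x0800), 172.16.16.50.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000005 00:11:22:33:44:fe > 00:11:22:33:44:50, ethertype IPv4 (0x0800), length 74: 203.0.113.5.443 > 172.16.16.50.51234: Flags [S.], seq 2, ack 2, win 65535, length 0'

# Live check against a real interface: counter delta first, then a short capture.
main() {
    IFACE="$1"; SECS="${2:-10}"; FRAMES="${3:-200}"
    before=$(ifconfig "$IFACE" | rx_packets)
    sleep "$SECS"
    after=$(ifconfig "$IFACE" | rx_packets)
    echo "$IFACE RX rate: $(rx_rate "$before" "$after" "$SECS") pkt/s"
    # -e is what makes the ARP-vs-unicast and VLAN-tag distinction visible.
    tcpdump -e -n -i "$IFACE" -c "$FRAMES" 2>/dev/null | classify_capture | verdict
}

# Only run the live check when an interface name is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the RX rate is near zero the frames are not reaching the vSwitch uplink at all (SPAN session or cabling); if the rate is healthy but the verdict is ARP_ONLY, the uplink is fine and the port group is filtering unicast frames the VM does not own, which is the promiscuous-mode setting. An OK verdict with zero tagged frames on a mirrored trunk means the switch is stripping the 802.1Q tag on the mirror port, which matters if the TAP interface is meant to see a specific VLAN.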