
SophosXG v19.0: how to config PortC for specific VLAN for mirrored port?

Hi, all!  Installed XG v19.0 under VMware 7 platform; currently mirroring single VLAN (verified traffic on Procurve switch port). TAP set up on PortC.  Trying to understand how PortC is assigned to the dedicated NIC we installed in the VMware host for this purpose. PortC is clearly not getting any of the traffic that I've verified is coming through the switch port (mirror). Something is clearly not lashed up correctly.

Are there any tools on the XG firewall that'll let me observe the traffic coming across PortC (à la Wireshark)?  I don't see anything in the docs to indicate how to "connect" PortC to be used.

Suggestions for COHERENT documentation welcome (not vague blogs that don't contain real info).

Thanks.

SteveB



This thread was automatically locked due to age.
  • Thanks for the replies here!  Sorry for the delay getting back; lots happening here!

    OK, so I finally verified (via Wireshark and a Windows workstation VM) that a mirrored port on our main core L3 switch is dumping into a dedicated port on the VMware 7.x host we're using; all internal client traffic is coming across this mirrored port (yes, load is what I expected).  I confirmed that via ifconfig on the SophosXG the packet count is ratcheting up, but at a VERY slow rate, telling me that all traffic is not coming across the interface.  If I view unfiltered traffic in Packet Capture I see some traffic from both PortA and PortB; however virtually nothing from PortC is displaying. I set up a packet capture filtering on TCP or IP packets on PortC and get ZERO traffic.  Nada. Again, I want to capture ONLY PortC; I'm assuming that's not possible at this point because the Packet Capture is capturing all ports.

    As a test I set up a packet filter for my workstation IP, and set no other filters. I've verified in Wireshark on this host that I can see all of the expected traffic on my workstation IP, so I know the traffic is coming into the dedicated NIC on the VMware host.  The packet capture showed ONLY traffic from my workstation to the SophosXG firewall (172.16.16.16) on PortA. I have normal web pages open *and* I'm playing a YouTube video in one window just to test.  Zero PortC traffic, zero "real" traffic.

    This doesn't function like any firewall/packet capture mechanism I've ever used.  Is there a good document somewhere that details how to set up and use the TAP port on VMware platforms? The scant documents I've found on Sophos sites don't cover any of this and I'm spinning my wheels trying to get this product working.  Suggestions welcome. I'm tempted to set it up on a dedicated piece of hardware, but my confidence is low at this point. There's either some critical undocumented config that's incorrect or this product on VMware 7 isn't ready for prime time.

    Steve


  • Another quick note: 99.99% of traffic on PortC (via tcpdump) is ARP requests.

  • Let's see if we can find where it's not working then. This is what I usually have my customers do when deploying a TAP interface in a VM env.

    SPAN/Mirror port setup on the switch, select the interfaces you want to see the traffic from and connect to the NIC.

    For the VMware, you'll need to create a vSwitch, add the physical NIC to this vSwitch.

    Assign the new vSwitch to a Network Interface on the VM (XG).

    Your XG VM will have at least 3 NICs; the third one will be PortC. Select the vSwitch created and you should be all set, then check if the TAP is receiving traffic with the `ifconfig PortC` command.

    Hope this lights up something for you. When they have problems it's usually the mirroring not working properly.
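The last step above (checking that the TAP is receiving traffic) and the "99.99% ARP" observation earlier in the thread are both about the same question: is mirrored unicast traffic actually reaching the VM's TAP interface, or only broadcast frames? As an added example (not Sophos tooling and not code from anyone in this thread), the Python script below reads a libpcap file such as one written on the firewall with tcpdump, classifies each Ethernet frame by destination type and EtherType, and gives a verdict. A feed that is almost entirely ARP/broadcast is what a SPAN session looks like when unicast frames addressed to other hosts' MACs are dropped before they reach the VM; on an ESXi standard vSwitch the port group's Promiscuous Mode security setting defaults to Reject and must be set to Accept for a TAP NIC. The function names, the thresholds and the two sample captures (ARP_ONLY, HEALTHY) are constructed for this example.

```python
"""Verify that a TAP/mirror interface receives mirrored unicast traffic.

Reads a libpcap (not pcapng) byte string, e.g. the contents of a file written
with `tcpdump -i <tap-interface> -w capture.pcap`, and reports whether unicast
frames for other hosts are arriving or whether the port only sees ARP/broadcast.
"""
import struct
from collections import Counter
from typing import Iterator, NamedTuple, Optional, Tuple

ETHERTYPE_NAMES = {0x0806: "arp", 0x0800: "ipv4", 0x86DD: "ipv6"}


class FrameStats(NamedTuple):
    total: int          # Ethernet frames examined
    unicast_dst: int    # frames whose destination MAC is unicast
    by_type: dict       # counts per EtherType name
    verdict: str        # human-readable conclusion


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a libpcap file held in memory."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"            # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # byte-swapped magic: big-endian file
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:           # DLT_EN10MB: Ethernet
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) < caplen:
            break               # truncated final record; stop cleanly
        yield frame
        off += caplen


def classify(frame: bytes) -> Optional[Tuple[bool, str]]:
    """Return (destination is unicast, EtherType name) for one frame; handles one 802.1Q tag."""
    if len(frame) < 14:
        return None
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100 and len(frame) >= 18:   # VLAN tag: real EtherType follows the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
    is_unicast = (dst[0] & 0x01) == 0               # group bit clear means unicast MAC
    return is_unicast, ETHERTYPE_NAMES.get(ethertype, "other")


def analyze(data: bytes, unicast_floor: float = 0.10) -> FrameStats:
    """Summarise a capture and decide whether the mirror feed is healthy."""
    by_type: Counter = Counter()
    unicast = total = 0
    for frame in iter_pcap_frames(data):
        c = classify(frame)
        if c is None:
            continue
        is_unicast, name = c
        total += 1
        unicast += int(is_unicast)
        by_type[name] += 1
    if total == 0:
        verdict = "no frames captured: check the SPAN session and the vSwitch uplink"
    elif unicast / total < unicast_floor:
        verdict = ("only broadcast/ARP reaching the port: mirrored unicast frames are dropped "
                   "before the VM (check promiscuous mode on the vSwitch port group)")
    else:
        verdict = "mirrored unicast traffic is arriving"
    return FrameStats(total, unicast, dict(by_type), verdict)


# --- constructed sample captures (not real traffic) --------------------------
def build_pcap(frames) -> bytes:
    """Wrap raw Ethernet frames in a little-endian libpcap container."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def eth(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


BCAST = b"\xff" * 6
HOST_A = bytes.fromhex("001122334455")   # constructed MAC
HOST_B = bytes.fromhex("66778899aabb")   # constructed MAC

# What the thread's PortC looked like: almost nothing but ARP broadcasts.
ARP_ONLY = build_pcap([eth(BCAST, HOST_A, 0x0806)] * 50 + [eth(HOST_A, HOST_B, 0x0800)])
# A healthy mirror feed: unicast IPv4, some of it 802.1Q-tagged (VLAN 100), plus a little ARP.
HEALTHY = build_pcap(
    [eth(HOST_A, HOST_B, 0x0800)] * 40
    + [eth(HOST_B, HOST_A, 0x8100, struct.pack("!HH", 100, 0x0800) + b"\x00" * 46)] * 10
    + [eth(BCAST, HOST_A, 0x0806)] * 5
)

if __name__ == "__main__":
    for label, pcap in (("arp-only", ARP_ONLY), ("healthy", HEALTHY)):
        s = analyze(pcap)
        print(f"{label}: {s.total} frames, {s.unicast_dst} unicast, {s.by_type} -> {s.verdict}")
```

To use it against a real capture, replace the constructed samples with `analyze(open("capture.pcap", "rb").read())`; the unicast floor of 10% is a constructed threshold, and the point is the ratio, not the exact number.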

  • All of this is done.  Please recall that I can build a Wireshark box on the same host and see ALL traffic coming across the mirrored port into the VM.  On the SophosXG on the same host the ONLY traffic I see at any time is ARP traffic: no traffic that I KNOW and can confirm on a real-time basis can be seen in tcpdump on the SophosXG box. Something isn't working.