SophosXG v19.0: how to config PortC for specific VLAN for mirrored port?

Hi, all! Installed XG v19.0 under VMware 7 platform; currently mirroring single VLAN (verified traffic on Procurve switch port). TAP set up on PortC. Trying to understand how PortC is assigned to the dedicated NIC we installed in the VMware host for this purpose. PortC is clearly not getting any of the traffic that I've verified is coming through the switch port (mirror). Something is clearly not lashed up correctly.

Are there any tools on the XG firewall that'll let me observe the traffic coming across PortC (à la Wireshark)? I don't see anything in the docs to indicate how to "connect" PortC to be used.

Suggestions for COHERENT documentation welcome (not vague blogs that don't contain real info).

Thanks.

SteveB



  • Thanks for the replies here!  Sorry for the delay getting back; lots happening here!

    OK, so I finally verified (via Wireshark and a Windows workstation VM) that a mirrored port on our main core L3 switch is dumping into a dedicated port on the VMware 7.x host we're using; all internal client traffic is coming across this mirrored port (yes, load is what I expected).  I confirmed that via ifconfig on the SophosXG the packet count is ratcheting up, but at a VERY slow rate, telling me that all traffic is not coming across the interface.  If I view unfiltered traffic in Packet Capture I see some traffic from both PortA and PortB; however virtually nothing from PortC is displaying. I set up a packet capture filtering on TCP or IP packets on PortC and get ZERO traffic.  Nada. Again, I want to capture ONLY PortC; I'm assuming that's not possible at this point because the Packet Capture is capturing all ports.

    As a test I set up a packet filter for my workstation IP, and set no other filters. I've verified in Wireshark on this host that I can see all of the expected traffic on my workstation IP, so I know the traffic is coming into the dedicated NIC on the VMware host. The packet capture showed ONLY traffic from my workstation to the SophosXG firewall (172.16.16.16) on PortA. I have normal web pages open *and* I'm playing a YouTube video in one window just to test. Zero PortC traffic, zero "real" traffic.

    This doesn't function like any firewall/packet capture mechanism I've ever used. Is there a good document somewhere that details how to set up and use the TAP port on VMware platforms? The scant documents I've found on Sophos sites don't cover any of this and I'm spinning my wheels trying to get this product working. Suggestions welcome. I'm tempted to set it up on a dedicated piece of hardware, but my confidence is low at this point. There's either some critical undocumented config that's incorrect or this product on VMware 7 isn't ready for prime time.

    Steve
