Mirror traffic from your Airwall Gateways to a packet analyzer tool

You can mirror traffic from your Airwall Gateways to allow common packet analyzer/visibility tools (like Nozomi or Wireshark) to see what’s going on in your Airwall secure network.

Caution: Packet analysis is a notoriously risky activity for security. Parsing unknown, uncontrolled inputs for a wide range of protocols is error-prone. When employing a packet analysis tool, it’s best practice to segment off the packet processing into an isolated security sandbox.

Supported Versions

Conductor and Airwall Gateways v2.2.11 and later

Required Role

  • System or network administrators
  • Permissions to edit the Airwall Gateways used as the Mirror Destination and Sources. You need to be a manager of at least one overlay that these Airwall Gateways are in.

Supported on these Airwall Edge Services

Airwall Gateways: 2.2.11 hardware and virtual gateways:

  • For Mirror Destination: Production environments: Recommend Airwall Gateway 300v or 500 only. Testing: Airwall Gateway 75, 150, or 250.
  • For Mirror Source: Any Airwall Gateway.

Bulk editing does not support this configuration.

Before you begin

CAUTION:
To allow a packet analyzer to view traffic on an Airwall secure network, port mirroring requires copying potentially sensitive traffic and delivering a copy of it where your packet analyzer can access it. This additional copy can introduce a security risk and impact the performance of your network:
  • Security risk and impact – A security risk is introduced in handling the copy of sensitive traffic that must also be secured.
  • Performance impact – Mirroring traffic to a remote Airwall Gateway may incur up to a 3-5x performance penalty due to the overhead of processing additional copies of the traffic and fragmenting large packets. The more traffic you mirror, the higher the impact. See Adjust performance for mirrored traffic for suggestions on mitigating the performance impact.

Requirements

To set up port mirroring, you need:

  • A Packet Analysis Tool (such as Nozomi or Wireshark)
  • The permissions listed under Required Role above.
  • An Airwall Gateway to use as the Mirror Destination (see Supported on these Airwall Gateways for recommended models)
  • One or more Airwall Gateways that you want to mirror the traffic on (to use as Mirror sources)

Note: If you are using GRE or ERSPAN source to packet analyzer, you can use an existing overlay port group. If you’re using a Mirror Destination port group, the Mirror Destination Airwall Gateway needs a free port.

How does it work?

The following diagram shows how to set up port mirroring to avoid leaking sensitive network information.

Diagram showing how port mirroring sends a copy of traffic securely from the Mirror Source Airwall Gateways to the Mirror Destination Airwall Gateway, and then to the packet analyzer, all within the Airwall secure network

Diagram Flow:

  1. Secure network traffic to and from the Mirror Source Airwall Gateways is collected.
  2. Mirror Source Airwall Gateways send a copy of traffic data to the Mirror Destination Airwall Gateway.
  3. Mirror Destination Airwall Gateway sends the data to the Local device for the Packet Analyzer.
  4. Admin securely logs in to packet analyzer to access and analyze data and export reports.
  5. Admin releases reports that aggregate the data.

For more ways to configure mirrored traffic, see More Mirrored Traffic Scenarios.

Choose how to mirror traffic

There are two ways you can set up the Mirror Destination Airwall Gateway, depending on how you are connecting your packet analyzer to it:

  • Local Device Destination – The recommended way to mirror traffic is to send the traffic to a local device for your packet analyzer. See Mirror Traffic to a Local Device destination (Recommended Way). This method uses GRE or ERSPAN to send traffic to a local device for the packet analyzer on the Mirror Destination Airwall Gateway.
  • Mirror Destination Group – You can also send mirrored traffic to a dedicated port group attached to a physical cable. See Mirror traffic to a dedicated port. This method uses a special type of port group (Mirror Destination group).

    If you are using a Mirror Destination group, you can’t use a physical or virtual switch without special configuration. This particularly impacts the Airwall Gateway 300v, since the hypervisor uses a virtual switch. You must either use a physical cable to directly connect the Airwall Gateway to the packet analyzer, or consult your switch vendor's documentation on how to configure it to carry mirrored traffic.
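With the recommended Local Device Destination, the packet analyzer receives the mirrored frames wrapped in GRE or ERSPAN. The following added example (not Airwall or Conductor code, and independent of any vendor tool) shows what a receiver on the local device has to do with each tunnel packet: strip the GRE header, strip the ERSPAN Type II header when present, and hand the original Ethernet frame to the analysis stage. It follows the Caution above by checking every length before reading, so a truncated or malformed packet is rejected rather than crashing the parser. The sample packet, its VLAN, session ID, sequence number and inner IPv4 addresses are all constructed for the example.

```python
"""Decapsulate GRE / ERSPAN mirrored packets on the packet-analyzer host.

Added example for the mirroring flow described above; not the product's own code.
Input is the IP payload of a tunnel packet (everything after the outer IP header).
"""
import struct
from dataclasses import dataclass
from typing import Optional

# GRE protocol types a mirror receiver must recognise (IANA EtherType values).
GRE_PROTO_ERSPAN = 0x88BE  # ERSPAN Type I (no ERSPAN header) or Type II (8-byte header)
GRE_PROTO_TEB = 0x6558     # Transparent Ethernet Bridging: plain GRE carrying a raw frame

# Bits of the first 16-bit word of the GRE header (RFC 2784 / RFC 2890).
GRE_FLAG_C = 0x8000    # checksum present
GRE_FLAG_K = 0x2000    # key present
GRE_FLAG_S = 0x1000    # sequence number present
GRE_RESERVED = 0x4FF8  # routing bit and Reserved0 bits: must be zero
GRE_VERSION = 0x0007


class DecapError(ValueError):
    """Malformed or unexpected encapsulation; the caller should drop the packet."""


@dataclass
class MirroredFrame:
    encapsulation: str          # "gre-teb", "erspan-1" or "erspan-2"
    sequence: Optional[int]     # GRE sequence number, if present
    session_id: Optional[int]   # ERSPAN session ID (Type II only)
    vlan: Optional[int]         # VLAN recorded by the mirror source (Type II only)
    inner_frame: bytes          # the mirrored Ethernet frame as the source saw it


def decapsulate(gre_packet: bytes) -> MirroredFrame:
    """Strip GRE and, when present, the ERSPAN Type II header from one mirrored packet."""
    if len(gre_packet) < 4:
        raise DecapError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre_packet[:4])
    if flags & GRE_VERSION:
        raise DecapError(f"unsupported GRE version {flags & GRE_VERSION}")
    if flags & GRE_RESERVED:
        raise DecapError("reserved GRE header bits set")

    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4  # checksum + reserved1 (not validated here)
    if flags & GRE_FLAG_K:
        offset += 4  # key field, skipped
    sequence = None
    if flags & GRE_FLAG_S:
        if len(gre_packet) < offset + 4:
            raise DecapError("truncated GRE sequence field")
        sequence = struct.unpack("!I", gre_packet[offset:offset + 4])[0]
        offset += 4
    if len(gre_packet) < offset:
        raise DecapError("truncated GRE optional fields")
    payload = gre_packet[offset:]

    if proto == GRE_PROTO_TEB:
        return MirroredFrame("gre-teb", sequence, None, None, payload)
    if proto == GRE_PROTO_ERSPAN:
        if sequence is None:  # Type I: frame follows the GRE header directly
            return MirroredFrame("erspan-1", None, None, None, payload)
        if len(payload) < 8:
            raise DecapError("truncated ERSPAN Type II header")
        word1, _word2 = struct.unpack("!II", payload[:8])
        if word1 >> 28 != 1:
            raise DecapError(f"unexpected ERSPAN version {word1 >> 28}")
        vlan = (word1 >> 16) & 0x0FFF      # ver(4) | VLAN(12) | COS(3) | En(2) | T(1) | session(10)
        session_id = word1 & 0x03FF
        return MirroredFrame("erspan-2", sequence, session_id, vlan, payload[8:])
    raise DecapError(f"unexpected GRE protocol type 0x{proto:04x}")


def summarize_inner(frame: bytes) -> dict:
    """Extract the fields an analyst looks at first from the mirrored Ethernet frame."""
    if len(frame) < 14:
        raise DecapError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:  # IPv4 with a full 20-byte header
        ip = frame[14:34]
        info["ip_proto"] = ip[9]
        info["src_ip"] = ".".join(str(b) for b in ip[12:16])
        info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    return info


def build_sample_erspan2(session_id: int, vlan: int, sequence: int, inner: bytes) -> bytes:
    """Constructed test input: one ERSPAN Type II packet as a mirror source would emit it."""
    gre = struct.pack("!HH", GRE_FLAG_S, GRE_PROTO_ERSPAN) + struct.pack("!I", sequence)
    word1 = (1 << 28) | ((vlan & 0x0FFF) << 16) | (session_id & 0x03FF)
    return gre + struct.pack("!II", word1, 0) + inner


# Constructed inner frame: Ethernet + minimal IPv4 header, TCP from 10.0.0.1 to 10.0.0.2.
SAMPLE_INNER = (
    bytes.fromhex("00112233445566778899aabb0800")
    + bytes.fromhex("45000028000040004006") + bytes(2)  # IPv4 header through checksum (0)
    + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])
)

if __name__ == "__main__":
    frame = decapsulate(build_sample_erspan2(session_id=5, vlan=100, sequence=7, inner=SAMPLE_INNER))
    print(frame.encapsulation, frame.session_id, frame.vlan, frame.sequence, summarize_inner(frame.inner_frame))
```

In practice the receiver would read tunnel packets from a raw socket or a capture file on the local device and feed `inner_frame` to the analyzer; keeping the decapsulation step this strict is what lets the analyzer stay inside the isolated sandbox the Caution recommends without the tunnel parser becoming the weak point.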