Configure a Mirror Destination to send to a Local Device

The Mirror Destination Airwall Gateway receives the mirrored traffic and sends it to your packet analyzer (or network analyzer or packet broker).

If your packet analyzer supports receiving packets encapsulated in GRE or ERSPAN, this is the preferred configuration. It avoids the possibility of mirrored traffic being recirculated on your network and the MAC address table issues with switches. It also provides additional fields to your packet analyzer that allow it to distinguish between traffic captured by multiple Airwall Gateways (using GRE key/ERSPAN session ID) and detect lost or reordered packets (using ERSPAN sequence number).
  1. On the Airwall Gateway page, go to Ports > Port mirroring.
  2. Select Edit Settings.
  3. Next to Configurations, select the + to add a mirroring configuration.
  4. In your new configuration:
    1. Set the Enabled toggle to On.
      Note: After configuration, use this toggle to turn mirroring on and off.
    2. Under Type, select Mirror Destination.
    3. Under Packet destination, select the local device you set up earlier for your packet analyzer.
      Note: The device will not show up as a destination when you're selecting the Mirror Destination Airwall Gateway unless you've set a specific port group affinity (not Auto). See Create a local device for your packet analyzer tool.
    4. Under Encapsulation type, select the encapsulation (GRE or ERSPAN Type I, II, or III) supported by your packet analyzer. For example, for Nozomi, pick ERSPAN type II. Refer to your packet analyzer's documentation to determine which encapsulations it supports.
      Port mirroring configuration for your mirror destination Airwall Gateway
    5. Optional – Enter any information allowed for the type you selected (for example, GRE key or session ID).
    6. Optional – Under BPF filter, add any BPF filters you would like to use to filter the traffic that is mirrored to this Mirror Destination. See BPF Settings for Port Mirroring.
      Note: If you use a BPF expression on the Mirror Destination, that’s the default for all of the Mirror Sources, unless you set a BPF expression on the source, which overrides this default.
  5. Select Update Settings.

You should be able to see some traffic from the Mirror Destination to the packet analyzer local device.
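
To check on the analyzer side that the session ID and sequence number described above are usable, the following added example (not Airwall or analyzer vendor code) parses ERSPAN Type II packets and reports per-session sequence gaps and late arrivals. It assumes the standard ERSPAN Type II layout (GRE protocol type 0x88BE with the sequence bit set, followed by an 8-byte ERSPAN header with a 10-bit session ID) and takes the bytes that follow the outer IP header as input; the function names and sample packets are constructed for illustration.

```python
import struct

GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000  # GRE flag bits
PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I and II

def parse_erspan2(gre: bytes):
    """Return (session_id, sequence, inner_frame) for ERSPAN Type II, else None."""
    if len(gre) < 4:
        return None
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != PROTO_ERSPAN or not flags & GRE_SEQ:
        return None  # Type I carries no sequence number and no ERSPAN header
    off = 4 + (4 if flags & GRE_CSUM else 0) + (4 if flags & GRE_KEY else 0)
    if len(gre) < off + 12:  # 4-byte GRE sequence + 8-byte ERSPAN header
        return None
    seq, word0 = struct.unpack_from("!II", gre, off)
    if word0 >> 28 != 1:  # ERSPAN Type II uses header version 1
        return None
    return word0 & 0x3FF, seq, gre[off + 12:]

def check_sequences(packets):
    """Track sequence numbers per session ID.
    Returns (session_id, kind, expected, got); kind is 'gap' or 'late'."""
    expected, findings = {}, []
    for gre in packets:
        parsed = parse_erspan2(gre)
        if parsed is None:
            continue
        sid, seq, _ = parsed
        exp = expected.get(sid)
        # Serial-number comparison so a 32-bit wraparound is not reported
        ahead = exp is None or ((seq - exp) & 0xFFFFFFFF) < 0x80000000
        if exp is not None and seq != exp:
            findings.append((sid, "gap" if ahead else "late", exp, seq))
        if ahead:
            expected[sid] = (seq + 1) & 0xFFFFFFFF
    return findings

def build(session_id, seq, frame=b"\x00" * 14):
    """Constructed sample packet: GRE (sequence bit) + ERSPAN II header + frame."""
    gre = struct.pack("!HHI", GRE_SEQ, PROTO_ERSPAN, seq)
    return gre + struct.pack("!II", (1 << 28) | session_id, 0) + frame

# Constructed capture: two gateways (sessions 10 and 20); session 10
# delivers sequence 3 before sequence 2.
SAMPLE = [build(10, 0), build(10, 1), build(20, 0),
          build(10, 3), build(10, 2), build(20, 1)]

if __name__ == "__main__":
    for finding in check_sequences(SAMPLE):
        print(finding)
```

A "gap" that is followed by a matching "late" entry indicates reordering; a gap that is never filled indicates mirrored packets lost before they reached the analyzer.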