05-13-2015 06:09 AM - edited 03-12-2019 05:41 AM
I know SF can de-encapsulate ERSPAN traffic, but can a sensor be configured directly as an ERSPAN destination host for passive analysis? My issue is that I'm trying to run a sensor in a UCS B-Series environment in passive mode. B-Series / fabric interconnects do not support spanning traffic / RSPAN into the system. So I'd like to be able to ship traffic over a layer 3 connection directly to the sensor, but I'd need the sensor to respond to layer 3 requests such as ARP.
05-20-2015 12:54 PM
Not sure on the ERSPAN, but you should be able to get visibility into your traffic in one of two ways:
1) Use a Port Bypass TAP system (100% uptime, Sourcefire TAP)
2) Implement a virtual sensor (look into traffic between virtual servers)
05-21-2017 02:51 AM
Hello Jerry,
Good day!
Could you please help me?
I have the same situation.
Did you try to configure the sensor as an ERSPAN destination?
Does it work?
How did you configure it exactly?
Best regards,
05-21-2017 04:50 AM
Hello Jerry,
What type of hardware sensor do you want to configure with ERSPAN, and what software version does it run?
You can configure ERSPAN on Firepower Threat Defense devices in routed firewall mode only. It requires you to configure a physical interface in ERSPAN mode; you also have to provide a name for the interface (this adds a nameif on the back end, as on traditional ASA firewall devices, and without this name the device will not process any traffic), and you have to configure an IP address on this interface. The switch/router from which you are trying to send traffic over the GRE tunnel to the FTD/sensor needs to support ERSPAN. Make sure that the flow ID on the sensor matches the ERSPAN ID of the monitor session, and that you have specified the correct source and destination IP addresses for the encapsulated traffic on the ERSPAN switch/router.
Let me know if you have more questions.
Best regards,
Veronika
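The reply above lists three things that must agree between the switch's ERSPAN source session and the sensor's ERSPAN interface: the destination IP (the sensor interface), the origin/source IP, and the ERSPAN ID / flow ID. The script below is an added example, not code from this thread or from Cisco: it decodes the outer IPv4 + GRE + ERSPAN Type II headers the switch emits (GRE protocol type 0x88BE, 10-bit session ID) and checks a packet against those three settings, which is a quick way to validate a capture taken on the link facing the sensor when the device shows no mirrored traffic. The IP addresses, VLAN, sequence number and inner Ethernet frame are constructed for the example, and the FTD performs this de-encapsulation itself; the script only reproduces the match conditions.

```python
"""Decode ERSPAN Type II (GRE 0x88BE) and check it against a sensor's ERSPAN
interface settings: destination IP, origin IP and flow ID. Added example with
a constructed packet; not captured traffic and not vendor code."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN2 = 0x88BE              # GRE protocol type carrying ERSPAN Type II
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


@dataclass
class ErspanFrame:
    outer_src: str          # origin IP configured on the switch
    outer_dst: str          # IP of the sensor's ERSPAN interface
    gre_seq: Optional[int]
    vlan: int               # VLAN of the mirrored frame
    session_id: int         # "ERSPAN ID" on the switch, "flow ID" on the sensor
    inner_frame: bytes      # the mirrored Ethernet frame the sensor inspects


def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def _ipv4(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def build_erspan(src: str, dst: str, session_id: int, vlan: int, seq: int, inner: bytes) -> bytes:
    """Build outer IPv4 + GRE (sequence bit set) + 8-byte ERSPAN II header + inner frame."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN2, seq)
    # Ver=1 (bits 31..28), VLAN (27..16), COS/En/T zero, session ID (9..0); word 2 is reserved/index
    w1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)
    payload = gre + struct.pack("!II", w1, 0) + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                     IPPROTO_GRE, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:] + payload


def parse_erspan(pkt: bytes) -> ErspanFrame:
    """Strip outer IPv4 and GRE, decode the ERSPAN Type II header, return the inner frame."""
    if pkt[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE (47)" % pkt[9])
    gre = pkt[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN2:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN Type II (0x88be)" % proto)
    off = 4
    if flags & GRE_FLAG_CSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if len(gre) < off + 8:
        raise ValueError("truncated ERSPAN header")
    w1, _w2 = struct.unpack("!II", gre[off:off + 8])
    if w1 >> 28 != 1:
        raise ValueError("ERSPAN version %d is not Type II" % (w1 >> 28))
    return ErspanFrame(_ipv4(pkt[12:16]), _ipv4(pkt[16:20]), seq,
                       (w1 >> 16) & 0x0FFF, w1 & 0x3FF, gre[off + 8:])


def check_for_sensor(pkt: bytes, sensor_ip: str, origin_ip: str, flow_id: int) -> Tuple[bool, str]:
    """Mirror the match conditions from the reply: outer dst is the sensor interface IP,
    outer src is the switch origin IP, ERSPAN session ID equals the sensor's flow ID."""
    try:
        f = parse_erspan(pkt)
    except ValueError as e:
        return False, "not ERSPAN: %s" % e
    if f.outer_dst != sensor_ip:
        return False, "destination %s is not the sensor interface %s" % (f.outer_dst, sensor_ip)
    if f.outer_src != origin_ip:
        return False, "origin %s does not match the configured source IP %s" % (f.outer_src, origin_ip)
    if f.session_id != flow_id:
        return False, "ERSPAN ID %d does not match sensor flow ID %d" % (f.session_id, flow_id)
    return True, "ok: %d-byte inner frame on VLAN %d" % (len(f.inner_frame), f.vlan)


# Constructed sample: dst MAC, src MAC, IPv4 ethertype, then a dummy 46-byte payload.
INNER = bytes.fromhex("00112233445566778899aabb0800") + b"\x45" + b"\x00" * 45
# Constructed addresses: switch origin 10.1.1.1, sensor ERSPAN interface 10.1.1.10, ERSPAN ID 100.
SAMPLE = build_erspan("10.1.1.1", "10.1.1.10", session_id=100, vlan=10, seq=7, inner=INNER)

if __name__ == "__main__":
    print(check_for_sensor(SAMPLE, "10.1.1.10", "10.1.1.1", 100))   # match
    print(check_for_sensor(SAMPLE, "10.1.1.10", "10.1.1.1", 101))   # flow ID mismatch
```

To use it against a real capture, read each packet with any pcap reader, skip the outer Ethernet header and hand the IPv4 bytes to check_for_sensor with the values from the FTD interface settings; a mismatch message names the setting that needs to be fixed on the switch or the sensor.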
09-19-2019 05:08 AM
Hello,
I'm trying to do the opposite. Do you know if it's possible to configure the virtual FTD to span traffic to another device? We have a software IDS that will be on a VM and are trying to send traffic to it from the FTD. I tried to accomplish this from a CSR 1000V in the environment, but from what I've found that is not supported.
Respectfully,
Alex