So when I ssh into the cli of the WSA (sorry for all of the acronyms.. .part of being in IT!)... there is a command to look at the nics.
Type etherconfig
then type media
It will list them out with mac addresses and if the link is up and what speed. This shows me that 1 Management is up at 1000baseT full-duplex, as is 4 T1 is up as well.
However in the L4TM logs there is never any data. We even added some IP's in the L4 settings to test this feature, but it doesn't block or log anything. Just to test that I have the port mirror setup correctly, I added a second nic to a Windows VM and put it on this network. I ran wireshark on that NIC and low and behold I witnessed all of the traffic traversing our outbound link to our inline IDS/IPS that sits between our network and our Internet switch where our load balancers and ISP's terminate.
So I know that this mirror works fine. In vmware its just a simple NIC with promiscouous mode set to accept. We have called this TAP1. We have another that is the same configuration called TAP2 that is feeding an Extreme Networks Purview applications analytics appliance. This has no issues at all and it is classifying every piece of traffic traversing through our core switch stacks. I don't know what the issue is with the virtual WSA running 10.5.2. There are a lot of bugs in this version but a new release is not expected until Q1 2018. I hope this is fixed in the next build, as well as periodic reports failed and random coring on o365 hosted sharepoint (onedrive) (temp fixed by putting it in bypass). The fortigate guys are pushing hard to make us move and sometimes that option looks better and better every day.
