One-armed sniffer

Onearmed sniffer

A one-armed sniffer is used to configure a physical interface on the FortiGate unit as a one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for matches to the configured IPS sensor and application control list. Matches are logged and then all received traffic is dropped. Sniffing only reports on attacks. It does not deny or otherwise influence traffic.

Using the one-arm sniffer, you can configure a FortiGate unit to operate as an IDS appliance by sniffing network traffic for attacks without actually processing the packets. To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.

To assign an interface as a sniffer interface, go to System > Network > Interface, edit the interface and select One-Arm Sniffer.

If the check box is not available, the interface is in use. Ensure that the interface is not selected in any firewall policies, routes, virtual IPs or other features in which a physical interface is specified.

Enable Filters                            Select to include filters to define a more granular sniff of network traffic.

Select specific addresses, ports, VLANs and protocols.

In all cases, enter a number, or number range, for the filtering type. For Pro- tocol values, standard protocols are:

  • UDP – 17
  • TCP – 6
  • ICMP – 1


Include IPv6 Packets

If your network is running a combination of IPv4 and IPv6 addressing, select to sniff both addressing types. Otherwise, the FortiGate unit will only sniff IPv4 traffic.

Include Non-IP Packets            Select for a more intense scan of content in the traffic.


UTM Security Profiles

IPS sensors, and application control lists enable you to select specific sensors and application you want to identify within the traffic.

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “One-armed sniffer

  1. Francisco Marques

    Hello Dear,

    I would like know if one-arm sniffer work with Vdom mode ? Per example, I have one Fortigate Firewall 3950B with four vdoms, but I don’t able that assign one interface for a specific vdom.


    Francisco Marques.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.