Traffic Monitoring to and from specific device

PaoloFracas
PaoloFracas Posts: 54  Ally Member
First Comment Friend Collector First Anniversary

Hi to all,

I would need to know if there is a rule to monitor traffic to and from a specific device.

I used the explanations on the page below as a basis but when I run a Ping test I get no monitoring.

Below my Rule.

What I need is to monitor all traffic to and from a specific device across the entire network and not just my PC for which I could use WireShark.

If there is external software it's fine anyway.

Thanks to all

Best Regards.

Paolo Fracas

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PaoloFracas ,

    You can capture packets from the LAN interface of the firewall and filter by IP address to sniff packets for that specific host.

  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary

    Sorry for delay.

    Unfortunately the solution doesn't work.

    It doesn't monitor internal LAN traffic, which is what I need.

    Monitors traffic from LAN to VLAN and vice versa but not LAN to LAN traffic.

    Thanks anyway

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 14

    The only way to Monitor traffic not going to the USG directly is to do a proxy ARP so that traffic per device goes through the USG.

    This setup shows how to do that for example normally 192.168.255.55 can ping 192.168.255.62 without the USG knowing but with proxy ARP setup 192.168.255.55 sends ping to the USG then to 192.168.255.62

  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary

    I'll try.

    Thanks

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 14

    Depending on the USG you have you might not have Native ports able to change interface type to general for proxy ARP option in which case you need to do a VLAN with interface type to general but this then brakes the switch setup for it so you need two more ports on switch say 19 port untag PVID 19 and PVID 1 port 20 being VLAN 15 tag on port 20 then connect port 17 to 19 and 20 to USG.

  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary

    Thanks Peter,

    In addition to the type of Firewall (USG FLEX 100 in my case), I assume that one of the prerequisites is a Managed Switch.

    Which is not my case.

    Unfortunately.

  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary

    By placing the device to be monitored in a dedicated VLAN could I monitor the traffic between the LAN and the device?!

    So a Smart Managed Switch would be enough for me.

    Right?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 28

    That would be be simple yes by another PC running Wireshark to see the monitored device

    or have another USG as a bridge to monitor the device

Security Highlight