The port mirroring function is not license-controlled.
Limitations for hardware chip-based port mirroring
A maximum of two observing ports can be configured. Each observing port can be configured with a maximum of eight mirrored ports.
The management port, HA port, and Eth-Trunk interface and sub-interface cannot be used as mirrored ports or observing ports.
Hardware chip-based 5-tuple packet capture and hardware chip-based port mirroring are mutually exclusive and cannot be configured at the same time.
When hardware chip-based port mirroring is configured, a maximum of 10 rules can be configured in a referenced ACL. In addition, only the 5-tuple (only individual port numbers are allowed in the 5-tuple) and TCP flag bit (tcp-flag) can be configured. The TCP flag bit does not contain the established bit.
Other Limitations
The mirrored port and mirroring port must be Ethernet interfaces.
The port mirroring function captures only ARP packets destined for the firewall. It does not capture ARP packets originated by the firewall, such as ARP requests and gratuitous ARP packets.
For CPU port mirroring, the management port, HA port, and Eth-Trunk interface and sub-interface cannot be used as mirrored ports or observing ports.
The observing port and the packet analysis equipment must be directly connected.
Enabling port mirroring occupies bandwidth resources, degrades service processing performance, and may even affect services in severe cases. You must disable this function after using it.
When using port mirroring, reference an ACL to set a traffic mirroring range to protect other services against heavy mirrored traffic.
One interface cannot function as both the mirroring port and the observing port.
The mirroring port must be added to security zones, and security policies must be configured for it to ensure normal network communication. The observing port does not need to be added to security zones or have security policies configured.
The FW supports MPU CPU-based and hardware chip-based port mirroring. FW packets first pass through the NP chip and are then sent to the MPU CPU. Because the hardware fast forwarding function is enabled by default, only some traffic is sent to the CPU. Hardware chip-based port mirroring therefore captures packets more comprehensively. It also reduces CPU usage and is therefore recommended.
The hardware chip-based port mirroring supports IPv6. The MPU CPU-based port mirroring does not support IPv6.
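The limits above can be checked before a change window. The following is an added example, not vendor code: a lint for a planned hardware chip-based mirroring session. The plan layout (dict keys, role labels, field names) and the shortened interface names are assumptions of this example, not a device format.

```python
# Added example: pre-change lint for a hardware chip-based port mirroring plan.
# Plan layout and role labels are assumptions of this example, not a device format.
ACL_KEYS = {"protocol", "src_ip", "dst_ip", "src_port", "dst_port", "tcp_flag"}

def lint_mirroring_plan(plan):
    """Return a list of violations of the limits listed on this page."""
    errs = []
    roles = plan["interface_roles"]        # interface name -> role label
    observers = plan["observing_ports"]    # observing port -> its mirrored ports
    all_mirrored = {m for ports in observers.values() for m in ports}
    if plan.get("five_tuple_capture"):
        errs.append("5-tuple packet capture and port mirroring are mutually exclusive")
    if len(observers) > 2:
        errs.append("more than two observing ports")
    for obs, mirrored in observers.items():
        if len(mirrored) > 8:
            errs.append(f"{obs}: more than eight mirrored ports")
        if obs in all_mirrored:
            errs.append(f"{obs}: used as both mirrored and observing port")
        for name in {obs, *mirrored}:
            role = roles.get(name, "unknown")
            if role != "ethernet":  # rejects management, HA, Eth-Trunk, sub-interface
                errs.append(f"{name}: {role} interface cannot be mirrored or observing")
    rules = plan.get("acl_rules", [])
    if not rules:
        errs.append("no ACL referenced: mirroring range is unbounded")
    if len(rules) > 10:
        errs.append("referenced ACL has more than 10 rules")
    for i, rule in enumerate(rules):
        extra = set(rule) - ACL_KEYS
        if extra:
            errs.append(f"rule {i}: unsupported match fields {sorted(extra)}")
        for key in ("src_port", "dst_port"):
            if key in rule and not isinstance(rule[key], int):
                errs.append(f"rule {i}: {key} must be an individual port number")
        if "established" in rule.get("tcp_flag", []):
            errs.append(f"rule {i}: tcp-flag cannot include established")
    return errs

# Constructed sample plans; interface names and addresses are illustrative.
ROLES = {"GE1/0/1": "ethernet", "GE1/0/2": "ethernet", "GE1/0/3": "ethernet",
         "GE0/0/0": "management", "Eth-Trunk1": "eth-trunk"}
GOOD_PLAN = {"interface_roles": ROLES,
             "observing_ports": {"GE1/0/3": ["GE1/0/1", "GE1/0/2"]},
             "acl_rules": [{"protocol": "tcp", "dst_ip": "192.0.2.10",
                            "dst_port": 443, "tcp_flag": ["syn"]}]}
BAD_PLAN = {"interface_roles": ROLES, "five_tuple_capture": True,
            "observing_ports": {"GE1/0/3": ["GE1/0/1", "Eth-Trunk1", "GE1/0/3"]},
            "acl_rules": [{"protocol": "tcp", "dst_port": "8000-8100",
                           "tcp_flag": ["established"]}]}
```

An empty result from lint_mirroring_plan means the plan stays within the listed limits; it does not replace the reminder to disable mirroring once the capture is done.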