What SecurityBox-Network Needs
SecurityBox-Network is a physical or virtual appliance deployed on your corporate network. It has two network interfaces:
Port 1 — Management Interface. Connect this to a standard user VLAN. This is how the appliance communicates with cloud services, receives updates, and sends risk assessment data. It needs a normal IP address and internet access.
Port 2 — Monitoring Interface. Connect this to a port mirror (SPAN port) on your firewall or edge switch. This interface operates in promiscuous mode — it captures traffic but does not transmit. It has no IP address.
The monitoring interface requires bidirectional traffic (both ingress and egress) from your perimeter device. This gives SecurityBox the same visibility that any NDR sensor would need — full network traffic analysis for lateral movement detection, C2 beaconing, and behavioral anomaly detection.
Choosing Where to Mirror
The port mirror should be configured on a perimeter or edge device — typically your firewall or the switch directly connected to it. This captures traffic entering and leaving your network, which is the most valuable vantage point for threat detection.
Common mirror sources:
- Firewall uplink port — captures all traffic crossing the perimeter
- Core switch trunk port — captures inter-VLAN traffic
- Edge switch uplink — captures traffic between the LAN and the firewall
Cisco IOS Switches
Cisco calls port mirroring SPAN (Switched Port Analyzer). This is the most straightforward configuration.
configure terminal
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
exit
Replace GigabitEthernet0/1 with your source (e.g., the firewall uplink) and GigabitEthernet0/24 with the port connected to SecurityBox’s monitoring interface. The both keyword captures traffic in both directions.
Verify with show monitor session 1.
If SecurityBox is on a different switch than the mirror source, use RSPAN — this mirrors traffic across switches using a dedicated VLAN. Create a VLAN with remote-span on all participating switches, then configure the source switch to mirror into that VLAN and the destination switch to mirror out of it.
Cisco Meraki
Meraki configures port mirroring through the cloud dashboard:
- Go to Switching > Switch Ports
- Select the destination port (connected to SecurityBox)
- Set the port type to Mirror
- Select the source port(s) to mirror
Meraki mirrors bidirectional traffic automatically. Only local (same-switch) mirroring is supported — the source and destination ports must be on the same Meraki switch.
Fortinet FortiGate
FortiGate supports SPAN on its built-in switch interfaces. For a single source port on a hardware switch:
config system virtual-switch
edit "lan"
set span enable
set span-source-port "port3"
set span-dest-port "port4"
set span-direction both
next
end
To mirror multiple source ports, you need a software switch instead:
config system switch-interface
edit "monitor-sw"
set member "port5" "port6" "port7"
set span enable
set span-source-port "port5" "port6"
set span-dest-port "port7"
set span-direction both
next
end
Set span-direction to both for bidirectional capture. The destination port becomes dedicated to mirroring and cannot carry regular traffic.
Palo Alto Networks
Palo Alto uses a packet capture mechanism rather than traditional SPAN. Configure via the GUI:
- Go to Device > Setup > Content-ID
- Click the gear icon next to Packet Capture
- Set Source Interfaces (e.g., ethernet1/1)
- Set Direction to both
- Set Capture Interface to the port connected to SecurityBox
- Set Packet Stage to receive (captures traffic before firewall rules — recommended for NDR)
- Click OK and Commit
Or via CLI:
configure
set deviceconfig setting inspection capture-interface ethernet1/8
set deviceconfig setting inspection direction both
set deviceconfig setting inspection stage-receive ethernet1/1
commit
Palo Alto supports only one capture destination per firewall.
Virtual Deployments
If SecurityBox-Network is deployed as a virtual machine, the monitoring interface requires special configuration. The virtual switch connected to the monitoring interface must be in promiscuous mode and must not be shared with production VMs. This is a hard requirement — the same as any NDR sensor in a virtual environment.
VMware vSphere
- Create a dedicated port group for monitoring (e.g., “SecurityBox-Monitor”)
- Under the port group’s Security settings, set Promiscuous Mode to Accept
- Assign SecurityBox’s monitoring NIC to this port group
- Do not attach any other VMs to this port group
The physical uplink for this port group should be connected to your SPAN destination port. Set VLAN ID to 4095 (trunk) if you need to preserve VLAN tags.
Microsoft Hyper-V
# Set SecurityBox monitoring NIC as mirror destination
Set-VMNetworkAdapter -VMName "SecurityBox" -Name "Monitor-NIC" -PortMirroring Destination
# Set source VM(s)
Set-VMNetworkAdapter -VMName "Router-VM" -Name "Network Adapter" -PortMirroring Source
Multiple source VMs can mirror to a single SecurityBox destination. All VMs must be on the same virtual switch. Hyper-V mirrors bidirectional traffic automatically.
Proxmox / KVM
Use Open vSwitch (OVS) to configure mirroring:
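# Resolve the Port record first: output-port takes a Port reference, not a bare interface name
ovs-vsctl -- --id=@p get Port vnet5 \
-- --id=@m create Mirror name=securitybox-monitor \
select-all=true \
output-port=@p \
-- add Bridge vmbr0 mirrors @m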
Replace vnet5 with SecurityBox’s monitoring interface and vmbr0 with your bridge. OVS mirrors do not persist across reboots — add the command to /etc/rc.local or a systemd service.
If you are using a standard Linux bridge instead of OVS, set bridge_ageing 0 on the bridge to flood all traffic to all ports, effectively turning it into a hub.
Other Supported Platforms
Port mirroring is a standard feature on most enterprise network equipment. If your environment uses a platform not listed above, here is a quick reference:
| Platform | Configuration Path | Notes |
|---|---|---|
| Juniper EX | forwarding-options analyzer | Separate ingress/egress specification; use both for bidirectional |
| Aruba / HPE | mirror-port + monitor CLI commands | Supports local and remote mirroring |
| Ubiquiti UniFi | Switch Ports > Edit > Mirroring | GUI-only configuration via UniFi controller |
| SonicWall | Network > Switching > Port Mirroring | Supports ingress, egress, or both; one active group per direction |
| pfSense / OPNsense | Interfaces > Bridges > SPAN port | Requires bridge configuration; limited compared to dedicated switches |
Verifying Your Mirror
Once SecurityBox is connected, verify that the monitoring interface is receiving traffic:
tcpdump -i eth1 -nn -c 100
If you see packets, the mirror is working. If not, check:
- Source and destination ports — are the correct ports configured?
- Direction — is bidirectional (both) enabled?
- Cable — is the monitoring interface physically connected?
- VLAN trunking — if using RSPAN or VLANs, is the VLAN allowed on all trunk links?
For virtual deployments, confirm promiscuous mode is enabled on the correct port group and that SecurityBox’s monitoring NIC is attached to it.
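Seeing packets does not by itself show that both directions are mirrored. The script below is an added example, not part of the original page or of SecurityBox tooling: it reads `tcpdump -nn` text and counts IPv4 packets by direction. The function names are hypothetical, "internal" is assumed to mean RFC 1918 address space, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: direction check for a SPAN capture (hypothetical helper names).
# Reads `tcpdump -nn` text on stdin; "internal" = RFC 1918 space (assumption).
mirror_direction_counts() {
    awk '
    function ipv4(tok,   p) {            # drop trailing ":" and any ".port"
        sub(/:$/, "", tok)
        if (split(tok, p, ".") < 4) return ""
        return p[1] "." p[2] "." p[3] "." p[4]
    }
    function internal(ip) {
        return ip ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/
    }
    {
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF - 3 || $(i + 2) != ">") next      # ARP, IPv6, STP, ...
        src = ipv4($(i + 1)); dst = ipv4($(i + 3))
        if (src == "" || dst == "") next
        s = internal(src); d = internal(dst)
        if (s && !d) out++
        else if (!s && d) inb++
        else if (s && d) lan++
        else ext++
    }
    END { printf "outbound=%d inbound=%d internal=%d external=%d\n", out, inb, lan, ext }'
}
mirror_verdict() {
    counts=$(mirror_direction_counts)
    case "$counts" in
        "outbound=0 inbound=0 "*) echo "NO_PERIMETER_TRAFFIC" ;;
        "outbound=0 "*)           echo "INBOUND_ONLY" ;;
        *" inbound=0 "*)          echo "OUTBOUND_ONLY" ;;
        *)                        echo "BIDIRECTIONAL" ;;
    esac
}
sample_capture() {   # constructed lines in tcpdump -nn format, not real traffic
    cat <<'EOF'
12:00:00.000001 IP 10.20.0.15.51514 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.010002 IP 203.0.113.10.443 > 10.20.0.15.51514: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:00.020003 IP 10.20.0.15 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:00.030004 IP 198.51.100.7 > 10.20.0.15: ICMP echo reply, id 1, seq 1, length 64
12:00:00.040005 IP 10.20.0.15.137 > 10.20.0.255.137: UDP, length 50
12:00:00.050006 ARP, Request who-has 10.20.0.1 tell 10.20.0.15, length 28
EOF
}
# Live use on the appliance: tcpdump -i eth1 -nn -c 1000 | mirror_verdict
sample_capture | mirror_verdict
```

A result of INBOUND_ONLY or OUTBOUND_ONLY points to a mirror session configured for one direction only. If the mirror source sits outside the NAT boundary, internal addresses never appear, so change the pattern in `internal()` to your public range.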
Pre-Deployment Checklist
- Identify the perimeter device (firewall or edge switch) for the mirror source
- Allocate a dedicated port on that device for the SPAN destination
- Configure bidirectional mirroring with the commands above
- Connect SecurityBox’s management interface to a user VLAN with internet access
- Connect SecurityBox’s monitoring interface to the SPAN destination port
- For virtual deployments: create a dedicated vSwitch/port group in promiscuous mode
- Verify traffic with tcpdump on the monitoring interface
- Confirm you see both inbound and outbound traffic
Typical deployment takes under an hour. If you need assistance, contact us and we will walk you through the configuration for your specific environment.