SPAN Configuration for Threat Manager | Feature Education

In This Article


A SPAN (Switched Port Analyzer) configuration, also commonly known as port mirroring, is a configuration option for network switches that makes the switch copy any traffic going through one or more ports on the switch to a destination port for traffic inspection by external tools.

This article describes SPAN configurations in detail and provides information on how to confirm that your configuration is working and that your traffic is being seen by Alert Logic® Threat Manager™.

SPAN Configurations

Port mirroring via SPAN configurations are used largely in physical network environments and are sometimes used in virtual environments.

Network intrusion detection systems such as Threat Manager need to be able to inspect customer network traffic in order to successfully perform their functions. Using a SPAN configuration is a great way to accomplish these requirements.

An alternative to port mirroring for capturing and inspecting traffic is the use of a host-based software agent. Threat Manager supports both port mirroring and agent-based traffic capturing.

The specifics for configuring SPANs varies based on the switch vendor, the network environment, and what traffic needs to be mirrored. You can find details on how to configure your SPAN by consulting the switch vendor's documentation.

Network Configuration

Once you have configured your SPAN and the port is connected to a network interface on a Threat Manager appliance, you will need to specify the networks you wish to monitor within the Alert Logic console. By default, no networks are monitored. Refer to the Threat Manager Detection - Networks documentation for information on creating and specifying your networks.

Confirm That Your SPAN Configuration is Working

Once you have configured your networks in the Alert Logic console, Threat Manager will begin inspecting your traffic for threats. If threats are found, events and incidents will be generated, which will indicate the characteristics of the threat. In production networks with normal amounts of activity, threats will often be detected within hours or minutes of Threat Manager and the SPAN being configured.

Environments that see little activity or are strongly hardened against threats, however, could go days without detected threats. In these cases, it may not be obvious that your SPAN configuration is working successfully. If you are concerned that your SPAN configuration is not working, contact Alert Logic Support and/or SOC teams to confirm that your traffic is being monitored correctly.

Was this article helpful?
2 out of 2 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.