Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Netflow and IPFIX support

You can configure Netflow (v1, v5, and v9) and IP Flow Information Export (IPFIX) on managed FortiSwitch units on switch controller. The resulting data are available in FortiView and to FortiAnalyzer for traffic statistics and topology views. Traffic sampling data can be used to show which users and device behind a switch are generating the most traffic.

The following CLI can be used to configure flow-tracking parameters:

config system flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <integer>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set collector-ip <ip_address>
    set collector-port <integer>
    set transport {udp | tcp | sctp}
    set level {vlan | ip | port | proto}
    set max-export-pkt-size <integer>
    set timeout-general <integer>
    set timeout-icmp <integer>
    set timeout-max <integer>
    set timeout-tcp <integer>
    set timeout-tcp-fin <integer>
    set timeout-tcp-rst <integer>
    set timeout-udp <integer>
    config aggregates
        edit <id>
            set ip <ip_address>
        next
    end
end

Variable

Description

sample-mode {local | perimeter | device-ingress}

Sample mode for flow tracking.

  • local: Sample on the specific FortiSwitch port. Sampling must be enabled on the specific FortiSwitch ports using the config switch-controller managed-switch and config ports commands.
  • perimeter: Sample on all non-fabric FortiSwitch ports, including the access and FortiLink ports, but not the FortiLink ISL port.
  • device-ingress: Sample on all FortiSwitch ports.
sample-rate <integer> Sample rate for the perimeter and device-ingress sampling (0 - 99999, default = 512).
format {netflow1 | netflow5 | netflow9 | ipfix} Flow tracking protocol (default = netflow9).
collector-ip <ip_address>

Collector IP address.

An all-zero IP address implies the feature is disabled

collector-port <integer> Collector port number (0 - 65535, default=0).
transport {udp | tcp | sctp} L4 transport protocol for exporting packets (default = udp).
level {vlan | ip | port | proto}

Flow tracking level.

  • vlan: Collect srcip/dstip/srcport/dstport/protocol/tos/vlan from the sample packet.
  • ip: Collect srcip/dstip from the sample packet (default).
  • port: Collect srcip/dstip/srcport/dstport/protocol from the sample packet.
  • proto: Collect srcip/dstip/protocol from the sample packet.
max-export-pkt-size <integer> Flow maximum export packet size, in bytes (512 - 9216, default = 512).
timeout-general <integer> Flow session general timeout, in seconds (60 - 604800, default = 3600).
timeout-icmp <integer> Flow session ICMP timeout, in seconds (60 - 604800, default = 300).
timeout-max <integer> Flow session maximum timeout, in seconds (60 - 604800, default = 604800).
timeout-tcp <integer> Flow session TCP timeout, in seconds (60 - 604800, default = 3600).
timeout-tcp-fin <integer> Flow session TCP FIN timeout, in seconds (60 - 604800, default = 300).
timeout-tcp-rst <integer> Flow session TCP RST timeout, in seconds (60 - 604800, default = 120).
timeout-udp <integer> Flow session UDP timeout, in seconds (60 - 604800, default = 300).

config aggregates subcommand:

Aggregates in which all traffic sessions matching the IP address will be grouped into the same flow.

ip <ip_address>

IP address to group all matching traffic sessions to a flow.

Netflow and IPFIX support

You can configure Netflow (v1, v5, and v9) and IP Flow Information Export (IPFIX) on managed FortiSwitch units on switch controller. The resulting data are available in FortiView and to FortiAnalyzer for traffic statistics and topology views. Traffic sampling data can be used to show which users and device behind a switch are generating the most traffic.

The following CLI can be used to configure flow-tracking parameters:

config system flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <integer>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set collector-ip <ip_address>
    set collector-port <integer>
    set transport {udp | tcp | sctp}
    set level {vlan | ip | port | proto}
    set max-export-pkt-size <integer>
    set timeout-general <integer>
    set timeout-icmp <integer>
    set timeout-max <integer>
    set timeout-tcp <integer>
    set timeout-tcp-fin <integer>
    set timeout-tcp-rst <integer>
    set timeout-udp <integer>
    config aggregates
        edit <id>
            set ip <ip_address>
        next
    end
end

Variable

Description

sample-mode {local | perimeter | device-ingress}

Sample mode for flow tracking.

  • local: Sample on the specific FortiSwitch port. Sampling must be enabled on the specific FortiSwitch ports using the config switch-controller managed-switch and config ports commands.
  • perimeter: Sample on all non-fabric FortiSwitch ports, including the access and FortiLink ports, but not the FortiLink ISL port.
  • device-ingress: Sample on all FortiSwitch ports.
sample-rate <integer> Sample rate for the perimeter and device-ingress sampling (0 - 99999, default = 512).
format {netflow1 | netflow5 | netflow9 | ipfix} Flow tracking protocol (default = netflow9).
collector-ip <ip_address>

Collector IP address.

An all-zero IP address implies the feature is disabled

collector-port <integer> Collector port number (0 - 65535, default=0).
transport {udp | tcp | sctp} L4 transport protocol for exporting packets (default = udp).
level {vlan | ip | port | proto}

Flow tracking level.

  • vlan: Collect srcip/dstip/srcport/dstport/protocol/tos/vlan from the sample packet.
  • ip: Collect srcip/dstip from the sample packet (default).
  • port: Collect srcip/dstip/srcport/dstport/protocol from the sample packet.
  • proto: Collect srcip/dstip/protocol from the sample packet.
max-export-pkt-size <integer> Flow maximum export packet size, in bytes (512 - 9216, default = 512).
timeout-general <integer> Flow session general timeout, in seconds (60 - 604800, default = 3600).
timeout-icmp <integer> Flow session ICMP timeout, in seconds (60 - 604800, default = 300).
timeout-max <integer> Flow session maximum timeout, in seconds (60 - 604800, default = 604800).
timeout-tcp <integer> Flow session TCP timeout, in seconds (60 - 604800, default = 3600).
timeout-tcp-fin <integer> Flow session TCP FIN timeout, in seconds (60 - 604800, default = 300).
timeout-tcp-rst <integer> Flow session TCP RST timeout, in seconds (60 - 604800, default = 120).
timeout-udp <integer> Flow session UDP timeout, in seconds (60 - 604800, default = 300).

config aggregates subcommand:

Aggregates in which all traffic sessions matching the IP address will be grouped into the same flow.

ip <ip_address>

IP address to group all matching traffic sessions to a flow.