Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

NetFlow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis. NetFlow samplers, that sample every packet, are configured per interface. Full NetFlow is supported through the information maintained in the firewall session.

To configure NetFlow:
config system netflow
    set collector-ip <ip>
    set collector-port <port>
    set source-ip <ip>
    set active-flow-timeout <integer>
    set inactive-flow-timeout <integer>
    set template-tx-timeout <integer>
    set template-tx-counter <integer>
end

collector-ip <ip>

Collector IP address.

collector-port <port>

NetFlow collector port number (0 - 65535)

source-ip <ip>

Source IP address, for communication with the NetFlow agent.

active-flow-timeout <integer>

Timeout to report active flows, in minutes (1 - 60, default = 30).

inactive-flow-timeout <integer>

Timeout for periodic report of finished flows, in seconds (10 - 600, default = 15).

template-tx-timeout <integer>

Timeout for periodic template flowset transmission, in minutes (1 - 1440, default = 30).

template-tx-counter <integer>

Counter of flowset records, before resending a template flowset record (10 - 6000, default = 20).

To configure NetFlow in a specific VDOM:
config vdom
    edit <vdom>
        config system vdom-netflow
            set vdom-netflow enable
            set collector-ip <ip>
            set collector-port <port>
            set source-ip <ip>
        end
    next
end
To configure a NetFlow sampler on an interface:
config system interface
    edit <interface>
        set netflow-sampler {disable | tx | rx | both}
    next
end

disable

Disable the NetFlow protocol on this interface (default).

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

Verification and troubleshooting

If data are not seen on the NetFlow collector after it has been configured, use the following sniffer commands to verify if the FortiGate and the collector are communicating:

  • By collector port:

    # diagnose sniffer packet 'port <collector-port>'  6 0 a
  • By collector IP address:

    # diagnose sniffer packet 'host <collector-ip>' 6 0 a

NetFlow uses the sflow daemon. The current NetFlow configuration can be viewed using test level 3 or 4:

# diagnose test application sflowd 3
# diagnose test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max count:71950

NetFlow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis. NetFlow samplers, that sample every packet, are configured per interface. Full NetFlow is supported through the information maintained in the firewall session.

To configure NetFlow:
config system netflow
    set collector-ip <ip>
    set collector-port <port>
    set source-ip <ip>
    set active-flow-timeout <integer>
    set inactive-flow-timeout <integer>
    set template-tx-timeout <integer>
    set template-tx-counter <integer>
end

collector-ip <ip>

Collector IP address.

collector-port <port>

NetFlow collector port number (0 - 65535)

source-ip <ip>

Source IP address, for communication with the NetFlow agent.

active-flow-timeout <integer>

Timeout to report active flows, in minutes (1 - 60, default = 30).

inactive-flow-timeout <integer>

Timeout for periodic report of finished flows, in seconds (10 - 600, default = 15).

template-tx-timeout <integer>

Timeout for periodic template flowset transmission, in minutes (1 - 1440, default = 30).

template-tx-counter <integer>

Counter of flowset records, before resending a template flowset record (10 - 6000, default = 20).

To configure NetFlow in a specific VDOM:
config vdom
    edit <vdom>
        config system vdom-netflow
            set vdom-netflow enable
            set collector-ip <ip>
            set collector-port <port>
            set source-ip <ip>
        end
    next
end
To configure a NetFlow sampler on an interface:
config system interface
    edit <interface>
        set netflow-sampler {disable | tx | rx | both}
    next
end

disable

Disable the NetFlow protocol on this interface (default).

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

Verification and troubleshooting

If data are not seen on the NetFlow collector after it has been configured, use the following sniffer commands to verify if the FortiGate and the collector are communicating:

  • By collector port:

    # diagnose sniffer packet 'port <collector-port>'  6 0 a
  • By collector IP address:

    # diagnose sniffer packet 'host <collector-ip>' 6 0 a

NetFlow uses the sflow daemon. The current NetFlow configuration can be viewed using test level 3 or 4:

# diagnose test application sflowd 3
# diagnose test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max count:71950