Fortinet Document Library

Version:


Table of Contents

New Features

6.4.0
Download PDF
Copy Link

Source interface setting for NetFlow data

NetFlow data can be routed over the HA management interface when the ha-direct option is enabled. The secondary unit does not send out any flow data whether it is running in A-A or A-P.

To route NetFlow data over the HA management interface:
  1. On the primary unit (FortiGate A), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password ENC
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 200
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.111 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  2. On the secondary unit (FortiGate B), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password ENC
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 100
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.112 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  3. On the primary unit (FortiGate A), configure the NetFlow setting:
    (global) # config system netflow
        set collector-ip 10.6.30.59
    end

    When the ha-direct option is enabled in config system ha, FortiOS is no longer allowed to set source-ip in config system netflow.

  4. Verify that NetFlow uses the mgmt1 IP:
    (global) # diagnose test application sflowd 3
  5. Verify that the NetFlow packets are being sent by the mgmt1 IP:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
    23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    ^C
    3 packets received by filter
    0 packets dropped by kernel
  6. On the secondary device (FortiGate B), change the priority so that it becomes the primary:
    (global) # config system ha
        set priority 250
    end
  7. Verify the NetFlow status on FortiGate A, which is using the new primary unit's mgmt1 IP:
    (global) # diagnose test application sflowd 3
  8. Verify that the NetFlow packets use the new source IP on FortiGate B:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
    ^C
    3 packets received by filter
    0 packets dropped by kernel

Source interface setting for NetFlow data

NetFlow data can be routed over the HA management interface when the ha-direct option is enabled. The secondary unit does not send out any flow data whether it is running in A-A or A-P.

To route NetFlow data over the HA management interface:
  1. On the primary unit (FortiGate A), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password ENC
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 200
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.111 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  2. On the secondary unit (FortiGate B), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password ENC
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 100
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.112 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  3. On the primary unit (FortiGate A), configure the NetFlow setting:
    (global) # config system netflow
        set collector-ip 10.6.30.59
    end

    When the ha-direct option is enabled in config system ha, FortiOS is no longer allowed to set source-ip in config system netflow.

  4. Verify that NetFlow uses the mgmt1 IP:
    (global) # diagnose test application sflowd 3
  5. Verify that the NetFlow packets are being sent by the mgmt1 IP:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
    23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    ^C
    3 packets received by filter
    0 packets dropped by kernel
  6. On the secondary device (FortiGate B), change the priority so that it becomes the primary:
    (global) # config system ha
        set priority 250
    end
  7. Verify the NetFlow status on FortiGate A, which is using the new primary unit's mgmt1 IP:
    (global) # diagnose test application sflowd 3
  8. Verify that the NetFlow packets use the new source IP on FortiGate B:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
    ^C
    3 packets received by filter
    0 packets dropped by kernel