Source interface setting for NetFlow data

NetFlow data can be routed over the HA management interface when the ha-direct option is enabled. Only the primary unit exports flow data; the secondary unit does not send any, whether the cluster is running in A-A or A-P mode.

To route NetFlow data over the HA management interface:
  1. On the primary unit (FortiGate A), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password ENC
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 200
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.111 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  2. On the secondary unit (FortiGate B), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password ENC
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 100
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.112 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  3. On the primary unit (FortiGate A), configure the NetFlow setting:
    (global) # config system netflow
        set collector-ip 10.6.30.59
    end

    When the ha-direct option is enabled in config system ha, FortiOS no longer allows source-ip to be set in config system netflow; the mgmt1 address of the current primary unit is used as the source.

  4. Verify that NetFlow uses the mgmt1 IP:
    (global) # diagnose test application sflowd 3
  5. Verify that the NetFlow packets are being sent by the mgmt1 IP:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
    23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    ^C
    3 packets received by filter
    0 packets dropped by kernel
  6. On the secondary device (FortiGate B), change the priority so that it becomes the primary:
    (global) # config system ha
        set priority 250
    end
  7. Verify the NetFlow status on FortiGate A, which is using the new primary unit's mgmt1 IP:
    (global) # diagnose test application sflowd 3
  8. Verify that the NetFlow packets use the new source IP on FortiGate B:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
    ^C
    3 packets received by filter
    0 packets dropped by kernel
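As an added verification example (not part of the Fortinet document), the following Python checker parses the `diagnose sniffer packet` output from steps 5 and 8 and confirms that every NetFlow datagram left via mgmt1, came from one of the two HA management addresses, and went to the collector on UDP 2055. Because source-ip cannot be pinned once ha-direct is enabled, the exporter address changes on failover (10.6.30.111 to 10.6.30.112 above), so a collector-side allow list that only trusts one unit's mgmt1 address will silently drop flows after a failover; the checker therefore treats either address as valid. The two sample captures are copied from the procedure; the "misconfigured" capture, the function names and the finding messages are constructed for this example.

```python
import re
from dataclasses import dataclass

# Sample captures copied from steps 5 and 8 above: before and after the HA failover.
SNIFFER_BEFORE = """\
interfaces=[any]
filters=[udp and port 2055]
8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
^C
3 packets received by filter
0 packets dropped by kernel
"""

SNIFFER_AFTER = """\
interfaces=[any]
filters=[udp and port 2055]
7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
^C
3 packets received by filter
0 packets dropped by kernel
"""

# Constructed (not from the document): export leaving a data port from a non-management IP,
# which is what a deployment without ha-direct over a dedicated mgmt interface would look like.
SNIFFER_MISCONFIGURED = """\
interfaces=[any]
filters=[udp and port 2055]
5.000000 port1 out 10.6.30.200.4000 -> 10.6.30.59.2055: udp 60
^C
1 packets received by filter
0 packets dropped by kernel
"""

# Expected topology, taken from the configuration in the procedure.
HA_MGMT_IPS = {"10.6.30.111", "10.6.30.112"}   # mgmt1 on FortiGate A and FortiGate B
COLLECTOR = ("10.6.30.59", 2055)
MGMT_IFACE = "mgmt1"

# One packet line of FortiOS sniffer verbosity-4 output: "<ts> <iface> <dir> <src>.<sport> -> <dst>.<dport>: udp <len>"
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_sniffer(text):
    """Return the packet lines of a sniffer capture; header, ^C and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            packets.append(Packet(float(m["ts"]), m["iface"], m["dir"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def check_netflow_export(packets, mgmt_ips=HA_MGMT_IPS, iface=MGMT_IFACE, collector=COLLECTOR):
    """Return a list of findings; an empty list means the export path looks as the procedure expects."""
    findings = []
    if not packets:
        # The secondary never exports, so an empty capture usually means the wrong unit was sniffed.
        findings.append("no NetFlow packets captured: sniff on the primary unit with ha-direct enabled")
        return findings
    for p in packets:
        if p.direction != "out" or p.iface != iface:
            findings.append(f"{p.ts}: packet left via {p.iface} ({p.direction}), expected {iface} out")
        if p.src not in mgmt_ips:
            findings.append(f"{p.ts}: source {p.src} is not an HA management IP {sorted(mgmt_ips)}")
        if (p.dst, p.dport) != collector:
            findings.append(f"{p.ts}: destination {p.dst}:{p.dport} is not the collector {collector}")
    return findings


def exporter_ips(packets):
    """Distinct source addresses seen; after a failover this should be the new primary's mgmt1 IP."""
    return {p.src for p in packets}


if __name__ == "__main__":
    for name, capture in (("before", SNIFFER_BEFORE), ("after", SNIFFER_AFTER),
                          ("misconfigured", SNIFFER_MISCONFIGURED)):
        pkts = parse_sniffer(capture)
        print(name, "exporters:", sorted(exporter_ips(pkts)), "findings:", check_netflow_export(pkts))
```

Running the block against the two captures from the procedure reports no findings and shows the exporter address moving from 10.6.30.111 to 10.6.30.112; the constructed capture reports both the wrong egress interface and a non-management source address.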