Source interface setting for NetFlow data
NetFlow data can be routed over the HA management interface when the ha-direct option is enabled. Only the primary unit exports flow data; the secondary unit does not send any flow data, whether the cluster is running in A-A or A-P mode.
To route NetFlow data over the HA management interface:
- On the primary unit (FortiGate A), configure the HA and mgmt1 interface settings:
(global) # config system ha
    set group-name "test-ha"
    set mode a-p
    set password ENC
    set hbdev "port6" 50
    set hb-interval 4
    set hb-lost-threshold 10
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
        next
    end
    set override enable
    set priority 200
    set ha-direct enable
end

(global) # config system interface
    edit "mgmt1"
        set ip 10.6.30.111 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 1
    next
end
- On the secondary unit (FortiGate B), configure the HA and mgmt1 interface settings:
(global) # config system ha
    set group-name "test-ha"
    set mode a-p
    set password ENC
    set hbdev "port6" 50
    set hb-interval 4
    set hb-lost-threshold 10
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
        next
    end
    set override enable
    set priority 100
    set ha-direct enable
end

(global) # config system interface
    edit "mgmt1"
        set ip 10.6.30.112 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 1
    next
end
- On the primary unit (FortiGate A), configure the NetFlow setting:
(global) # config system netflow
    set collector-ip 10.6.30.59
end

When the ha-direct option is enabled in config system ha, FortiOS no longer allows source-ip to be set in config system netflow; the NetFlow source address is taken from the HA management interface of whichever unit is currently primary.
- Verify that NetFlow uses the mgmt1 IP:
(global) # diagnose test application sflowd 3
- Verify that the NetFlow packets are being sent by the mgmt1 IP:
(vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
interfaces=[any]
filters=[udp and port 2055]
8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
^C
3 packets received by filter
0 packets dropped by kernel
- On the secondary device (FortiGate B), change the priority so that it becomes the primary:
(global) # config system ha
    set priority 250
end
- Verify the NetFlow status on FortiGate A, which is using the new primary unit's mgmt1 IP:
(global) # diagnose test application sflowd 3
- Verify that the NetFlow packets use the new source IP on FortiGate B:
(vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
interfaces=[any]
filters=[udp and port 2055]
7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
^C
3 packets received by filter
0 packets dropped by kernel
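The two sniffer captures above are the evidence that the export source follows the primary role: before the priority change the packets leave from 10.6.30.111, afterwards from 10.6.30.112. The following script is an added example, not part of the FortiOS documentation or Fortinet's own tooling; it parses saved output in the verbosity-4 sniffer format shown on this page and checks that every NetFlow packet leaves mgmt1, from the expected unit's mgmt1 IP, towards the configured collector on UDP 2055. The two sample captures embedded in it are constructed from the document's own output and addresses.

```python
"""Offline check of FortiGate sniffer output for NetFlow export over HA mgmt1.

Added example (not FortiOS code). Parses lines in the format produced by
`diagnose sniffer packet any 'udp and port 2055' 4` and verifies the source
interface, source IP and collector of each exported NetFlow packet.
"""
import re
from dataclasses import dataclass

# Verbosity-4 sniffer line: "<time> <iface> <dir> <src>.<sport> -> <dst>.<dport>: udp <len>"
SNIFFER_LINE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)\s*$"
)

# Constructed sample captures, mirroring the document's output before and after failover.
BEFORE_FAILOVER = """\
interfaces=[any]
filters=[udp and port 2055]
8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
^C
3 packets received by filter
0 packets dropped by kernel
"""
AFTER_FAILOVER = """\
interfaces=[any]
filters=[udp and port 2055]
7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
^C
3 packets received by filter
0 packets dropped by kernel
"""


@dataclass(frozen=True)
class FlowPacket:
    time: float
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_sniffer(text: str) -> list[FlowPacket]:
    """Extract packet lines; the banner, ^C and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            packets.append(FlowPacket(
                float(m["time"]), m["iface"], m["direction"],
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                int(m["length"]),
            ))
    return packets


def check_netflow_export(packets, expected_src, collector_ip,
                         mgmt_iface="mgmt1", collector_port=2055):
    """Return one finding string per problem; an empty list means the export looks right."""
    if not packets:
        return ["no NetFlow packets captured"]
    findings = []
    for p in packets:
        if p.iface != mgmt_iface or p.direction != "out":
            findings.append(f"{p.time}: left {p.iface}/{p.direction}, expected {mgmt_iface}/out")
        if p.src != expected_src:
            findings.append(f"{p.time}: source {p.src}, expected {expected_src}")
        if p.dst != collector_ip or p.dport != collector_port:
            findings.append(f"{p.time}: destination {p.dst}:{p.dport}, "
                            f"expected {collector_ip}:{collector_port}")
    return findings


def source_ips(packets) -> set[str]:
    """Distinct source addresses seen; useful for spotting the failover transition."""
    return {p.src for p in packets}


if __name__ == "__main__":
    for label, capture, expected in (("before failover", BEFORE_FAILOVER, "10.6.30.111"),
                                     ("after failover", AFTER_FAILOVER, "10.6.30.112")):
        pkts = parse_sniffer(capture)
        print(label, "sources:", sorted(source_ips(pkts)),
              "findings:", check_netflow_export(pkts, expected, "10.6.30.59") or "none")
```

Running the post-failover capture against the pre-failover expectation reports a source mismatch for every packet, which is the practical point of the two captures: because the export source changes from one mgmt1 address to the other on failover, the collector and any firewall in front of it must accept flows from both units' mgmt1 IPs, or flow data is silently lost after a role change.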