Administration Guide

Routing NetFlow data over the HA management interface

In an HA environment, the ha-direct option allows data from services such as syslog, FortiAnalyzer, SNMP, and NetFlow to be routed over the outgoing interface.

The following example shows how NetFlow data can be routed over the HA management interface mgmt1.

To route NetFlow data over the HA management interface:
  1. On the primary unit (FortiGate A), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password *********
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 200
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.111 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  2. On the secondary unit (FortiGate B), configure the HA and mgmt1 interface settings:
    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password *********
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 100
        set ha-direct enable
    end
    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.112 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
  3. On the primary unit (FortiGate A), configure the NetFlow setting:
    (global) # config system netflow
        set collector-ip 10.6.30.59
    end
  4. Verify that NetFlow uses the mgmt1 IP:
    (global) # diagnose test application sflowd 3
  5. Verify that the NetFlow packets are sent from the mgmt1 IP (the command must be the packet sniffer; the output below is sniffer output, and the same command is used in step 8):
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
    23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    ...
    3 packets received by filter
    0 packets dropped by kernel
  6. On the secondary unit (FortiGate B), raise the priority above FortiGate A's so that it becomes the primary:
    (global) # config system ha
        set priority 250
    end
  7. Verify the NetFlow status on FortiGate A, which is using the new primary's mgmt1 IP:
    (global) # diagnose test application sflowd 3
  8. Verify that the NetFlow packets use the new source IP on FortiGate B:
    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
    ^C
    3 packets received by filter
    0 packets dropped by kernel
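Steps 5 and 8 are the checks an operator repeats after every failover: exports must still leave through mgmt1, from the current primary's management IP, to the configured collector. The following added example (not part of the Fortinet guide) parses the verbose-4 sniffer output shown above and flags any NetFlow packet that left through another interface or with another source IP. The sample text is constructed in the page's output format; the third packet line, the port1 interface and the 192.0.2.10 address are constructed to show a violation.

```python
import re
from typing import Dict, List

# One packet line from `diagnose sniffer packet any '...' 4` output
# (verbose level 4 prints the interface name), as shown on this page.
PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)

def parse_sniffer(text: str) -> List[Dict[str, str]]:
    """Return one dict per packet line; header and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets

def check_netflow_path(packets, expected_src, collector_ip,
                       collector_port="2055", mgmt_iface="mgmt1") -> List[str]:
    """Flag outbound NetFlow exports that did not use the HA management path.

    expected_src is the mgmt1 IP of the unit that is currently primary
    (10.6.30.111 before the failover on this page, 10.6.30.112 after it).
    """
    findings = []
    for p in packets:
        if p["dir"] != "out" or p["dport"] != collector_port:
            continue
        problems = []
        if p["iface"] != mgmt_iface:
            problems.append(f"egress interface {p['iface']} != {mgmt_iface}")
        if p["src"] != expected_src:
            problems.append(f"source {p['src']} != {expected_src}")
        if p["dst"] != collector_ip:
            problems.append(f"collector {p['dst']} != {collector_ip}")
        if problems:
            findings.append(f"t={p['ts']}: " + "; ".join(problems))
    return findings

# Constructed sample: two packet lines copied from the page's step 8 output,
# plus a constructed bad packet leaving via port1 with a data-plane source IP.
SAMPLE = """\
interfaces=[any]
filters=[udp and port 2055]
7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
31.100000 port1 out 192.0.2.10.3579 -> 10.6.30.59.2055: udp 60
3 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    for finding in check_netflow_path(parse_sniffer(SAMPLE), "10.6.30.112", "10.6.30.59"):
        print(finding)
```

Run it against the sniffer capture taken after a failover with the new primary's mgmt1 IP as expected_src; an empty result means the export path survived the role change.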