Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.9 Administration Guide
    7.2.9
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Allow multiple Netflow collectors

    Allow multiple Netflow collectors

    FortiOS can be configured with a maximum of six NetFlow collectors. This also applies to multi-VDOM environments where a maximum of six NetFlow collectors can be used globally or on a per-VDOMs basis. This feature enables up to a maximum of six unique parallel NetFlow streams or transmissions per NetFlow sample to six different NetFlow collectors. The NetFlow collector configuration can only be configured in the CLI.

    config system {netflow | vdom-netflow}
    config collectors
        edit <id>
            set collector-ip <IP address>
            set collector-port <port>
            set source-ip <IP address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end
    collector-ip Enter the IPv4 or IPv6 address of the NetFlow collector that NetFlow agents added to interfaces in this VDOM send NetFlow datagrams to.
    collector-port Enter the UDP port number used for sending NetFlow datagrams; only configure if it is required by the NetFlow collector or network configuration (0 - 65535, default = 6343).
    source-ip Enter the source IPv4 or IPv6 address for the NetFlow agent.
    interface-select-method

    Specify how to select the outgoing interface to reach the server.

    • auto: Set the outgoing interface automatically.

    • sdwan: Set the outgoing interface by SD-WAN or policy routing rules.

    • specify: Set the outgoing interface manually.
    interface <interface> Enter the outgoing interface to reach the server.
    Note

    If the interface-select-method is set to auto, the outgoing interface that is used to send the sampled NetFlow traffic to the NetFlow collector is decided by the routing table lookup.

    Example 1: Multiple NetFlow collectors in a non-VDOM environment

    In this example, six NetFlow collectors are configured in a non-VDOM environment with NetFlow sampling on the port1 interface.

    To configure multiple NetFlow collectors:

    1. Configure the NetFlow collectors:

      config system netflow
   config collectors
   set active-flow-timeout 60
   set template-tx-timeout 60
        edit 1
            set collector-ip 172.16.200.155
            set collector-port 2055
            set source-ip 172.16.200.6
            set interface-select-method specify
            set interface "port1"
        next
        edit 2
            set collector-ip 10.1.100.59
            set collector-port 2056
            set source-ip 10.1.100.6
            set interface-select-method specify
            set interface "port2"
        next
        edit 3
            set collector-ip 172.18.60.80
            set collector-port 2057
            set interface-select-method specify
            set interface "port1"
        next
        edit 4
            set collector-ip "172.18.60.1"
            set collector-port 2058
        next
        edit 5
            set collector-ip "172.18.60.3"
            set collector-port 2059
        next
        edit 6
            set collector-ip "172.18.60.4"
            set collector-port 2060
        next
    end
end

    2. Configure NetFlow sampling on port1:

      config system interface
    edit port1
        set netflow-sampler both
    next
end

    3. Verify the NetFlow diagnostics.

      1. Verify the NetFlow configuration status:

        # diagnose test application sflowd 3

===== Netflow Vdom Configuration =====
Global collector(s) active-timeout(seconds):60 inactive-timeout(seconds):15
    Collector id:1: 172.16.200.155[2055] source IP:172.16.200.6
    Collector id:2: 10.1.100.59[2056] source IP:10.1.100.6
    Collector id:3: 172.18.60.80[2057] source IP:
    Collector id:4: 172.18.60.1[2058] source IP:
    Collector id:5: 172.18.60.3[2059] source IP:
    Collector id:6: 172.18.60.4[2060] source IP:
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)
   |_ coll_ip:172.16.200.155:2056,src_ip:172.16.200.6
   |_ coll_ip:10.1.100.59:2057,src_ip:10.1.100.6
   |_ coll_ip:172.18.60.80:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.1:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.3:2059,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.4:2060,src_ip:172.16.200.6
   |_ seq_num:13 pkts/time to next template: 16/29
   |_ exported: Bytes:2533746, Packets:3911, Sessions:70 Flows:70
   |_ active_intf: 1
   |____ interface:port1 sample_direction:both device_index:9 snmp_index:3

      2. Verify the sampled NetFlow traffic packet capture:

        # diagnose sniffer packet any 'udp and port 2056 or 2057 or 2058' 4

filters=[udp and port 2056 or 2057 or 2058]
5.717060 port1 out 172.16.200.6.2472 -> 172.16.200.155.2055: udp 60   
5.717068 port2 out 10.1.100.6.2472 -> 10.1.100.59.2056: udp 60   
5.717075 port1 out 172.16.200.6.2472 -> 172.18.60.80.2057: udp 60   
5.717078 port1 out 172.16.200.6.2472 -> 172.18.60.1.2058: udp 60   
5.717081 port1 out 172.16.200.6.2472 -> 172.18.60.3.2059: udp 60   
5.717085 port1 out 172.16.200.6.2472 -> 172.18.60.4.2060: udp 60

    Example 2: Multiple NetFlow collectors in a multi-VDOM environment

    In this example, six NetFlow collectors are configured in a multi-VDOM environment globally and per VDOM. NetFlow sampling is on the port1 and port4 interfaces.

    Note

    Please note it is not mandatory to set up per-VDOM NetFlow collectors in a multi-vdom environment. However, if you don’t enable per-VDOM collectors, the settings of the global NetFlow Collector will be used instead.
    To configure multiple NetFlow collectors:

    1. Configure the global NetFlow collectors:

      config system netflow
   config collectors
   set active-flow-timeout 60
   set template-tx-timeout 60
        edit 1
            set collector-ip 172.16.200.155
            set collector-port 2055
            set source-ip 172.16.200.6
            set interface-select-method specify
            set interface "port1"
        next
        edit 2
            set collector-ip 10.1.100.59
            set collector-port 2056
            set source-ip 10.1.100.6
            set interface-select-method specify
            set interface "port2"
        next
        edit 3
            set collector-ip 172.18.60.80
            set collector-port 2057
            set interface-select-method specify
            set interface "port1"
        next
        edit 4
            set collector-ip "172.18.60.1"
            set collector-port 2058
        next
        edit 5
            set collector-ip "172.18.60.3"
            set collector-port 2059
        next
        edit 6
            set collector-ip "172.18.60.4"
            set collector-port 2060
        next
    end
end

    2. Configure the per-VDOM NetFlow collectors:

      config system vdom-netflow
    set vdom-netflow enable
    config collectors
        edit 1
            set collector-ip "172.10.100.101"
            set collector-port 2059
        next
        edit 2
            set collector-ip "172.10.100.102"
            set collector-port 2060
        next
        edit 3
            set collector-ip "172.10.100.103"
            set collector-port 2061
        next
        edit 4
            set collector-ip "172.10.100.104"
            set collector-port 2062
        next
        edit 5
            set collector-ip "172.10.100.105"
            set collector-port 2063
        next
        edit 6
            set collector-ip "172.10.100.106"
            set collector-port 2064
        next
    end
end

    3. Configure NetFlow sampling on port1 and port4:

      config system interface
    edit port1
        set netflow-sampler both
    next
    edit port4
        set netflow-sampler both
    next
end
      Note

      In a multi-VDOM environment, ensure the interface selected for NetFlow sampling is in the same VDOM as the per-VDOM NetFlow collector. For global NetFlow collectors, the interface selected for NetFlow sampling should be in the management VDOM.

    4. Verify the NetFlow diagnostics.

      1. Verify the NetFlow configuration status:

        # diagnose test application sflowd 3

===== Netflow Vdom Configuration =====
Global collector(s) active-timeout(seconds):60 inactive-timeout(seconds):15
    Collector id:1: 172.16.200.155[2055] source IP:172.16.200.6
    Collector id:2: 10.1.100.59[2056] source IP:10.1.100.6
    Collector id:3: 172.18.60.80[2057] source IP:
    Collector id:4: 172.18.60.1[2058] source IP:
    Collector id:5: 172.18.60.3[2059] source IP:
    Collector id:6: 172.18.60.4[2060] source IP:
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)
   |_ coll_ip:172.16.200.155:2056,src_ip:172.16.200.6
   |_ coll_ip:10.1.100.59:2057,src_ip:10.1.100.6
   |_ coll_ip:172.18.60.80:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.1:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.3:2059,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.4:2060,src_ip:172.16.200.6
   |_ seq_num:13 pkts/time to next template: 16/29
   |_ exported: Bytes:2533746, Packets:3911, Sessions:70 Flows:70
   |_ active_intf: 1
   |____ interface:port1 sample_direction:both device_index:9 snmp_index:3
____ vdom: vdom1, index=1, is master, collector: enabled
   |_ coll_ip:172.10.100.101:2059,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.102:2060,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.103:2061,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.104:2062,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.105:2063,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.106:2064,src_ip:20.1.100.111
   |_ seq_num:27 pkts/time to next template: 15/18
   |_ exported: Bytes:5040, Packets:60, Sessions:6 Flows:6
   |_ active_intf: 1
   |____ interface:port4 sample_direction:both device_index:12 snmp_index:6

      2. Verify the sampled NetFlow traffic packet capture:

        # diagnose sniffer packet any 'udp and port 2059 or 2060 or 2061 or 2062 or 2063 or 2064' 4

filters=[udp and port 2059 or 2060 or 2061 or 2062 or 2063 or 2064]
7.005812 port4 out 20.1.100.111.2472 -> 172.10.100.101.2059: udp 60
7.005821 port4 out 20.1.100.111.2472 -> 172.10.100.102.2060: udp 60
7.005826 port4 out 20.1.100.111.2472 -> 172.10.100.103.2061: udp 60
7.005830 port4 out 20.1.100.111.2472 -> 172.10.100.104.2062: udp 60
7.005834 port4 out 20.1.100.111.2472 -> 172.10.100.105.2063: udp 60
7.005838 port4 out 20.1.100.111.2472 -> 172.10.100.106.2064: udp 60
    Previous
    Next

    Allow multiple Netflow collectors

    Allow multiple Netflow collectors

    FortiOS can be configured with a maximum of six NetFlow collectors. This also applies to multi-VDOM environments where a maximum of six NetFlow collectors can be used globally or on a per-VDOMs basis. This feature enables up to a maximum of six unique parallel NetFlow streams or transmissions per NetFlow sample to six different NetFlow collectors. The NetFlow collector configuration can only be configured in the CLI.

    config system {netflow | vdom-netflow}
    config collectors
        edit <id>
            set collector-ip <IP address>
            set collector-port <port>
            set source-ip <IP address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end
    collector-ip Enter the IPv4 or IPv6 address of the NetFlow collector that NetFlow agents added to interfaces in this VDOM send NetFlow datagrams to.
    collector-port Enter the UDP port number used for sending NetFlow datagrams; only configure if it is required by the NetFlow collector or network configuration (0 - 65535, default = 6343).
    source-ip Enter the source IPv4 or IPv6 address for the NetFlow agent.
    interface-select-method

    Specify how to select the outgoing interface to reach the server.

    • auto: Set the outgoing interface automatically.

    • sdwan: Set the outgoing interface by SD-WAN or policy routing rules.

    • specify: Set the outgoing interface manually.
    interface <interface> Enter the outgoing interface to reach the server.
    Note

    If the interface-select-method is set to auto, the outgoing interface that is used to send the sampled NetFlow traffic to the NetFlow collector is decided by the routing table lookup.

    Example 1: Multiple NetFlow collectors in a non-VDOM environment

    In this example, six NetFlow collectors are configured in a non-VDOM environment with NetFlow sampling on the port1 interface.

    To configure multiple NetFlow collectors:

    1. Configure the NetFlow collectors:

      config system netflow
   config collectors
   set active-flow-timeout 60
   set template-tx-timeout 60
        edit 1
            set collector-ip 172.16.200.155
            set collector-port 2055
            set source-ip 172.16.200.6
            set interface-select-method specify
            set interface "port1"
        next
        edit 2
            set collector-ip 10.1.100.59
            set collector-port 2056
            set source-ip 10.1.100.6
            set interface-select-method specify
            set interface "port2"
        next
        edit 3
            set collector-ip 172.18.60.80
            set collector-port 2057
            set interface-select-method specify
            set interface "port1"
        next
        edit 4
            set collector-ip "172.18.60.1"
            set collector-port 2058
        next
        edit 5
            set collector-ip "172.18.60.3"
            set collector-port 2059
        next
        edit 6
            set collector-ip "172.18.60.4"
            set collector-port 2060
        next
    end
end

    2. Configure NetFlow sampling on port1:

      config system interface
    edit port1
        set netflow-sampler both
    next
end

    3. Verify the NetFlow diagnostics.

      1. Verify the NetFlow configuration status:

        # diagnose test application sflowd 3

===== Netflow Vdom Configuration =====
Global collector(s) active-timeout(seconds):60 inactive-timeout(seconds):15
    Collector id:1: 172.16.200.155[2055] source IP:172.16.200.6
    Collector id:2: 10.1.100.59[2056] source IP:10.1.100.6
    Collector id:3: 172.18.60.80[2057] source IP:
    Collector id:4: 172.18.60.1[2058] source IP:
    Collector id:5: 172.18.60.3[2059] source IP:
    Collector id:6: 172.18.60.4[2060] source IP:
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)
   |_ coll_ip:172.16.200.155:2056,src_ip:172.16.200.6
   |_ coll_ip:10.1.100.59:2057,src_ip:10.1.100.6
   |_ coll_ip:172.18.60.80:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.1:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.3:2059,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.4:2060,src_ip:172.16.200.6
   |_ seq_num:13 pkts/time to next template: 16/29
   |_ exported: Bytes:2533746, Packets:3911, Sessions:70 Flows:70
   |_ active_intf: 1
   |____ interface:port1 sample_direction:both device_index:9 snmp_index:3

      2. Verify the sampled NetFlow traffic packet capture:

        # diagnose sniffer packet any 'udp and port 2056 or 2057 or 2058' 4

filters=[udp and port 2056 or 2057 or 2058]
5.717060 port1 out 172.16.200.6.2472 -> 172.16.200.155.2055: udp 60   
5.717068 port2 out 10.1.100.6.2472 -> 10.1.100.59.2056: udp 60   
5.717075 port1 out 172.16.200.6.2472 -> 172.18.60.80.2057: udp 60   
5.717078 port1 out 172.16.200.6.2472 -> 172.18.60.1.2058: udp 60   
5.717081 port1 out 172.16.200.6.2472 -> 172.18.60.3.2059: udp 60   
5.717085 port1 out 172.16.200.6.2472 -> 172.18.60.4.2060: udp 60

    Example 2: Multiple NetFlow collectors in a multi-VDOM environment

    In this example, six NetFlow collectors are configured in a multi-VDOM environment globally and per VDOM. NetFlow sampling is on the port1 and port4 interfaces.

    Note

    Please note it is not mandatory to set up per-VDOM NetFlow collectors in a multi-vdom environment. However, if you don’t enable per-VDOM collectors, the settings of the global NetFlow Collector will be used instead.
    To configure multiple NetFlow collectors:

    1. Configure the global NetFlow collectors:

      config system netflow
   config collectors
   set active-flow-timeout 60
   set template-tx-timeout 60
        edit 1
            set collector-ip 172.16.200.155
            set collector-port 2055
            set source-ip 172.16.200.6
            set interface-select-method specify
            set interface "port1"
        next
        edit 2
            set collector-ip 10.1.100.59
            set collector-port 2056
            set source-ip 10.1.100.6
            set interface-select-method specify
            set interface "port2"
        next
        edit 3
            set collector-ip 172.18.60.80
            set collector-port 2057
            set interface-select-method specify
            set interface "port1"
        next
        edit 4
            set collector-ip "172.18.60.1"
            set collector-port 2058
        next
        edit 5
            set collector-ip "172.18.60.3"
            set collector-port 2059
        next
        edit 6
            set collector-ip "172.18.60.4"
            set collector-port 2060
        next
    end
end

    2. Configure the per-VDOM NetFlow collectors:

      config system vdom-netflow
    set vdom-netflow enable
    config collectors
        edit 1
            set collector-ip "172.10.100.101"
            set collector-port 2059
        next
        edit 2
            set collector-ip "172.10.100.102"
            set collector-port 2060
        next
        edit 3
            set collector-ip "172.10.100.103"
            set collector-port 2061
        next
        edit 4
            set collector-ip "172.10.100.104"
            set collector-port 2062
        next
        edit 5
            set collector-ip "172.10.100.105"
            set collector-port 2063
        next
        edit 6
            set collector-ip "172.10.100.106"
            set collector-port 2064
        next
    end
end

    3. Configure NetFlow sampling on port1 and port4:

      config system interface
    edit port1
        set netflow-sampler both
    next
    edit port4
        set netflow-sampler both
    next
end
      Note

      In a multi-VDOM environment, ensure the interface selected for NetFlow sampling is in the same VDOM as the per-VDOM NetFlow collector. For global NetFlow collectors, the interface selected for NetFlow sampling should be in the management VDOM.

    4. Verify the NetFlow diagnostics.

      1. Verify the NetFlow configuration status:

        # diagnose test application sflowd 3

===== Netflow Vdom Configuration =====
Global collector(s) active-timeout(seconds):60 inactive-timeout(seconds):15
    Collector id:1: 172.16.200.155[2055] source IP:172.16.200.6
    Collector id:2: 10.1.100.59[2056] source IP:10.1.100.6
    Collector id:3: 172.18.60.80[2057] source IP:
    Collector id:4: 172.18.60.1[2058] source IP:
    Collector id:5: 172.18.60.3[2059] source IP:
    Collector id:6: 172.18.60.4[2060] source IP:
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)
   |_ coll_ip:172.16.200.155:2056,src_ip:172.16.200.6
   |_ coll_ip:10.1.100.59:2057,src_ip:10.1.100.6
   |_ coll_ip:172.18.60.80:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.1:2058,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.3:2059,src_ip:172.16.200.6
   |_ coll_ip:172.18.60.4:2060,src_ip:172.16.200.6
   |_ seq_num:13 pkts/time to next template: 16/29
   |_ exported: Bytes:2533746, Packets:3911, Sessions:70 Flows:70
   |_ active_intf: 1
   |____ interface:port1 sample_direction:both device_index:9 snmp_index:3
____ vdom: vdom1, index=1, is master, collector: enabled
   |_ coll_ip:172.10.100.101:2059,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.102:2060,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.103:2061,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.104:2062,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.105:2063,src_ip:20.1.100.111
   |_ coll_ip:172.10.100.106:2064,src_ip:20.1.100.111
   |_ seq_num:27 pkts/time to next template: 15/18
   |_ exported: Bytes:5040, Packets:60, Sessions:6 Flows:6
   |_ active_intf: 1
   |____ interface:port4 sample_direction:both device_index:12 snmp_index:6

      2. Verify the sampled NetFlow traffic packet capture:

        # diagnose sniffer packet any 'udp and port 2059 or 2060 or 2061 or 2062 or 2063 or 2064' 4

filters=[udp and port 2059 or 2060 or 2061 or 2062 or 2063 or 2064]
7.005812 port4 out 20.1.100.111.2472 -> 172.10.100.101.2059: udp 60
7.005821 port4 out 20.1.100.111.2472 -> 172.10.100.102.2060: udp 60
7.005826 port4 out 20.1.100.111.2472 -> 172.10.100.103.2061: udp 60
7.005830 port4 out 20.1.100.111.2472 -> 172.10.100.104.2062: udp 60
7.005834 port4 out 20.1.100.111.2472 -> 172.10.100.105.2063: udp 60
7.005838 port4 out 20.1.100.111.2472 -> 172.10.100.106.2064: udp 60
    Previous
    Next