
Administration Guide

NetFlow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis. NetFlow samplers, which sample every packet, are configured per interface. Full NetFlow is supported through the information maintained in the firewall session.

To configure NetFlow:
config system netflow
    set active-flow-timeout <integer>
    set inactive-flow-timeout <integer>
    set template-tx-timeout <integer>
    set template-tx-counter <integer>
    config collectors
        edit <id>
            set collector-ip <IP address>
            set collector-port <port>
            set source-ip <IP address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end
Note

The source-ip-interface and source-ip commands are unavailable for NetFlow configurations when ha-direct is enabled (see config system ha in the CLI Reference guide).

The source-ip-interface and source-ip commands are also mutually exclusive; they cannot be used at the same time, but one or the other can be used together with the interface-select-method command.

active-flow-timeout <integer>

Timeout to report active flows, in seconds (60 - 3600, default = 1800).

inactive-flow-timeout <integer>

Timeout for periodic report of finished flows, in seconds (10 - 600, default = 15).

template-tx-timeout <integer>

Timeout for periodic template flowset transmission, in seconds (60 - 86400, default = 1800).

template-tx-counter <integer>

Counter of flowset records, before resending a template flowset record (10 - 6000, default = 20).

collector-ip <ip>

Collector IPv4 or IPv6 address.

collector-port <port>

NetFlow collector port number (0 - 65535).

source-ip <ip>

Source IPv4 or IPv6 address, for communication with the NetFlow agent.

interface-select-method {auto | sdwan | specify}

Routing of the NetFlow messages is determined by the selected method. If neither source-ip-interface nor source-ip is configured, then the source address of the message is the IP address of the interface selected by the interface select method.

See Local out traffic for details.

source-ip-interface <name>

Utilize the IP address of the specified interface as the source when sending out the NetFlow messages. Routing of the messages does not change based on this setting.

The source-ip-interface is unavailable for NetFlow configurations when FortiGate is in transparent VDOM mode.

interface <interface>

The outgoing interface to reach the server.

To configure NetFlow in a specific, non-management VDOM:
config vdom
    edit <vdom>
        config system vdom-netflow
            set vdom-netflow enable
            config collectors
                edit <id>
                    set collector-ip <IP address>
                    set collector-port <port>
                    set source-ip <IP address>
                    set interface-select-method {auto | sdwan | specify}
                    set interface <interface>
                next
            end
        end
    next
end
Note

The vdom-netflow command is only available for non-management VDOMs. The management VDOM utilizes the global NetFlow settings.

To configure a NetFlow sampler on an interface:
config system interface
    edit <interface>
        set netflow-sampler {disable | tx | rx | both}
    next
end

disable

Disable the NetFlow protocol on this interface (default).

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

Verification and troubleshooting

If data are not seen on the NetFlow collector after it has been configured, use the following sniffer commands to verify if the FortiGate and the collector are communicating:

  • By collector port:

    # diagnose sniffer packet 'port <collector-port>' 6 0 a
  • By collector IP address:

    # diagnose sniffer packet 'host <collector-ip>' 6 0 a

NetFlow uses the sflow daemon. The current NetFlow configuration can be viewed using test level 3 or 4:

# diagnose test application sflowd 3
# diagnose test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max count:71950
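The sniffer commands above show whether exports leave the FortiGate; the collector-side complement is to check that the exports are decodable. The following is an added example, not part of this guide or of FortiOS: a minimal NetFlow v9 decoder run over a constructed export (not a real capture). It assumes the FortiGate exports NetFlow v9, which matches the guide's template flowset wording, and shows why template-tx-timeout and template-tx-counter matter: a data flowset that arrives before its template flowset cannot be decoded, so a collector that restarts sees undecodable records until the template is resent.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type numbers used by the constructed sample (RFC 3954 names)
FIELD_NAMES = {7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def decode_field(ftype, raw):
    # IPv4 address fields render as dotted quads, everything else as an unsigned int
    return str(IPv4Address(raw)) if ftype in (8, 12) and len(raw) == 4 else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one NetFlow v9 export. `templates` is the collector's cache keyed by (source_id,
    template_id), updated in place; data flowsets with no cached template are reported, not guessed."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unexpected NetFlow version {version}")
    records, undecodable, off = [], [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:  # a malformed length would otherwise loop forever
            break
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: repeated (template_id, field_count, (type, length)*)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                p += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset; only decodable once its template is cached
            fields = templates.get((source_id, fs_id))
            if fields is None:
                undecodable.append(fs_id)
            else:
                rec_len = sum(flen for _, flen in fields)
                for r in range(len(body) // rec_len):
                    rec, p = {}, r * rec_len
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len
    return {"seq": seq, "source_id": source_id, "records": records, "undecodable": undecodable}

# Constructed sample export (not a real capture): header, one template (id 256), one data record
HEADER = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
TEMPLATE_FS = struct.pack("!HHHH", 0, 24, 256, 4) + struct.pack("!HHHHHHHH", 8, 4, 12, 4, 7, 2, 11, 2)
DATA_FS = (struct.pack("!HH", 256, 16) + IPv4Address("10.0.0.5").packed
           + IPv4Address("192.0.2.10").packed + struct.pack("!HH", 40000, 443))
```

Calling parse_v9(HEADER + TEMPLATE_FS + DATA_FS, {}) yields the decoded 10.0.0.5 to 192.0.2.10:443 record, while parse_v9(HEADER + DATA_FS, {}) on an empty cache returns no records and lists template 256 as undecodable.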
