Routing NetFlow data over the HA management interface
In an HA environment, the ha-direct option causes management traffic from services such as syslog, FortiAnalyzer, SNMP, and NetFlow to be sent out the HA management interface, using that interface's own IP address as the source, instead of following the normal routing table.
The following example shows how NetFlow data can be routed over the HA management interface mgmt1.
To route NetFlow data over the HA management interface:
- On the primary unit (FortiGate A), configure the HA and mgmt1 interface settings:

    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password *********
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 200
        set ha-direct enable
    end

    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.111 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
- On the secondary unit (FortiGate B), configure the HA and mgmt1 interface settings:

    (global) # config system ha
        set group-name "test-ha"
        set mode a-p
        set password *********
        set hbdev "port6" 50
        set hb-interval 4
        set hb-lost-threshold 10
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
        set override enable
        set priority 100
        set ha-direct enable
    end

    (global) # config system interface
        edit "mgmt1"
            set ip 10.6.30.112 255.255.255.0
            set allowaccess ping https ssh http telnet fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 1
        next
    end
- On the primary unit (FortiGate A), configure the NetFlow collector:

    (global) # config system netflow
        set collector-ip 10.6.30.59
    end
- Verify that NetFlow uses the mgmt1 IP (10.6.30.111) as its source:

    (global) # diagnose test application sflowd 3
- Verify that the NetFlow packets are being sent from the mgmt1 IP:

    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    8.397265 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    23.392175 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 188
    23.392189 mgmt1 out 10.6.30.111.1992 -> 10.6.30.59.2055: udp 60
    ...
    3 packets received by filter
    0 packets dropped by kernel
- On the secondary unit (FortiGate B), raise the priority above FortiGate A's so that, with override enabled, it becomes the primary:

    (global) # config system ha
        set priority 250
    end
- Verify the NetFlow status on FortiGate A, which is using the new primary's mgmt1 IP:

    (global) # diagnose test application sflowd 3
- Verify that the NetFlow packets now use the new primary's mgmt1 IP (10.6.30.112) as their source on FortiGate B:

    (vdom1) # diagnose sniffer packet any 'udp and port 2055' 4
    interfaces=[any]
    filters=[udp and port 2055]
    7.579574 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    22.581830 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 60
    29.038336 mgmt1 out 10.6.30.112.3579 -> 10.6.30.59.2055: udp 1140
    ^C
    3 packets received by filter
    0 packets dropped by kernel
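The sniffer output above shows the practical consequence of ha-direct for whoever runs the collector: the export source address moves from 10.6.30.111 to 10.6.30.112 when the primary role changes, so a collector or host firewall that filters exporters by source IP must allow the mgmt1 address of every HA member, not just the current primary. The following is an added example, not FortiOS code or Fortinet's collector, of a small NetFlow v9 receiver in Python that enforces such an allow list, parses the v9 export header, and reports when the exporting member changes or the per-exporter sequence number jumps. The addresses, the UDP port 2055 and the header-only sample packets are assumptions taken from or modelled on this page; real exports carry template and data flowsets after the 20-byte header, which this example does not decode.

```python
"""NetFlow v9 receiver that tracks which HA member is exporting.

Added example; not FortiOS or Fortinet code. Assumed (hypothetical) values:
collector 10.6.30.59 listening on UDP 2055, and an exporter allow list made
of both HA members' mgmt1 addresses, because with ha-direct the export
source address changes when the primary role moves.
"""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# NetFlow v9 packet header (RFC 3954 section 5.1), all fields big-endian:
# version(2) count(2) sysUptime(4) unixSecs(4) sequence(4) sourceId(4)
V9_HEADER = struct.Struct("!HHIIII")

# mgmt1 addresses of FortiGate A and FortiGate B from the example above.
ALLOWED_EXPORTERS = {"10.6.30.111", "10.6.30.112"}


@dataclass
class ExporterState:
    """Which member is currently exporting, and the last sequence seen per IP."""
    current: Optional[str] = None
    last_seq: Dict[str, int] = field(default_factory=dict)


def parse_v9_header(payload: bytes) -> dict:
    """Decode the 20-byte v9 header; reject short packets and other versions."""
    if len(payload) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    return {"count": count, "uptime_ms": uptime, "unix_secs": secs,
            "sequence": seq, "source_id": source_id}


def process_export(state: ExporterState, src_ip: str, payload: bytes) -> List[str]:
    """Apply the allow list, then update state; returns human-readable events."""
    events: List[str] = []
    if src_ip not in ALLOWED_EXPORTERS:
        # Do not touch state: an unknown sender must not be able to "fail over".
        return [f"rejected: {src_ip} is not an allowed exporter"]
    try:
        hdr = parse_v9_header(payload)
    except ValueError as exc:
        return [f"malformed export from {src_ip}: {exc}"]

    if state.current is None:
        events.append(f"exporter is {src_ip}")
    elif state.current != src_ip:
        # This is what the failover in the example looks like on the wire.
        events.append(f"failover: exporter changed from {state.current} to {src_ip}")
    state.current = src_ip

    # v9 sequence numbers count export packets per exporter; a jump means loss
    # (or an exporter restart), which is worth logging separately from failover.
    prev = state.last_seq.get(src_ip)
    if prev is not None and hdr["sequence"] != prev + 1:
        events.append(f"sequence gap from {src_ip}: {prev} -> {hdr['sequence']}")
    state.last_seq[src_ip] = hdr["sequence"]
    return events


def make_v9_packet(seq: int, source_id: int = 0, uptime_ms: int = 1000,
                   unix_secs: int = 1_700_000_000, count: int = 0) -> bytes:
    """Constructed header-only v9 packet for offline testing (no flowsets)."""
    return V9_HEADER.pack(9, count, uptime_ms, unix_secs, seq, source_id)


def serve(bind_ip: str = "0.0.0.0", port: int = 2055) -> None:
    """Receive exports from the FortiGate cluster and print the events."""
    state = ExporterState()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            payload, (src_ip, _src_port) = sock.recvfrom(65535)
            for event in process_export(state, src_ip, payload):
                print(event)


if __name__ == "__main__":
    serve()
```

Run it on the collector host (the one configured as collector-ip) and repeat the priority change from the procedure: the receiver prints the failover event when the source moves from 10.6.30.111 to 10.6.30.112, and a sequence gap for the new exporter is expected because each member keeps its own counter.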