ElastiFlow is a NetFlow aggregation tool for collecting and visualizing network flow data from multiple sources, networks, and devices. The following sections describe how to deploy ElastiFlow to FortiMonitor using a VMware OVF image.
The following list provides the minimum Linux VM requirements for an ElastiFlow integration deployment:
At least 8GB of memory
50 GB of available SSD space
Port 5601 open
Note: The Elasticsearch Curator automatically purges data when the available disk space is less than 10GB. Data older than 14 days is also cleared out.
Note: The zip file is approximately 2.7 GB in size.
In VMWare vSphere or ESXi, provision a new VM. Use the method Deploy a virtual machine from an OVF or OVA file.
Note: A Disk Not Found error may be displayed. You can ignore this warning and proceed with the installation.
Boot the new VM and then log in using the following credentials:
Set a new password.
Important note: Do not lose this password. The password can not be recovered. Without it, there is no way to access the VM.
Enter the following command to enable the FortiMonitor Agent to report on ElastiFlow performance and resource usage:
sudo efconfig enable-agent CUSTOMER_KEY
Note: To obtain your customer key, select your avatar then select My Account.
The network configuration defaults to DHCP. DHCP is helpful to ease getting the VM online, but because DHCP address leases are not stable in the long term, it is advisable to change to static addressing. The netplan is in /etc/netplan/00-installer-config.yaml and may be edited in root mode using an editor such as nano (See example file below). The command sudo netplan apply will enable the new settings.
Once installed, point your Netflow data from your network devices to the appliance and it will start populating.
Visit http://<IP>:5601 to access the Appliance Main Page.
Where IP is the IP address of the machine where you installed the ElastiFlow integration.
Go to the dashboard and look at Overview Dashboard to verify that the dashboard exists.
Note: An Error in visualization error will occur if there is no data to populate the dashboard.
The following are the IPv4 protocols and their corresponding ports the appliance will be listening on:
Netflow UDP 2055
Note: After installing ElastiFlow, contact support to enable linking from your network devices in the FortiMonitor Control Panel to the ElastiFlow interface.
Sample /etc/netplan/00-installer-config.yaml file configured for static addressing. Use IPv4 addresses and masks appropriate for your environment. This file is sensitive to indentation:
addresses: [10.0.0.254, 22.214.171.124, 126.96.36.199]
If you want to get provider and location data, enable geo-location data using the MaxMind GeoIP database:
efconfig enable-geoip LICENSE-KEY
Note: Generate a license by going to https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en.
While enabling GeoIP automatically downloads the database, you have the option to force a refresh at any time. Enter the following command to download the latest MaxMind GeoIP databases: