User Guide

24.2.0

NetFlow monitoring

This article describes how to enable NetFlow monitoring in FortiMonitor.

To enable NetFlow monitoring, perform the following steps:

  1. From the navigation menu, click Add.

  2. Select NetFlow.

Installation modes

Standalone installer

You can install the NetFlow collector using a VM that will be turned into the NetFlow collector appliance.

Make sure that the VM you are using meets the following requirements before you start enabling NetFlow monitoring:

  • VM requirements

    • A Linux VM that will be turned into the NetFlow collector appliance

    • 1 core processor

    • 2 GB RAM

    • 20 GB disk

  • OS requirements

    • Recent Ubuntu, RedHat, or Debian distribution.

    • Podman must not be installed.

  • NetFlow device must be configured to send flow data

Note: The installer checks that the required firewall rules are open; if they are not, it warns you to open them so that flow data can reach the collector.

To enable firewall access to UDP port 2055 to receive flow packets, run the following command:

iptables -A INPUT -p udp -m udp --dport 2055 -j ACCEPT

Configure the VM that you will use as the NetFlow collector appliance.

  1. SSH into your Linux VM.

  2. Root privileges are needed for the next steps. Run the following command:
    $ sudo su -

  3. Enable firewall access to UDP port 2055 to receive flow packets by running:
    iptables -A INPUT -p udp -m udp --dport 2055 -j ACCEPT

  4. Download the installer by running the following command:
    curl -fsSL https://repo.fortimonitor.com/install/netflow/install-fortimonitor-netflow.sh > install-fortimonitor-netflow.sh

  5. (Optional) Run the installer in Estimator mode. This installs the NetFlow estimator and does not register the appliance with FortiMonitor.

  6. Run the installer as root. You can choose any name for the NetFlow appliance:
    bash install-fortimonitor-netflow.sh -customer_key <customer_key> -appliance_name "NetFlow Appliance"

  7. Configure the NetFlow source device.
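The requirements and the firewall step above are easy to get wrong on a freshly cloned VM, so here is a pre-flight check you can run before downloading the installer. It is an added example, not Fortinet's installer script: it verifies the listed minimums (1 core, 2 GB RAM, 20 GB disk, Podman absent) and, when run as root, uses `iptables -C` to test whether an ACCEPT rule for UDP 2055 already exists. The optional EXPORTER_IP environment variable is an assumption of this example, not something the guide describes: it builds the rule with a source restriction so that only the FortiGate, rather than any host, can deliver unauthenticated UDP to the collector.

```python
#!/usr/bin/env python3
"""Pre-flight check for a Linux VM that will become the NetFlow collector appliance.

Added example, not Fortinet's installer. Checks the guide's requirements
(1 core, 2 GB RAM, 20 GB disk, no Podman) and whether an iptables rule admitting
UDP/2055 exists. EXPORTER_IP (assumed, not from the guide) narrows that rule to the
FortiGate's address.
"""
import os
import shutil
import subprocess

NETFLOW_PORT = 2055
MIN_CORES, MIN_MEM_GB, MIN_DISK_GB = 1, 2, 20


def parse_meminfo_gb(text: str) -> int:
    """Return MemTotal from /proc/meminfo text, rounded to whole GB (a 2 GB VM reports ~1.94)."""
    for line in text.splitlines():
        if line.startswith("MemTotal:"):
            kb = int(line.split()[1])
            return round(kb / (1024 * 1024))
    raise ValueError("MemTotal not found")


def check_requirements(cores: int, mem_gb: int, disk_gb: int, podman_installed: bool) -> list:
    """Return human-readable failures; an empty list means the VM meets the requirements."""
    failures = []
    if cores < MIN_CORES:
        failures.append(f"need {MIN_CORES} core(s), found {cores}")
    if mem_gb < MIN_MEM_GB:
        failures.append(f"need {MIN_MEM_GB} GB RAM, found {mem_gb} GB")
    if disk_gb < MIN_DISK_GB:
        failures.append(f"need {MIN_DISK_GB} GB disk, found {disk_gb} GB")
    if podman_installed:
        failures.append("Podman is installed; the installer requires it to be absent")
    return failures


def iptables_rule(port: int, source: str = None) -> list:
    """Build the ACCEPT rule for collector traffic; with source, only that exporter may send."""
    rule = ["INPUT", "-p", "udp", "-m", "udp", "--dport", str(port), "-j", "ACCEPT"]
    if source:
        rule = ["INPUT", "-s", source] + rule[1:]
    return rule


def rule_present(rule: list) -> bool:
    """iptables -C exits 0 when an identical rule already exists (needs root)."""
    try:
        return subprocess.run(["iptables", "-C"] + rule, capture_output=True).returncode == 0
    except FileNotFoundError:
        return False  # no iptables binary on this host, so the rule cannot exist in this form


def main() -> int:
    with open("/proc/meminfo") as f:
        mem_gb = parse_meminfo_gb(f.read())
    disk_gb = shutil.disk_usage("/").total // (1024 ** 3)  # size of the root filesystem
    failures = check_requirements(os.cpu_count() or 0, mem_gb, disk_gb,
                                  shutil.which("podman") is not None)
    rule = iptables_rule(NETFLOW_PORT, os.environ.get("EXPORTER_IP"))
    if os.geteuid() == 0 and not rule_present(rule):
        failures.append("no iptables rule for UDP %d; add it with: iptables -A %s"
                        % (NETFLOW_PORT, " ".join(rule)))
    for failure in failures:
        print("FAIL:", failure)
    print("OK: VM meets the collector requirements" if not failures
          else f"{len(failures)} problem(s) found")
    return 0 if not failures else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as root (`EXPORTER_IP=<fortigate-ip> python3 preflight.py`) before step 4; a non-zero exit means at least one requirement is unmet, and the printed `iptables -A` line is the rule to add.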

Virtual appliance

Make sure that the following requirements are met before enabling NetFlow monitoring:

Perform the following steps to download and install the NetFlow collector image:

  1. Download the NetFlow vCollector image for your hypervisor.

  2. Import the downloaded image as a virtual machine into your hypervisor. Once the NetFlow vCollector is imported and booted, the VM goes through the normal Linux startup process, finishing with a login prompt.

  3. Log in with username fortimonitor and password fortimonitor.

  4. You are then prompted to set a new password. Important: Do not lose this password. Without it, there is no way to access the NetFlow vCollector for further updates.

  5. Register the NetFlow vCollector by running the following command as root:

    fortimonitor-netflow register <customer_key> "NetFlow Appliance"

    This connects your NetFlow vCollector to the FortiMonitor cloud and begins syncing data.

  6. Start it by running the following as root:

    fortimonitor-netflow start

  7. To run the estimator, run the following command as root:
    fortimonitor-netflow estimator <cidr-filters-file>

  8. Configure the NetFlow source device.

Configure the NetFlow source device

You must configure your NetFlow source device, in this case a FortiGate, to send flow data to FortiMonitor.

  1. Log in to the NetFlow source device. For more information on how to configure NetFlow in FortiGate, see https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/31620/config-system-netflow.

  2. Configure NetFlow in FortiGate.
    # config system netflow
    set active-flow-timeout 60
    set collector-ip <netflow-collector-ip>
    set collector-port 2055
    end

    Where <netflow-collector-ip> is the IP address of your NetFlow collector appliance.

  3. Enable NetFlow on each interface that you want to monitor traffic for. For example, wan1:
    # config system interface
    edit wan1
    set netflow-sampler both
    end
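After the FortiGate is configured, the quickest way to confirm that collector-ip, collector-port and the firewall rule line up is to watch the collector port directly. The script below is an added example, not part of FortiMonitor or FortiOS: it decodes the fixed header of NetFlow v5, NetFlow v9 and IPFIX (v10) packets (the guide does not state which version the FortiGate exports, so all three are accepted), reports the exporter address and version, and flags sequence-number jumps that indicate packets lost between the FortiGate and the collector. The make_* helpers build constructed headers for testing; they are not captured traffic. It assumes the FortiMonitor container is not yet bound to the port, since two listeners cannot share UDP 2055.

```python
#!/usr/bin/env python3
"""Check that flow export from the FortiGate actually reaches UDP/2055.

Added example; not part of FortiMonitor or FortiOS. Decodes NetFlow v5, NetFlow v9
and IPFIX (v10) export headers so you can see which exporter is sending, which
version it speaks and whether sequence numbers jump. The make_* helpers produce
constructed headers, not captured packets.
"""
import socket
import struct
import time

# version -> (struct format for the fields after the 2-byte version, field names)
HEADERS = {
    5: (">HIIIIBBH", ("count", "sys_uptime_ms", "unix_secs", "unix_nsecs",
                      "flow_sequence", "engine_type", "engine_id", "sampling_interval")),
    9: (">HIIII", ("count", "sys_uptime_ms", "unix_secs", "sequence", "source_id")),
    10: (">HIII", ("length", "export_time", "sequence", "observation_domain_id")),
}


def parse_header(data: bytes) -> dict:
    """Decode the export header; raise ValueError for anything that is not NetFlow/IPFIX."""
    if len(data) < 2:
        raise ValueError("packet too short")
    version = struct.unpack(">H", data[:2])[0]
    if version not in HEADERS:
        raise ValueError(f"unsupported version {version}")
    fmt, names = HEADERS[version]
    size = struct.calcsize(fmt)
    if len(data) < 2 + size:
        raise ValueError(f"v{version} header truncated")
    fields = dict(zip(names, struct.unpack(fmt, data[2:2 + size])))
    fields["version"] = version
    return fields


class SequenceTracker:
    """Per-exporter sequence tracking: a jump beyond the expected increment means loss."""

    def __init__(self):
        self.last = {}  # (exporter ip, version, source id) -> (sequence, expected increment)

    def observe(self, exporter: str, hdr: dict) -> int:
        """Return how many units were missed since this exporter's previous packet (0 = none)."""
        version = hdr["version"]
        if version == 10:
            return 0  # IPFIX sequences count data records; checking them needs set parsing
        # v5 sequences count flow records (increment = count); v9 sequences count packets
        seq = hdr["flow_sequence"] if version == 5 else hdr["sequence"]
        inc = hdr["count"] if version == 5 else 1
        key = (exporter, version, hdr.get("source_id", 0))
        missed = 0
        if key in self.last:
            expected = sum(self.last[key]) & 0xFFFFFFFF
            missed = (seq - expected) & 0xFFFFFFFF
            if missed > 0x7FFFFFFF:
                missed = 0  # earlier than expected: reordered or duplicate, not loss
        self.last[key] = (seq, inc)
        return missed


def listen(port: int = 2055, seconds: int = 30) -> dict:
    """Bind UDP/port, print one line per packet, return packet counts per exporter IP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    sock.settimeout(1.0)
    tracker, seen = SequenceTracker(), {}
    deadline = time.time() + seconds
    while time.time() < deadline:
        try:
            data, (ip, _) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        try:
            hdr = parse_header(data)
        except ValueError as err:
            print(f"{ip}: ignored ({err})")  # something else is talking to the collector port
            continue
        seen[ip] = seen.get(ip, 0) + 1
        missed = tracker.observe(ip, hdr)
        seq = hdr.get("sequence", hdr.get("flow_sequence"))
        print(f"{ip}: v{hdr['version']} seq={seq}" + (f"  MISSED {missed}" if missed else ""))
    sock.close()
    return seen


# Constructed header builders (real packets carry templates/records after the header)
def make_v5(count, flow_sequence):
    return struct.pack(">HHIIIIBBH", 5, count, 1000, 1700000000, 0, flow_sequence, 0, 0, 0)


def make_v9(count, sequence, source_id=0):
    return struct.pack(">HHIIII", 9, count, 1000, 1700000000, sequence, source_id)


def make_v10(sequence, domain_id=0):
    return struct.pack(">HHIII", 10, 16, 1700000000, sequence, domain_id)


if __name__ == "__main__":
    print(listen())
```

If nothing arrives within the listening window, the usual causes are the collector-ip pointing at the wrong address, the interface lacking `set netflow-sampler both`, or the UDP 2055 rule missing on the collector VM. Packets from an address other than your FortiGate are worth investigating, since the collector port accepts UDP from any source unless the firewall rule is restricted.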

View the NetFlow dashboard

Log in to FortiMonitor, then go to Dashboards > NetFlow.

FortiMonitor NetFlow commands

This section describes the commands that can be used with the NetFlow collector appliance.

/usr/bin/fortimonitor-netflow <command>

Command                  Description

register <customer_key>  Register your device with FortiMonitor.
start                    Start the container.
restart                  Restart the container.
stop                     Stop the container.
upgrade                  Upgrade to the latest version of FortiMonitor NetFlow.
status                   Show the status of the FortiMonitor NetFlow container.
remove                   Remove FortiMonitor NetFlow from your device.
netflow-uninstall        • Stops and removes the NetFlow container and image
                         • Uninstalls the FM agent
                         • Removes the Docker volumes
                         • Removes the CLI bash script, logs, and any other files added during the installation
