Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    26.1.0
    26.1.0

    NetFlow monitoring

    NetFlow monitoring

    This article describes the steps on how to enable NetFlow monitoring in FortiMonitor.

    Note: Your firewall rules must be updated to allow the following NetFlow ingest URLs depending on your region:

    • US region: nf.us01.fortimonitor.com:443

    • EU region: nf.eu01.fortimonitor.com:443

    Supported NetFlow versions

    • NetFlow v5

    • NetFlow v9

    • IPFIX (NetFlow v10)

    • sFlow

    Enable NetFlow monitoring

    1. To enable NetFlow monitoring, perform the following steps:

    2. From the navigation menu, click Add.

    3. Select NetFlow.

    Installation modes

    Standalone installer

    You can install the NetFlow collector using a VM that will be turned into the NetFlow collector appliance.

    Make sure that the VM you are using meets the following requirements before you start enabling NetFlow monitoring:

    • VM requirements

      • A Linux VM that will be turned into the NetFlow collector appliance

      • 1 core processor

      • 2 GB RAM

      • 20 GB disk

    • OS requirements

      • Recent Ubuntu, RedHat, or Debian distribution.

      • Podman must not be installed.

    • NetFlow device must be configured to send flow data

    Note: The installer checks to make sure that firewall rules are open, if not you will get a warning to open those to allow flow data in.

    To enable firewall access to UDP port 2055 to receive flow packets, run the following command:

    iptables -A INPUT -p udp -m udp --dport 2055 -j ACCEPT

    Configure the VM that you will use as the NetFlow collector appliance.

    1. SSH into your Linux VM.

    2. Root privileges are need for the next steps. Run the following command:
      $ sudo su –

    3. Enable firewall access to UDP port 2055 to receive flow packets by running:
      iptables -A INPUT -p udp -m udp --dport 2055 -j ACCEPT

    4. Download the installer by running the following command:
      curl -fsSL https://repo.fortimonitor.com/install/netflow/install-fortimonitor-netflow.sh > install-fortimonitor-netflow.sh

    5. (Optional) Run the installer inEstimator mode. This installs the NetFlow estimator and will not register the appliance to FortiMonitor.

    6. Run the installer as root. You can choose any name for the NetFlow appliance:
      bash install-fortimonitor-netflow.sh -customer_key <customer_key> -appliance_name "NetFlow Appliance"

    7. Configure the NetFlow source device.

    Virtual appliance

    Make sure that the following requirements are met before enabling NetFlow monitoring:

    Perform the following steps to download and install the NetFlow collector image:

    1. Download the NetFlow vCollector image for your hypervisor.

    2. After downloading the NetFlow collector image, import it as a virtual machine into your hypervisor. Once your NetFlow vCollector is imported and booted, the VM will go through the normal Linux startup process, finishing with a login prompt.

    3. Log in with username fortimonitor and password fortimonitor.

    4. You will then be prompted to set a new password. Important: Do not lose this password. Without it, there is no way to access the NetFlow vCollector for further updates.

    5. Register the NetFlow vCollector by running the following command as root:

      fortimonitor-netflow register <customer_key> "NetFlow Appliance"

    6. This will connect your NetFlow vCollector to the FortiMonitor cloud and begin syncing data.

    7. Start it by running the following as root:

      fortimonitor-netflow start

    8. To run the estimator, run the following command as root:
      fortimonitor-netflow estimator <cidr-filters-file>

    9. Configure the NetFlow source device.

    Configure the NetFlow source device

    You must configure your NetFlow source device, in this case a FortiGate, to send flow data to FortiMonitor.

    1. Log in to the NetFlow source device. For more information on how to configure NetFlow in FortiGate, see https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/31620/config-system-netflow.

    2. Configure NetFlow in FortiGate.
      # config system netflow
      set active-flow-timeout 60
      set collector-ip <netflow-collector-ip>
      set collector-port 2055
      end

      Where<netflow-collector-ip> is the IP address of your NetFlow collector appliance.

    3. Enable NetFlow on each interface that you want to monitor traffic for. For example, wan1:
      # config system interface
      edit wan1
      set netflow-sampler both
      end

    View the NetFlow dashboard

    Log into FortiMonitor then go to Dashboards > NetFlow.


    FortiMonitor NetFlow commands

    This section describes the commands that can be used with the NetFlow collector appliance.

    /usr/bin/fortimonitor-netflow <command>

    Command

    Description
    register <customer_key> Register your device with FortiMonitor.
    start Start the container.
    restart Restart the container.
    stop Stop the container.

    upgrade

    Upgrade to the latest version of FortiMonitor NetFlow.

    status

    Show the status of the FortiMonitor NetFlow container.

    remove

    Remove FortiMonitor NetFlow from your device

    netflow-uninstall

    • Stops and removes the NetFlow container and image

    • Uninstall the FM agent

    • Remove Docker volumes

    • Remove the CLI bash script, logs and any other files added during the installation
    Previous
    Next

    NetFlow monitoring

    NetFlow monitoring

    This article describes the steps on how to enable NetFlow monitoring in FortiMonitor.

    Note: Your firewall rules must be updated to allow the following NetFlow ingest URLs depending on your region:

    • US region: nf.us01.fortimonitor.com:443

    • EU region: nf.eu01.fortimonitor.com:443

    Supported NetFlow versions

    • NetFlow v5

    • NetFlow v9

    • IPFIX (NetFlow v10)

    • sFlow

    Enable NetFlow monitoring

    1. To enable NetFlow monitoring, perform the following steps:

    2. From the navigation menu, click Add.

    3. Select NetFlow.

    Installation modes

    Standalone installer

    You can install the NetFlow collector using a VM that will be turned into the NetFlow collector appliance.

    Make sure that the VM you are using meets the following requirements before you start enabling NetFlow monitoring:

    • VM requirements

      • A Linux VM that will be turned into the NetFlow collector appliance

      • 1 core processor

      • 2 GB RAM

      • 20 GB disk

    • OS requirements

      • Recent Ubuntu, RedHat, or Debian distribution.

      • Podman must not be installed.

    • NetFlow device must be configured to send flow data

    Note: The installer checks to make sure that firewall rules are open, if not you will get a warning to open those to allow flow data in.

    To enable firewall access to UDP port 2055 to receive flow packets, run the following command:

    iptables -A INPUT -p udp -m udp --dport 2055 -j ACCEPT

    Configure the VM that you will use as the NetFlow collector appliance.

    1. SSH into your Linux VM.

    2. Root privileges are need for the next steps. Run the following command:
      $ sudo su –

    3. Enable firewall access to UDP port 2055 to receive flow packets by running:
      iptables -A INPUT -p udp -m udp --dport 2055 -j ACCEPT

    4. Download the installer by running the following command:
      curl -fsSL https://repo.fortimonitor.com/install/netflow/install-fortimonitor-netflow.sh > install-fortimonitor-netflow.sh

    5. (Optional) Run the installer inEstimator mode. This installs the NetFlow estimator and will not register the appliance to FortiMonitor.

    6. Run the installer as root. You can choose any name for the NetFlow appliance:
      bash install-fortimonitor-netflow.sh -customer_key <customer_key> -appliance_name "NetFlow Appliance"

    7. Configure the NetFlow source device.

    Virtual appliance

    Make sure that the following requirements are met before enabling NetFlow monitoring:

    Perform the following steps to download and install the NetFlow collector image:

    1. Download the NetFlow vCollector image for your hypervisor.

    2. After downloading the NetFlow collector image, import it as a virtual machine into your hypervisor. Once your NetFlow vCollector is imported and booted, the VM will go through the normal Linux startup process, finishing with a login prompt.

    3. Log in with username fortimonitor and password fortimonitor.

    4. You will then be prompted to set a new password. Important: Do not lose this password. Without it, there is no way to access the NetFlow vCollector for further updates.

    5. Register the NetFlow vCollector by running the following command as root:

      fortimonitor-netflow register <customer_key> "NetFlow Appliance"

    6. This will connect your NetFlow vCollector to the FortiMonitor cloud and begin syncing data.

    7. Start it by running the following as root:

      fortimonitor-netflow start

    8. To run the estimator, run the following command as root:
      fortimonitor-netflow estimator <cidr-filters-file>

    9. Configure the NetFlow source device.

    Configure the NetFlow source device

    You must configure your NetFlow source device, in this case a FortiGate, to send flow data to FortiMonitor.

    1. Log in to the NetFlow source device. For more information on how to configure NetFlow in FortiGate, see https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/31620/config-system-netflow.

    2. Configure NetFlow in FortiGate.
      # config system netflow
      set active-flow-timeout 60
      set collector-ip <netflow-collector-ip>
      set collector-port 2055
      end

      Where<netflow-collector-ip> is the IP address of your NetFlow collector appliance.

    3. Enable NetFlow on each interface that you want to monitor traffic for. For example, wan1:
      # config system interface
      edit wan1
      set netflow-sampler both
      end

    View the NetFlow dashboard

    Log into FortiMonitor then go to Dashboards > NetFlow.


    FortiMonitor NetFlow commands

    This section describes the commands that can be used with the NetFlow collector appliance.

    /usr/bin/fortimonitor-netflow <command>

    Command

    Description
    register <customer_key> Register your device with FortiMonitor.
    start Start the container.
    restart Restart the container.
    stop Stop the container.

    upgrade

    Upgrade to the latest version of FortiMonitor NetFlow.

    status

    Show the status of the FortiMonitor NetFlow container.

    remove

    Remove FortiMonitor NetFlow from your device

    netflow-uninstall

    • Stops and removes the NetFlow container and image

    • Uninstall the FM agent

    • Remove Docker volumes

    • Remove the CLI bash script, logs and any other files added during the installation
    Previous
    Next