Configuring flow tracking and export
You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.
When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.
You can configure multiple flow-export collectors using the config collectors command. For each collector, you can specify the collector IP address, the collector port number, and the layer-4 transport protocol used to export packets to that collector.
Using multiple flow-export collectors requires FortiSwitchOS 7.0.0 or later. If you are using an earlier version of FortiSwitchOS, only the first flow-export collector is supported.
You can specify how often a template packet is sent using the set template-export-period command. By default, a template packet is sent every 5 minutes. The range of values is 1-60 minutes.
To configure flow tracking on managed FortiSwitch units:
config switch-controller flow-tracking
  set sample-mode {local | perimeter | device-ingress}
  set sample-rate <0-99999>
  set format {netflow1 | netflow5 | netflow9 | ipfix}
  set level {vlan | ip | port | proto}
  set max-export-pkt-size <512-9216 bytes; default is 512>
  set template-export-period <1-60 minutes; default is 5>
  set timeout-general <60-604800 seconds; default is 3600>
  set timeout-icmp <60-604800 seconds; default is 300>
  set timeout-max <60-604800 seconds; default is 604800>
  set timeout-tcp <60-604800 seconds; default is 3600>
  set timeout-tcp-fin <60-604800 seconds; default is 300>
  set timeout-tcp-rst <60-604800 seconds; default is 120>
  set timeout-udp <60-604800 seconds; default is 300>
  config collectors
    edit <collector_name>
      set ip <IPv4_address>
      set port <0-65535>
      set transport {udp | tcp | sctp}
    end
  config aggregates
    edit <aggregate_ID>
      set <IPv4_address>
    end
end
For example:
config switch-controller flow-tracking
  config collectors
    edit "Analyzer_1"
      set ip 172.16.201.55
      set port 4739
      set transport sctp
    next
    edit "Collector_HQ"
      set ip 172.16.116.82
      set port 2055
    next
  end
  set template-export-period 10
end
Configure the sampling mode
You can set the sampling mode to local, perimeter, or device-ingress.
- The local mode samples packets on a specific FortiSwitch port.
- The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
- The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.
Configure the sampling rate
For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.
Configure the flow-tracking protocol
You can set the format of exported flow data to NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX.
Configure the collector IP address
The default is 0.0.0.0. Setting the value to "0.0.0.0" or "" disables this feature. The format is xxx.xxx.xxx.xxx.
Configure the transport protocol
You can set exported packets to use UDP, TCP, or SCTP for transport.
Configure the flow-tracking level
You can set the flow-tracking level to one of the following:
- vlan: The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sampled packet.
- ip: The FortiSwitch unit collects the source IP address and destination IP address from the sampled packet.
- port: The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sampled packet.
- proto: The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sampled packet.
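The following is an added illustration, not Fortinet code, of two points above: why the template-export period matters, and what a port-level record carries. It is a minimal IPFIX collector that learns templates and can decode a data set only after the matching template has arrived (a data set seen earlier is counted as undecodable, which is what a collector experiences until the next template packet). The information element IDs are the IANA-assigned ones for the port-level fields; the sample message bytes and the flow record are constructed here and are not taken from a FortiSwitch export.

```python
import struct
# IANA IPFIX element IDs carried by a "level port" record (hypothetical collector, not Fortinet code)
IE_NAMES = {8: "srcIP", 12: "dstIP", 7: "srcPort", 11: "dstPort", 4: "proto"}

class Collector:
    def __init__(self):
        self.templates = {}   # (observation_domain, template_id) -> [(ie_id, length), ...]
        self.undecodable = 0  # data sets that arrived before their template
    def feed(self, msg):
        version, length, _time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        records, off = [], 16
        while off < length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            body = msg[off + 4:off + set_len]
            if set_id == 2:                  # template set: learn record layouts
                self._learn(domain, body)
            elif set_id >= 256:              # data set: its set ID names the template
                records.extend(self._decode(domain, set_id, body))
            off += set_len
        return records
    def _learn(self, domain, body):
        off = 0
        while off + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[off:off + 4])
            self.templates[(domain, tid)] = [struct.unpack("!HH", body[i:i + 4])
                                             for i in range(off + 4, off + 4 + 4 * count, 4)]
            off += 4 + 4 * count
    def _decode(self, domain, tid, body):
        tpl = self.templates.get((domain, tid))
        if tpl is None:                      # no template yet: bytes cannot be interpreted
            self.undecodable += 1
            return []
        rec_len, out = sum(ln for _, ln in tpl), []
        for start in range(0, len(body) - rec_len + 1, rec_len):  # skips trailing padding
            rec, pos = {}, start
            for ie, ln in tpl:
                raw, pos = body[pos:pos + ln], pos + ln
                rec[IE_NAMES.get(ie, ie)] = ".".join(map(str, raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
            out.append(rec)
        return out

def ipfix_message(domain, seq, sets):
    # Build a constructed IPFIX message (version 10) from (set_id, payload) pairs
    body = b"".join(struct.pack("!HH", sid, 4 + len(p)) + p for sid, p in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, seq, domain) + body
# Constructed sample: template 256 is a "level port" layout; FLOW is one record using it
TEMPLATE = struct.pack("!HH", 256, 5) + b"".join(struct.pack("!HH", *f) for f in [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)])
FLOW = bytes([10, 0, 0, 5, 172, 16, 201, 55]) + struct.pack("!HHB", 51234, 443, 6)
```

Feeding a data set before its template yields no records and raises the undecodable counter; once the template set has been received, the same bytes decode into the five port-level fields, and templates are cached per observation domain.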
Configure the maximum exported packet size
You can set the maximum size of exported packets at the application level.
To remove flow reports from a managed FortiSwitch unit:
execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>
Expired flows are exported.
To view flow statistics for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>
To view raw flow records for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>
To view flow record data for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>
For example:
diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6