Fortinet black logo

Administration Guide

Flow export

Copy Link
Copy Doc ID 0f66c6af-cee6-11eb-97f7-00505692583a:774769
Download PDF

Flow export

NOTE:

  • To see which models support this feature, refer to the FortiSwitch feature matrix.
  • Starting in FortiSwitchOS 7.0.0, you can use the CLI to configure multiple flow-export collectors, control how often the template is exported, and specify a Berkeley packet filter (BPF).
  • Layer-2 flows for NetFlow version 1 and NetFlow version 5 are not supported.
  • For 2xxE models and higher, flow export uses psudorandom sampling (approximately 1 of x packets).

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. Specifying the flow-tracking level controls which fields are exported:

Flow-tracking level Fields that are exported

IP

src.mac, dst.mac

MAC

src.ip, dst.ip, ip.ver

Port

src.ip, dst.ip, ip.ver, ip.proto

Protocol

src.ip, dst.ip, ip.ver, ip.proto, ip.src.port, ip.dst.port, tcp.flags

VLAN

src.ip, dst.ip, ip.ver, ip.proto, ip.src.port, ip.dst.port, tcp.flags, vlan

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

To use flow export:
  1. Enabling packet sampling
  2. Configuring flow export
  3. Viewing the flow-export data
  4. Deleting the flow-export data

Enabling packet sampling

To use flow export, you must first enable packet sampling for each switch port and trunk:

config switch interface

edit <interface>

set packet-sampler enabled

set packet-sample-rate <0-99999>

end

Configuring flow export

Using the GUI:
  1. Go to System > Flow Export > Configure.
  2. Configure the collectors.
    1. Click +.
    2. In the Name field, enter the name of the collector.
    3. Required. In the IP field, enter the IPv4 address for the collector. When the value is “0.0.0.0” or blank, the feature is disabled.
    4. In the Port field, enter the port number for the collector. The default port for NetFlow is 2055; the default port for IPFIX is 4739.
    5. In the Transport dropdown list, select SCTP, TCP, or UDP for the transport of exported packets.
  3. Configure the flow export options.
    1. In the Format drop-down list, select the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.
      NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.
    2. In the Identity field, enter a unique number to identify which FortiSwitch unit the data originates from. If the identity is not specified, the “Burn in MAC” value is used instead (from the get system status command output).
    3. In the Level field, select the flow-tracking level from one of the following:
      —When you select IP, the FortiSwitch unit collects the source IP address and destination IP address from the sample packet.
      —When you select MAC, the FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
      —When you select Port, the FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
      —When you select Protocol, the FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
      —When you select VLAN, the FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.
    4. In the Max Export Packet Size (Bytes) field, enter the maximum size of exported packets in the application level.
  4. Configure the timeouts.
    1. In the General field, enter the general timeout in seconds for the flow session.
    2. In the ICMP field, enter the ICMP timeout for the flow session.
    3. In the Max field, enter the maximum number of seconds before the flow session times out.
    4. In the TCP field, enter the TCP timeout for the flow session.
    5. In the TCP FIN field, enter the TCP FIN flag timeout for the flow session.
    6. In the TCP RST field, enter the TCP RST flag timeout for the flow session.
    7. In the UDP field, enter the UDP timeout for the flow session.
  5. Configure the aggregates.
    1. Select +.
    2. In the ID field, enter a number to identify the entry or use the default value.
    3. Required. In the IP/Netmask field, enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.
    4. To add another entry, select +.
  6. Select Update.
Using the CLI:

config system flow-export

set filter <BPF_filter>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set identity <hexadecimal>

set level {ip | mac | port | proto | vlan}

set max-export-pkt-size <512-9216 bytes>

set template-export-period <1-60 minutes>

set timeout-general <60-604800 seconds>

set timeout-icmp <60-604800 seconds>

set timeout-max <60-604800 seconds>

set timeout-tcp <60-604800 seconds>

set timeout-tcp-fin <60-604800 seconds>

set timeout-tcp-rst <60-604800 seconds>

set timeout-udp <60-604800 seconds>

config collectors

edit <collector_name>

set ip <IPv4_address>

set port <port_number>

set transport {sctp | tcp | udp}

end

config aggregates

edit <aggregate_ID>

set ip <IPv4_address_mask>

end

end

Viewing the flow-export data

Using the GUI:

Go to System > Flow Export > Monitor.

Using the CLI:

You can display the flow-export data or raw data for a specified number of records or for all records. You can also display statistics for flow-export data.

get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data statistics

NOTE: Layer-2 flows for netflow1 and netflow5 are not supported. For the output of the get system flow-export-data statistics command, the Incompatible Type field displays how many flows are not exported because they are not supported.

Deleting the flow-export data

Use the following commands to delete or expire all flow-export data:

diagnose sys flow-export delete-flows-all

diagnose sys flow-export expire-flows-all

Flow export

NOTE:

  • To see which models support this feature, refer to the FortiSwitch feature matrix.
  • Starting in FortiSwitchOS 7.0.0, you can use the CLI to configure multiple flow-export collectors, control how often the template is exported, and specify a Berkeley packet filter (BPF).
  • Layer-2 flows for NetFlow version 1 and NetFlow version 5 are not supported.
  • For 2xxE models and higher, flow export uses psudorandom sampling (approximately 1 of x packets).

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. Specifying the flow-tracking level controls which fields are exported:

Flow-tracking level Fields that are exported

IP

src.mac, dst.mac

MAC

src.ip, dst.ip, ip.ver

Port

src.ip, dst.ip, ip.ver, ip.proto

Protocol

src.ip, dst.ip, ip.ver, ip.proto, ip.src.port, ip.dst.port, tcp.flags

VLAN

src.ip, dst.ip, ip.ver, ip.proto, ip.src.port, ip.dst.port, tcp.flags, vlan

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

To use flow export:
  1. Enabling packet sampling
  2. Configuring flow export
  3. Viewing the flow-export data
  4. Deleting the flow-export data

Enabling packet sampling

To use flow export, you must first enable packet sampling for each switch port and trunk:

config switch interface

edit <interface>

set packet-sampler enabled

set packet-sample-rate <0-99999>

end

Configuring flow export

Using the GUI:
  1. Go to System > Flow Export > Configure.
  2. Configure the collectors.
    1. Click +.
    2. In the Name field, enter the name of the collector.
    3. Required. In the IP field, enter the IPv4 address for the collector. When the value is “0.0.0.0” or blank, the feature is disabled.
    4. In the Port field, enter the port number for the collector. The default port for NetFlow is 2055; the default port for IPFIX is 4739.
    5. In the Transport dropdown list, select SCTP, TCP, or UDP for the transport of exported packets.
  3. Configure the flow export options.
    1. In the Format drop-down list, select the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.
      NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.
    2. In the Identity field, enter a unique number to identify which FortiSwitch unit the data originates from. If the identity is not specified, the “Burn in MAC” value is used instead (from the get system status command output).
    3. In the Level field, select the flow-tracking level from one of the following:
      —When you select IP, the FortiSwitch unit collects the source IP address and destination IP address from the sample packet.
      —When you select MAC, the FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
      —When you select Port, the FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
      —When you select Protocol, the FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
      —When you select VLAN, the FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.
    4. In the Max Export Packet Size (Bytes) field, enter the maximum size of exported packets in the application level.
  4. Configure the timeouts.
    1. In the General field, enter the general timeout in seconds for the flow session.
    2. In the ICMP field, enter the ICMP timeout for the flow session.
    3. In the Max field, enter the maximum number of seconds before the flow session times out.
    4. In the TCP field, enter the TCP timeout for the flow session.
    5. In the TCP FIN field, enter the TCP FIN flag timeout for the flow session.
    6. In the TCP RST field, enter the TCP RST flag timeout for the flow session.
    7. In the UDP field, enter the UDP timeout for the flow session.
  5. Configure the aggregates.
    1. Select +.
    2. In the ID field, enter a number to identify the entry or use the default value.
    3. Required. In the IP/Netmask field, enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.
    4. To add another entry, select +.
  6. Select Update.
Using the CLI:

config system flow-export

set filter <BPF_filter>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set identity <hexadecimal>

set level {ip | mac | port | proto | vlan}

set max-export-pkt-size <512-9216 bytes>

set template-export-period <1-60 minutes>

set timeout-general <60-604800 seconds>

set timeout-icmp <60-604800 seconds>

set timeout-max <60-604800 seconds>

set timeout-tcp <60-604800 seconds>

set timeout-tcp-fin <60-604800 seconds>

set timeout-tcp-rst <60-604800 seconds>

set timeout-udp <60-604800 seconds>

config collectors

edit <collector_name>

set ip <IPv4_address>

set port <port_number>

set transport {sctp | tcp | udp}

end

config aggregates

edit <aggregate_ID>

set ip <IPv4_address_mask>

end

end

Viewing the flow-export data

Using the GUI:

Go to System > Flow Export > Monitor.

Using the CLI:

You can display the flow-export data or raw data for a specified number of records or for all records. You can also display statistics for flow-export data.

get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data statistics

NOTE: Layer-2 flows for netflow1 and netflow5 are not supported. For the output of the get system flow-export-data statistics command, the Incompatible Type field displays how many flows are not exported because they are not supported.

Deleting the flow-export data

Use the following commands to delete or expire all flow-export data:

diagnose sys flow-export delete-flows-all

diagnose sys flow-export expire-flows-all