Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

Configuring flow tracking and export

You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.

When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

To configure flow tracking on managed FortiSwitch units:

config switch-controller flow-tracking

set sample-mode {local | perimeter | device-ingress}

set sample-rate <0-99999>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set collector-ip <collector IP address>

set collector-port <0-65535; default is 0>

set transport {udp | tcp | sctp}

set level {vlan | ip | port | proto}

set filter <string>

set max-export-pkt-size <512-9216 bytes; default is 512>.

set timeout-general <60-604800 seconds; default is 3600>

set timeout-icmp <60-604800 seconds; default is 300>.

set timeout-max <60-604800 seconds; default is 604800>

set timeout-tcp <60-604800 seconds; default is 3600>

set timeout-tcp-fin <60-604800 seconds; default is 300>

set timeout-tcp-rst <60-604800 seconds; default is 120>

set timeout-udp <60-604800 seconds; default is 300>

end

Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.

  • The local mode samples packets on a specific FortiSwitch port.
  • The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
  • The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.

Configure the sampling rate

For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.

Configure the flow-tracking protocol

You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

Configure collector IP address

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.

Configure the flow-tracking level

You can set the flow-tracking level to one of the following:

  • vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sample packet.
  • ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
  • port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample packet.

Configure the filter

Use the Berkeley Packet Filter to specify what packets to sample.

Configure the maximum exported packet size

You can set the maximum size of exported packets in the application level.

To remove flow reports from a managed FortiSwitch unit:

execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>

Expired flows are exported.

To view flow statistics for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>

To view raw flow records for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>

To view flow record data for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>

For example:

diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6

Configuring flow tracking and export

You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.

When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

To configure flow tracking on managed FortiSwitch units:

config switch-controller flow-tracking

set sample-mode {local | perimeter | device-ingress}

set sample-rate <0-99999>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set collector-ip <collector IP address>

set collector-port <0-65535; default is 0>

set transport {udp | tcp | sctp}

set level {vlan | ip | port | proto}

set filter <string>

set max-export-pkt-size <512-9216 bytes; default is 512>.

set timeout-general <60-604800 seconds; default is 3600>

set timeout-icmp <60-604800 seconds; default is 300>.

set timeout-max <60-604800 seconds; default is 604800>

set timeout-tcp <60-604800 seconds; default is 3600>

set timeout-tcp-fin <60-604800 seconds; default is 300>

set timeout-tcp-rst <60-604800 seconds; default is 120>

set timeout-udp <60-604800 seconds; default is 300>

end

Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.

  • The local mode samples packets on a specific FortiSwitch port.
  • The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
  • The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.

Configure the sampling rate

For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.

Configure the flow-tracking protocol

You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

Configure collector IP address

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.

Configure the flow-tracking level

You can set the flow-tracking level to one of the following:

  • vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sample packet.
  • ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
  • port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample packet.

Configure the filter

Use the Berkeley Packet Filter to specify what packets to sample.

Configure the maximum exported packet size

You can set the maximum size of exported packets in the application level.

To remove flow reports from a managed FortiSwitch unit:

execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>

Expired flows are exported.

To view flow statistics for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>

To view raw flow records for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>

To view flow record data for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>

For example:

diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6