Netflow and IPFIX support

You can configure Netflow (v1, v5, and v9) and IP Flow Information Export (IPFIX) on managed FortiSwitch units on switch controller. The resulting data are available in FortiView and to FortiAnalyzer for traffic statistics and topology views. Traffic sampling data can be used to show which users and device behind a switch are generating the most traffic.

The following CLI can be used to configure flow-tracking parameters:

config system flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <integer>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set collector-ip <ip_address>
    set collector-port <integer>
    set transport {udp | tcp | sctp}
    set level {vlan | ip | port | proto}
    set max-export-pkt-size <integer>
    set timeout-general <integer>
    set timeout-icmp <integer>
    set timeout-max <integer>
    set timeout-tcp <integer>
    set timeout-tcp-fin <integer>
    set timeout-tcp-rst <integer>
    set timeout-udp <integer>
    config aggregates
        edit <id>
            set ip <ip_address>
        next
    end
end

Variable	Description
sample-mode {local \| perimeter \| device-ingress}	Sample mode for flow tracking. `local`: Sample on the specific FortiSwitch port. Sampling must be enabled on the specific FortiSwitch ports using the `config switch-controller managed-switch` and `config ports` commands. `perimeter`: Sample on all non-fabric FortiSwitch ports, including the access and FortiLink ports, but not the FortiLink ISL port. `device-ingress`: Sample on all FortiSwitch ports.
sample-rate <integer>	Sample rate for the perimeter and device-ingress sampling (0 - 99999, default = 512).
format {netflow1 \| netflow5 \| netflow9 \| ipfix}	Flow tracking protocol (default = netflow9).
collector-ip <ip_address>	Collector IP address. An all-zero IP address implies the feature is disabled
collector-port <integer>	Collector port number (0 - 65535, default=0).
transport {udp \| tcp \| sctp}	L4 transport protocol for exporting packets (default = udp).
level {vlan \| ip \| port \| proto}	Flow tracking level. `vlan`: Collect srcip/dstip/srcport/dstport/protocol/tos/vlan from the sample packet. `ip`: Collect srcip/dstip from the sample packet (default). `port`: Collect srcip/dstip/srcport/dstport/protocol from the sample packet. `proto`: Collect srcip/dstip/protocol from the sample packet.
max-export-pkt-size <integer>	Flow maximum export packet size, in bytes (512 - 9216, default = 512).
timeout-general <integer>	Flow session general timeout, in seconds (60 - 604800, default = 3600).
timeout-icmp <integer>	Flow session ICMP timeout, in seconds (60 - 604800, default = 300).
timeout-max <integer>	Flow session maximum timeout, in seconds (60 - 604800, default = 604800).
timeout-tcp <integer>	Flow session TCP timeout, in seconds (60 - 604800, default = 3600).
timeout-tcp-fin <integer>	Flow session TCP FIN timeout, in seconds (60 - 604800, default = 300).
timeout-tcp-rst <integer>	Flow session TCP RST timeout, in seconds (60 - 604800, default = 120).
timeout-udp <integer>	Flow session UDP timeout, in seconds (60 - 604800, default = 300).
`config aggregates` subcommand: Aggregates in which all traffic sessions matching the IP address will be grouped into the same flow.
ip <ip_address>	IP address to group all matching traffic sessions to a flow.

More Links

NetFlow

Netflow and IPFIX support

The following CLI can be used to configure flow-tracking parameters:

config system flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <integer>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set collector-ip <ip_address>
    set collector-port <integer>
    set transport {udp | tcp | sctp}
    set level {vlan | ip | port | proto}
    set max-export-pkt-size <integer>
    set timeout-general <integer>
    set timeout-icmp <integer>
    set timeout-max <integer>
    set timeout-tcp <integer>
    set timeout-tcp-fin <integer>
    set timeout-tcp-rst <integer>
    set timeout-udp <integer>
    config aggregates
        edit <id>
            set ip <ip_address>
        next
    end
end

Variable	Description
sample-mode {local \| perimeter \| device-ingress}	Sample mode for flow tracking. `local`: Sample on the specific FortiSwitch port. Sampling must be enabled on the specific FortiSwitch ports using the `config switch-controller managed-switch` and `config ports` commands. `perimeter`: Sample on all non-fabric FortiSwitch ports, including the access and FortiLink ports, but not the FortiLink ISL port. `device-ingress`: Sample on all FortiSwitch ports.
sample-rate <integer>	Sample rate for the perimeter and device-ingress sampling (0 - 99999, default = 512).
format {netflow1 \| netflow5 \| netflow9 \| ipfix}	Flow tracking protocol (default = netflow9).
collector-ip <ip_address>	Collector IP address. An all-zero IP address implies the feature is disabled
collector-port <integer>	Collector port number (0 - 65535, default=0).
transport {udp \| tcp \| sctp}	L4 transport protocol for exporting packets (default = udp).
level {vlan \| ip \| port \| proto}	Flow tracking level. `vlan`: Collect srcip/dstip/srcport/dstport/protocol/tos/vlan from the sample packet. `ip`: Collect srcip/dstip from the sample packet (default). `port`: Collect srcip/dstip/srcport/dstport/protocol from the sample packet. `proto`: Collect srcip/dstip/protocol from the sample packet.
max-export-pkt-size <integer>	Flow maximum export packet size, in bytes (512 - 9216, default = 512).
timeout-general <integer>	Flow session general timeout, in seconds (60 - 604800, default = 3600).
timeout-icmp <integer>	Flow session ICMP timeout, in seconds (60 - 604800, default = 300).
timeout-max <integer>	Flow session maximum timeout, in seconds (60 - 604800, default = 604800).
timeout-tcp <integer>	Flow session TCP timeout, in seconds (60 - 604800, default = 3600).
timeout-tcp-fin <integer>	Flow session TCP FIN timeout, in seconds (60 - 604800, default = 300).
timeout-tcp-rst <integer>	Flow session TCP RST timeout, in seconds (60 - 604800, default = 120).
timeout-udp <integer>	Flow session UDP timeout, in seconds (60 - 604800, default = 300).
`config aggregates` subcommand: Aggregates in which all traffic sessions matching the IP address will be grouped into the same flow.
ip <ip_address>	IP address to group all matching traffic sessions to a flow.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Cookbook

Netflow and IPFIX support

Netflow and IPFIX support

More Links

Netflow and IPFIX support

Netflow and IPFIX support