Systeembeheerder
New Member
January 19, 2021
Question

Bandwidth and applications Report does NOT contain all traffic.

Hi all

Hope someone can help me figure this out.

 

When I run the 'Bandwidth and applications Report' from the FortiAnalyzer v6.2.6 I see the Traffic Statistics with Total Bytes Transferred.

I would think this is all data (up+down) that went through the FortiGate at the configured time.

However, when I compare this to the data usage of the ISP, the value is always way too low to be correct on the FortiGate.

I already found out that when a firmware update is pushed from FortiManager to a FortiGate, that data transfer is not added to the data usage of the report...

 

So does anyone know how to make a report where I can see all data transfer for a custom period that will be exactly the same amount as the ISP shows in its report? That way we can drill down on what is consuming most data at remote offices.

(including FortiAnalyzer, FortiManager data transfers)

 

Thank you!!

    1 reply

    Yurisk
    SuperUser
    January 19, 2021

    I don't think it is possible. After all, FortiAnalyzer as well as FortiGate count bandwidth consumed based on the logs recorded, and there are no traffic logs for the local-to-FortiGate connections, i.e. when the FortiGate itself is the source or destination of these connections. This includes all FortiGuard/updates/DNS queries/connections with FortiManager/FortiAnalyzer/etc. I guess it is quite a lot of traffic. My conclusion is based on logic, not practical verification, so I can be wrong though.

     

    Systeembeheerder
    New Member
    January 19, 2021

    Hi Yuri

     

    When I compare the data from the ISP to the report of the FortiAnalyzer there is a difference of 2 GB.

    Report: 300 MB for 1 month, ISP: 2.3 GB for 1 month

    (all policies have full logging enabled)

     

    So that 2 GB would only be the traffic from or to the FG itself? It does look like a lot compared to the other traffic.

     

    The remote site (spoke) has a 4G SIM card in a FortiExtender, and we see 2.3 GB on the SIM card but don't know what is causing that data. If you know another way to achieve this, please let me know.

     

    Regards

    Yurisk
    SuperUser
    January 19, 2021

    Not sure, all of my clients have been on unmetered links so far and therefore I had no need to measure actual traffic.

    The only other option I can think of is collecting traffic stats via sFlow/NetFlow, which is interface based, not log based, and should be source/destination agnostic. I don't have any FortiGate with sFlow right now at hand to verify regarding its FortiGate-generated traffic.

    https://docs.fortinet.com/document/fortigate/6.0.0/handbook/505119/configuring-sflow
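
The gap discussed in this thread, between log-based byte totals and interface-based counters, can be measured with a reconciliation like the one below. This is an added example, not part of the original posts and not Fortinet code. It assumes traffic logs exported in key=value form with `sentbyte`/`rcvdbyte` fields and 64-bit octet counters read from the WAN interface at the start and end of the period; all sample values are constructed.

```python
import re

# Constructed sample lines in FortiGate key=value traffic-log style (not real logs).
SAMPLE_LOGS = """\
date=2021-01-19 time=10:00:01 type="traffic" subtype="forward" srcip=10.1.1.10 dstip=203.0.113.5 service="HTTPS" sentbyte=120000 rcvdbyte=880000
date=2021-01-19 time=10:05:12 type="traffic" subtype="forward" srcip=10.1.1.11 dstip=198.51.100.7 service="DNS" sentbyte=300 rcvdbyte=700
date=2021-01-19 time=10:09:40 type="traffic" subtype="forward" srcip=10.1.1.10 dstip=203.0.113.5 service="HTTPS" sentbyte=9000 rcvdbyte=90000
"""

# Constructed (in, out) octet counters for the WAN interface at the start and end
# of the period; the inbound counter wraps past 2**64 on purpose.
COUNTER_START = (2**64 - 500_000, 1_000_000)
COUNTER_END = (4_500_000, 1_600_000)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def logged_bytes(text):
    """Sum sentbyte + rcvdbyte per service over all traffic log lines."""
    per_service = {}
    for line in text.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if rec.get("type") != "traffic":
            continue
        size = int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        svc = rec.get("service", "unknown")
        per_service[svc] = per_service.get(svc, 0) + size
    return sum(per_service.values()), per_service

def counter_delta(start, end, width=64):
    """Difference between two readings of a counter that wraps at 2**width."""
    return (end - start) % (1 << width)

def interface_bytes(start, end):
    """Total bytes seen on the interface (in + out) between two samples."""
    return sum(counter_delta(s, e) for s, e in zip(start, end))

def reconcile(log_text, start, end):
    """Compare what the logs account for with what crossed the interface."""
    logged, per_service = logged_bytes(log_text)
    on_wire = interface_bytes(start, end)
    return {"logged": logged, "on_wire": on_wire, "unlogged": on_wire - logged,
            "logged_share": round(logged / on_wire, 3), "per_service": per_service}

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_LOGS, COUNTER_START, COUNTER_END).items():
        print(f"{key}: {value}")
```

Interface counters also include frame overhead and retransmissions, so a small residual gap remains even when every session is logged.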