jsauer
New Member
April 18, 2025
Question

config system netflow issues

Hi all,

I'm running into an interesting issue. We have a script in FortiManager that sets the source-ip of connections to their various services, Netflow, FSSO, LDAP, etc. However, after updating our firewalls to 7.2.11, I'm finding that the following no longer works:

 

config system netflow
    set source-ip $(lan1_ip)
end

Neither does

config system netflow
    config collectors
        edit 1
            set source-ip $(lan1_ip)
        end
    end

Did this command change between 7.2.10 and 7.2.11 and isn't documented, or did I miss it somewhere? I've opened a ticket with TAC, but figured I'd ask here as well to see if there's a faster response.

1 reply

hrahuman_FTNT
Staff & Editor
April 18, 2025
Hi,
 
Netflow config syntax is as follows.
 
config system netflow
    set active-flow-timeout Timeout to report active flows (60 - 3600 sec, default = 1800).
    set inactive-flow-timeout Timeout for periodic report of finished flows (10 - 600 sec, default = 15).
    set template-tx-timeout Timeout for periodic template flowset transmission (60 - 86400 sec, default = 1800).
    set template-tx-counter Counter of flowset records before resending a template flowset record.
    config collectors
        edit <table value>
            set collector-ip <Collector IP>
            set collector-port <NetFlow collector port number>
            set source-ip <Source IP address for communication with the NetFlow agent> -----> Specify the source IP here.
            set interface-select-method <Specify how to select outgoing interface to reach server>
    end
end
 
-Habeeb
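
Added example (not part of the thread and not Fortinet code): a small Python check that walks a CLI script and flags any netflow `set source-ip` line that sits outside a `config collectors` entry, which is where the syntax listing in the reply above places it. The sample script is constructed, the function names are hypothetical, and treating `end` inside an `edit` entry as closing both the entry and its table is an assumption.

```python
# Constructed sample script; $(lan1_ip) is the meta variable used in the thread.
SAMPLE = """\
config system ntp
    set source-ip $(lan1_ip)
end
config system netflow
    set source-ip $(lan1_ip)
end
config system netflow
    config collectors
        edit 1
            set source-ip $(lan1_ip)
        next
    end
end
"""

def source_ip_paths(script):
    """Return (path, value) for every `set source-ip` line in a CLI script."""
    stack, found = [], []  # stack entries: ("config" | "edit", name)
    for line in script.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append((words[0], " ".join(words[1:])))
        elif words[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif words[0] == "end":
            # Assumption: `end` inside an entry closes the entry and its table.
            if stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif words[:2] == ["set", "source-ip"]:
            path = tuple(name for _, name in stack)
            found.append((path, " ".join(words[2:])))
    return found

def misplaced_netflow_source_ip(script):
    """Netflow source-ip lines that are not inside a `config collectors` entry."""
    return [(path, value) for path, value in source_ip_paths(script)
            if path[:1] == ("system netflow",)
            and not (len(path) == 3 and path[1] == "collectors")]

if __name__ == "__main__":
    for path, value in misplaced_netflow_source_ip(SAMPLE):
        print("source-ip outside a collectors entry:", " > ".join(path), value)
```

Running such a check over a multi-service script before it is pushed shows which block each `set source-ip` line will land in.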
jsauer
Author
New Member
April 18, 2025

All of the other settings are there, I'm just updating the source-ip for any service that uses it (FSSO, LDAP, NTP, etc.). All of the other services take the set source-ip just fine (I can delete the config system netflow block), it's just netflow that is having an issue.

 

Our command blocks are broken down into need. So there's a script to set the collectors for netflow, set the servers for LDAP, FSSO, etc., but when pushing my CLI script that updates the source-ip for all of those services, only the netflow block is having an issue. This is where I'm confused.

 

My entire script has netflow, LDAP, FSSO, NTP, DNS, and others in it. I can remove the netflow section, and the script works perfectly fine. Hence the reason for my question. Did something change with the ability to update the source-ip for netflow?

jsauer
Author
New Member
April 18, 2025

Example of what should be in the config:

config system netflow
    config collectors
        edit 1
            set collector-ip <---- my collector address
            set collector-port <----- my collector port
            set source-ip $(lan1_ip)
        next
    end
end

 

I changed lan1_ip to a new value for the site.

 

I shouldn't have to re-do the entire block, should I? Typically, in the past, I just had to update the source ip using the script posted above and have done so as recently as 7.2.10. With 7.2.11, do I need to re-create the entire section? I just want to change the one line, which is set source-ip to the new value I entered as a meta field variable.