LIVE MONITORING: What IPs using up most bandwidth right now?

I'd rather to use other solution like fortianalyzer and fireplotter.

Also I suppose you to upgrade 5.2.1. In FortiView menu you have better reports.

Take a look at this blog I pulled together. This is what I do sometimes when managing devices that have no true collections methods.

http://socpuppet.blogspot.com/2014/09/howto-find-out-how-many-bps-policy-is.html

If you have unix and plotting skills, you can poll the unit and build statistics. It's also a good means when t-shooting a specific event at that time.

Forticloud would be another option with trending.

am using firewall analyzer .. fortianalyzer is a good option to..

Hi Derek,

You cant do proper monitoring using the FortiGate counters (Fortigate/FortiCloud/FortiAnalyser/SNMP)

All traffic that is offloaded to the hardware acceleration isn't counted anymore so you wont see correct numbers.

You need at least a NP6 network processor to get the offloaded traffic counted correctly. (only in high end FortiGate models)

This is also explained in the fortigate-hardware-accel documentation.

I'm really disapointed about this because reporting and monitoring was one of our mandatory requirements when bought our FortiGate cluster. Our FortiNet partner didn't told me it wouldn't work without buying expensive high end models. So we are stuck with useless traffic reporting.. :(

The only workaround is completely disabling the traffic offloading but that puts all the stress on the normal processor so it has a huge performance penalty.

You can also check the folowing blog for a nice explaination:

http://blog.helge.net/2014/05/fortigate-snmp-interface-counters-is.html

Maybe you can get yourselve a switch that supports Netflow and use that information to do the alerting.

You need at least a NP6 network processor to get the offloaded traffic counted correctly. (only in high end FortiGate models) This is also explained in the fortigate-hardware-accel documentation.  

Correct in some case but you have one more method. Netflow. yes netflow is a support  function in 5.2.

But you have one more friend.

( it's like 6-8 lines  of cfg )

config system netflow     set collector-ip 10.10.80.11     set collector-port 5400     set source-ip 10.10.80.1     set active-flow-timeout 10     set inactive-flow-timeout 5 end

provides on interfaces that are Layer3 assigned. Don't think it will  work with transparent mode vdom. And then you have sflow as an alternative.

Hi Emnoc,

But i wonder if the netflow packets include the offloaded traffic statistics or also only the first packet of a flow and traffic that can not be offloaded.

Any experience on this?

We believe this is just as reliable and we have numerous fortigates with no NP6 asic. You can validate by install a flow collector and generate a multiple  of flows at a set rate ( iperf/jperf /D-ITG comes in handy ) and then monitor the flow cache and information.

How much statistics are lost when offload is not 100% rock solid. Also we find only  vpn encrypted traffic seems to exhibit flutter and fluctuations when do our own benchtesting.

You can try sflow and but be aware of the polling interval which is always a requirement for sflow. I believe a few opensource  or demo collectors that support sflow collections exists. The sflow exportation has been out as earlier as v4.0, and netflow  since v5.2. Netflow is probably more redefine due to the number of cisco device out in planet earth,  so more collectors are netflow aware & internet community in whole is more netflow knowledgeable.

Hello emnoc, MBR, norouzi, and Fahad.

Thanks very much for your expert feedback - all great info, some of it I must admit over my head since I'm not a networking expert (I'm an IT manager, so more of a generalist). I do have hopes that I will be able to hire a network engineer to help me soon.

What has worked good enough for the small office I'm based in:

1. In the Top Sessions widget, I set to report by Source Address

2. In the widget I right-click on source IP with top bandwidth usage and choose "Show Top Destinations" or "Show Top Applications"

The above has helped to reveal to me who in my office was utilizing a ton of bandwidth (based on their IP address) and what sites they were connecting to (local video streaming sites reporting on the Hong Kong protests).

I hope to be able to get more advanced reporting, logging and analysis by getting a FortiAnalyzer, managed by a network engineer.

Thanks again, all.

Cheers,

Derek

Hi,

You could use Forticloud or Fortianalyser for enhanced logging, you can request a trial of Fortianalyzer if you wanted to test it first

Mark

Hi Mark/Derek,

The main issue is that offloaded traffic isn't counted. So it doesn't matter which tool you use to create reports and graphs. The base information is incomplete so you will never get 100% correct results.