Moving netflow date/times...

Forum|Forum|5 years ago
November 4, 2020
1 reply
3952 views

About 9 days ago we started receiving netflow data from a customer's FortiGate firewall. At that time, the date/times in the flows were about 12 days in the past. I have confirmed the "bad" times exist in the incoming raw packets. Over the next 8 days, the date/times were catching up to the current time, and then they started moving into the future, where currently they're about 2 days into the future and getting worse. My question is, has anyone seen behavior like this before?

emnoc

New Member

No, but can you grab a pcap and inspect the netflow fields?

Also what version of fortios? I would also gather the local time is correct (get system status ) . Believe the timestamps are unixo rlocalk time but I have decode netflow in a while. You also should grab the sysuptime field also. That should match the system local ticks

Ken Felix

kadeyAuthor

New Member

Version is 6.2.4. I did inspect a pcap, that's how I identified the problem. I took the current seconds, subtracted the sysuptime, then added the duration seconds.

emnoc

New Member

IRRC their two fields in netflow sysuptime and the actual time you should not need to do any calculations.

Look at the packet dump png in this post for v8, but v5 & v9 are similar

https://socpuppet.blogspot.com/2013/05/netflow-on-juniper-srx.html

Did you check the firewall clock time?

"get system status"

You have to make sure ntp is working correctly for netflow to be beneficial. If the time is off, you will have a host of issues from my past experience. I'm running 6.2.4 btw and exporting netflow from a FGT500E with no problems. We are upgrading to 6.2.5 this weekend.

Ken Felix

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded