FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196080


This article describes how to configure a FortiGate for NetFlow.
NetFlow is a feature that provides the ability to collect IP network traffic as it enters or exits an interface.
By analyzing the data provided by NetFlow, a network administrator can determine items such as the source and destination of traffic, class of service, and the causes of congestion.

NetFlow records are traditionally exported using User Datagram Protocol (UDP) and collected using a NetFlow collector.
The IP address of the NetFlow collector and the destination UDP port must be configured on the sending device (in this case, it is the FortiGate).

The standard value is UDP port 2055, but other values like 9555, 9025, or 9026 can also be used.

In a multi-VDOM environment, it will not be possible to configure Netflow on the root VDOM or any management VDOM as this configuration will be inherited from the global VDOM.







Configure the Netflow collector IP. This can be done in a non-VDOM environment or under the global VDOM to monitor any management VDOM traffic in a multi-VDOM environment:
config system netflow
    set collector-ip <ip>
    set collector-port <0-65535>
    set source-ip <ip>
    set active-flow-timeout <integer. Values 1-60. Default 30>
    set inactive-flow-timeout <integer. Values 10-600. Default 15>
    set template-tx-timeout <integer. Values 1-1440. Default 30>
    set template-tx-counter <integer. Values 10-6000. Default 20>
Refer here for the default values:
Additional Configuration:

In some environments where SD-WAN is incorporated and traffic for Netflow may be required to go over a tunnel interface not associated with the SD-WAN setup, setting the source IP and creating a static route in the routing table will not be enough to ensure the traffic flows over the specified interface. In this case, use the following configuration to ensure traffic goes over the specified interface.
config system netflow
          set interface-select-method specify <- Set to auto by default so it can use various methods of selection such as SD-WAN rules
          set interface <tunnel or required interface>
Enabling Netflow on the Interface:
config system interface
    edit <interface name>
    set netflow-sampler both

The following options are available for the Netflow sampler:
tx:      Monitor transmitted traffic on this interface.
rx:      Monitor received traffic on this interface.
both:    Monitor transmitted/received traffic on this interface.

If the connection is from Client to Server, either it is download or upload, it is still in the same direction and is in one session.

  1. If the client downloads or uploads, it is still one session. (Src ip and dst ip are the same.)
Server -------------P2_FGT_P1------------ Client1
                             |----------- Client2
In the above scenario, even if netflow-sampler is chosen as 'both', traffic would not be seen as different with respect to ingress and egress.
  1. If there are two clients from two ends connecting to the opposite side then it should show both directions as shown below:


Server1 ------------|P2_FGT_P1 |--------------- Client1
Client2 ------------|__________|--------------- Server2


Verification of Configuration and troubleshooting.

If data is not seen on the Netflow collector after configuring the Netflow as shown above, the following sniffer commands should help verify if there is communication between the FortiGate and the Netflow collector:

diagnose sniffer packet any 'port 9995'  6 0 a(where the collector port is 9995)

Alternatively, use a sniffer on the Netflow collector IP:
diagnose sniffer packet any 'host x.x.x.x' 6 0 a(where x.x.x.x is the IP address of the Netflow collector.)

Using Netflow with VDOMs.

For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:
config vdom
    edit root         <- Root is an example. Change it to the non-management VDOM name as required.
config sys vdom-netflow
    set vdom-netflow enable   <- This setting must be enabled before proceeding to the next setting.
    set collector-ip <ip>
    set collector-port <0-65535>
    set source-ip <ip>
config system interface
    edit wan1                 <- Change the interface to the one to be used.
        set netflow-sampler both
When 'ha-direct' is disabled under HA settings, Netflow always tries to send the traffic out on the mgmt interface. To send the NetFlow traffic via a routed interface in each VDOM, NetFlow IP must be disabled or put under global settings.
Viewing the Configuration.

Netflow does not have a separate daemon and is instead running under sflowd. The current Netflow configuration can be viewed by using test level 3 or 4:
diagnose test application sflowd 3
diagnose test application sflowd 4

FortiGate allows for the setup of Netflow in multi-VDOM environment interfaces, but it will not allow configuring it in the management VDOM as the command is simply not there.

This happens because the management VDOM feeds the Netflow configuration from the Global configuration. This means that, if it is necessary to setup Netflow for a management VDOM, it is necessary to do it in the Global VDOM.

In a multi-VDOM environment and for any non-management VDOM, it will be possible to setup Netflow with the command 'config system vdom-netflow'.
But for the management VDOM that does not work:
It is therefore necessary to configure it on the Global VDOM with the following command:
config system netflow


Related articles:

Technical Tip: How to configure sample-rate for Netflow.

Troubleshooting Tip: Sflow and netflow issues.

Technical Tip: Best practices for performance acceleration with reference to sFlow and NetFlow.