FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.


This article explains how to configure a FortiGate for NetFlow.

NetFlow is a feature that provides the ability to collect IP network traffic as it enters or exits an interface.
By analyzing the data provided by NetFlow, a network administrator can determine items such as the source and destination of traffic, class of service, and the causes of congestion.

NetFlow records are traditionally exported using User Datagram Protocol (UDP) and collected using a NetFlow collector.
The IP address of the NetFlow collector and the destination UDP port must be configured on the sending device (in this case, it is the FortiGate).

The standard value is UDP port 2055, but other values like 9555, 9025, or 9026 can also be used.

In a multi-VDOM environment it will not be possible to configure Netflow on the route VDOM as this configuration will be inherited from the global VDOM.



Configuring the Netflow collector IP:

# config system netflow
    set collector-ip <ipv4_addr>
    set collector-port <port_int>
Enabling Netflow on the Interface:

# config system interface
    edit <interface name>
    set netflow-sampler both

The following options are available for the Netflow sampler:

tx:      Monitor transmitted traffic on this interface.
rx:      Monitor received traffic on this interface.
both:    Monitor transmitted/received traffic on this interface.

If the connection is from Client to Server, either it is download or upload, it is still in the same direction and is in one session.


1) If the client downloads or uploads still it is in one session. (src ip , dst ip are the same).

Server -------------P2_FGT_P1------------ Client1
                             |----------- Client2

So, in the above scenario, even if netflow-sampler is chosen as 'both', traffic would not be seen as different with respect to ingress and egress.

2) If there are two clients from two ends connecting to the opposite side then it should show both directions as shown below:

Server1 ------------|P2_FGT_P1 |--------------- Client1
Client2 ------------|__________|--------------- Server2

Verification of Configuration and troubleshooting:

If data is not seen on the Netflow collector after configuring the Netflow as shown above, then the following sniffer commands should help verify if there is communication between the FortiGate and the Netflow collector:

#diagnose sniffer packet any 'port 9995'  6 0 a
(where the collector port is 9995)

Or use a sniffer on the Netflow collector IP:
#diagnose sniffer packet any 'host x.x.x.x' 6 0 a
(where x.x.x.x is the IP address of the Netflow collector.)

Using Netflow with VDOMs:

For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:

# config vdom
    edit root                              <----- root is an example, change to the required VDOM name.
# config sys vdom-netflow
    set collector-ip <ipv4_addr>
    set collector-port <port_int>
    set source-ip x.x.x.x

    edit wan1                               <----- change the interface to the one to be used.
        set netflow-sampler both
Viewing the Configuration:

Netflow does not have a separate daemon and is instead running under sflowd. The current Netflow configuration can be viewed by using test level 3 or 4:

#diagnose test application sflowd 3
#diagnose test application sflowd 4
FortiGate allows to setup Netflow in multi-VDOM environment interfaces but it will not allow to configure it in the management VDOM as the command is simply not there.

This happens because the management VDOM feeds the Netflow configuration from the Global configuration so if it is necessary to setup Netflow for a management VDOM, it i necessary to do it in the Global VDOM.

In a multi-VDOM environment and for any normal VDOM, it will be possible to setup Netflow with the command '# config system vdom-netflow'.
But for the management VDOM that does not work:

So it is necessary to configure it on the Global VDOM with the command '# config system netflow':


Related Articles

Technical Tip: How to configure sample-rate for Netflow

Troubleshooting Tip: Sflow and netflow issues