FortiSIEM Blog
Did you know that FortiSIEM can ingest NetFlow traffic? Send NetFlow traffic to FortiSIEM and it will be ingested, parsed, written to our common database, and made available for analysis, dashboards, correlation and reports!

NetFlow is processed by our Rapid Scale Architecture. A FortiSIEM collector node will process flow traffic alongside regular log traffic - no need for complex architecture or special node types. The parsed flow data is written into our common event database, alongside log and performance events.


Our combined NOC & SOC architecture makes NetFlow data available directly in our analytics engine alongside log and performance data. This common interface simplifies NetFlow analysis, there is no need to learn different interfaces to analyze flow, performance and log traffic. Of course this also means the NetFlow reports use the same structure as other FortiSIEM reports, providing a common reporting interface too.


Our widget based dashboards have a range of visualizations that are ideal for visualizing NetFlow traffic: geo map, line chart, Sankey, chord, choropleth, and others provide a variety of flexible and powerful ways to visualize NetFlow data.: 


NetFlow traffic is parsed by FortiSIEMs parsing and correlation engine - so you can build correlation rules on flow traffic in a similar way to regular logs. Baseline rules are an advanced feature particularly suited to flow traffic; baseline rules don't use a static threshold, instead they track a moving baseline and alert if there is a significant deviation from it.

Key Takeaways

  • FortiSIEM's Rapid Scale Architecture ingests NetFlow traffic alongside regular log traffic
  • NetFlow traffic is parsed and written to a common database alongside log traffic
  • FortiSIEM's combined NOC & SOC analytics means you use the same analytics, reporting, rules and dashboard interface for NetFlow traffic as you use for performance and regular log traffic!