Hello,
I've been enabling sFlow/NetFlow on all our Cisco firewalls and routers, and all the data is successfully showing up. I've now been asked to enable it on a FortiGate firewall, which I have no experience with (FortiGate 60D v5.0, build0208 GA Patch 3).
I've added the following but nothing is coming through on the Netflow server:
config system sflow
    set collector-ip 192.168.18.159
    set collector-port 9996
end
config system interface
    edit internal
        set sflow-sampler enable
        set sample-rate 512
        set sample-direction both
        set polling-interval 30
    next
    edit WAN
        set sflow-sampler enable
        set sample-rate 512
        set sample-direction both
        set polling-interval 30
    next
    edit DMZ
        set sflow-sampler enable
        set sample-rate 512
        set sample-direction both
        set polling-interval 30
    next
end
Maybe the flows are being sent via the wrong interface and can't get to the sFlow/NetFlow server? The sFlow/NetFlow server is at a remote site, reached via a router that sits on the same VLAN as the 'internal' interface.
FIREWALL # diagnose sniffer packet 'host 192.168.18.159' 6 0 a
interfaces=[host 192.168.18.159]
filters=[6]
pcap_open_live: ioctl: No such device for host 192.168.18.159
Thanks
You're on the right track, but did you enable it if you're in a VDOM?
e.g.
config system vdom-sflow
    set vdom-sflow enable
    set collector-ip 192.168.18.159
    set collector-port 9996
    set source-ip 0.0.0.0    <----- change this to set the src_ip
end
Also, are you 100% sure the FGT60D supports sFlow, and for that FortiOS version?
Ken
PCNSE
NSE
StrongSwan
FWIW, RTFM for the release notes: bugs, fixes, notes...
"171529 sFlow does not work correctly with NPU interfaces."
http://docs.fortinet.com/uploaded/files/1032/FortiOS-v5.0-Patch-Release-3-Release-Notes.pdf
That FortiOS version is quite old, and you should really upgrade IMHO.
ken
PCNSE
NSE
StrongSwan
Hi all,
It seems only the interface named 'internal' is showing up, I guess because I set:
set source-ip 10.20.30.1
10.20.30.1 is the IP of the internal interface, which can get to the NetFlow server; not sure why the other interfaces can't get there.
I don't think we use vdom.
What is the recommended version to go to?
Thanks
Just noticed only inbound traffic is showing too.
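As an added example (not from this thread or from Fortinet), a small sFlow v5 decoder that can be run on the collector host on UDP 9996 to confirm that datagrams arrive at all and to see which agent address and which input/output ifIndex values the FortiGate actually reports, which is the quickest way to tell "only internal" and "only inbound" apart from a routing problem. The sample datagram, agent address and ifIndex values are constructed for the test.

```python
import socket
import struct

def parse_sflow_v5(data: bytes) -> dict:
    """Decode an sFlow v5 datagram header and its flow samples (agent address,
    sequence number, and per sample the sampling rate and input/output ifIndex)."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
    agent = ".".join(str(b) for b in data[8:12])
    sub_agent, seq, _uptime_ms, n_samples = struct.unpack_from("!IIII", data, 12)
    off, samples = 28, []
    for _ in range(n_samples):
        fmt, length = struct.unpack_from("!II", data, off)  # enterprise<<12 | format, byte length
        body, off = data[off + 8:off + 8 + length], off + 8 + length
        if fmt == 1:  # standard flow sample; counter samples (fmt 2) are skipped
            _s, source_id, rate, _pool, _drops, in_if, out_if, n_rec = struct.unpack_from("!8I", body, 0)
            samples.append({"source_id": source_id, "sampling_rate": rate,
                            "input_if": in_if, "output_if": out_if, "records": n_rec})
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq, "samples": samples}

def interfaces_seen(report: dict) -> set:
    """ifIndex values reported as input or output, excluding 0 ('unknown')."""
    seen = set()
    for s in report["samples"]:
        seen.update((s["input_if"], s["output_if"]))
    return seen - {0}

def build_flow_sample(rate: int, in_if: int, out_if: int) -> bytes:
    """Constructed flow sample carrying zero flow records (enough for header checks)."""
    body = struct.pack("!8I", 1, in_if, rate, rate, 0, in_if, out_if, 0)
    return struct.pack("!II", 1, len(body)) + body

# Constructed datagram: agent 10.20.30.1, sequence 42, two samples between ifIndex 3 and 5 at rate 512.
SAMPLE_DATAGRAM = (struct.pack("!II", 5, 1) + bytes([10, 20, 30, 1])
                   + struct.pack("!IIII", 0, 42, 123456, 2)
                   + build_flow_sample(512, 3, 5) + build_flow_sample(512, 5, 3))

if __name__ == "__main__":
    # Bind the collector port used in the thread and print what each datagram reports.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 9996))
    while True:
        datagram, (src, _) = sock.recvfrom(65535)
        r = parse_sflow_v5(datagram)
        print(src, "agent", r["agent"], "seq", r["sequence"], "ifIndex", sorted(interfaces_seen(r)))
```

If nothing is printed at all, the datagrams are not reaching the host (routing or source-ip); if only one ifIndex ever appears, the sampler on the other interfaces is not producing samples.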