Hi, guys,
FortiOS v7.0.3 is applied on FortiGate 60E and 400E; we found that the FortiGate NetFlow traffic cannot be read by the Grafana tool v8.1.5-1, which uses "logstash-8.3.1-1 collect", "Promtail version: 2.3.0", "Loki version: 2.3.0".
The NetFlow configuration in FortiWiFi 60E:
config system netflow
    set collector-ip 10.10.1.86
    set source-ip 10.10.1.1
    set active-flow-timeout 300
end
config system interface
    edit "lan"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping https ssh
        set type switch
        set netflow-sampler both
        set sflow-sampler enable
        set description "mod3"
        set device-identification enable
        set role lan
        set snmp-index 10
    next
end
Configuration verification
========================
18FwF60Mgt1# diag test application sflowd 3
===== Netflow Vdom Configuration =====
Global collector:10.10.1.86:[2055] source ip: 10.10.1.1 active-timeout(seconds):300 inactive-timeout(seconds):15
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)
|_ coll_ip:10.10.1.86[2055],src_ip:10.10.1.1,seq_num:33,pkts/time to next template: 7/1555
|_ exported: Bytes:81510, Packets:784, Sessions:87 Flows:87
|____ interface:lan sample_direction:TX device_index:23 snmp_index:10
18FwF60Mgt1# diag test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max count:67857
18FwF60Mgt1#
=====================================
From Grafana, we got the following templates from the FortiGate:
Template ID 258
===================
{"src_geoip":{"geo":{"country_name":"United States","country_iso_code":"US"}},
"@timestamp":"2022-08-01T06:08:22Z",
"type":"netflow",
"dst_geoip":{"geo":{"country_name":"Hong Kong","city_name":"Kwai Chung","region_name":"Tsuen Wan District","country_iso_code":"HK"}},
"netflow":{"in_pkts":12,"application_id":"20..12356..0","forwarding_status":{"reason":0,"status":1},"protocol":6,"l4_src_port":443,"first_switched":"2022-08-01T06:07:08.550Z","ipv4_src_addr":"73.243.13.61","input_snmp":3,"postIpDiffServCodePoint":255,"flow_seq_num":331491,"in_bytes":7244,"out_bytes":7244,"last_switched":"2022-08-01T06:08:10.290Z","flow_end_reason":3,"flowset_id":258,"ipv4_dst_addr":"204.16.120.94","output_snmp":0,"l4_dst_port":3543,"version":9,"out_pkts":12},
"host":{"ip":"10.10.1.1"},"@version":"1"}
===================
Template ID 260
===================
{"src_geoip":{"geo":{"country_name":"United States","city_name":"San Mateo","region_name":"California","country_iso_code":"US"}},
"@timestamp":"2022-08-01T06:31:23Z",
"type":"netflow",
"dst_geoip":{"geo":{"country_name":"Hong Kong","city_name":"Kwai Chung","region_name":"Tsuen Wan District","country_iso_code":"HK"}},
"netflow":{"in_pkts":10,"application_id":"20..12356..0","forwarding_status":{"reason":3,"status":3},"protocol":1,"first_switched":"2022-08-01T06:30:01.080Z","ipv4_src_addr":"147.246.116.7","input_snmp":3,"flow_seq_num":331776,"in_bytes":840,"out_bytes":840,"last_switched":"2022-08-01T06:30:10.080Z","icmp_type":8,"flow_end_reason":0,"flowset_id":260,"ipv4_dst_addr":"204.16.120.94","output_snmp":0,"version":9,"out_pkts":10},
"host":{"ip":"10.10.1.1"},"@version":"1"}
===================
Template ID 262
===================
{"src_geoip":{},
"@timestamp":"2022-08-01T06:08:22Z",
"type":"netflow","dst_geoip":{},
"tags":["_geoip_lookup_failure"],
"netflow":{"in_pkts":5,"forwarding_status":{"reason":0,"status":1},"l4_src_port":49753,"xlate_dst_addr_ipv4":"0.0.0.0","first_switched":"2022-08-01T06:07:45.520Z","flow_seq_num":331491,"in_bytes":260,"out_bytes":260,"last_switched":"2022-08-01T06:08:00.490Z","xlate_dst_port":0,"xlate_src_addr_ipv4":"10.10.1.1","output_snmp":10,"l4_dst_port":10051,"version":9,"out_pkts":5,"application_id":"20..12356..0","protocol":6,"ipv4_src_addr":"10.255.253.200","input_snmp":7,"postIpDiffServCodePoint":255,"flow_end_reason":1,"flowset_id":262,"ipv4_dst_addr":"10.10.1.107","xlate_src_port":49753},
"host":{"ip":"10.10.1.1"},"@version":"1"}
===================
Our questions:
1. Are the FortiGate NetFlow templates correctly received by Grafana?
2. Why is "in_bytes" = "out_bytes"?
Thanks so much for your great help.
BensonLEI
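To check question 1 independently of Logstash, the following is a minimal NetFlow v9 decoder written as an added example for this thread (it is not code from the original post, from Fortinet, or from the Logstash netflow codec). It parses the RFC 3954 packet header, template flowsets (flowset id 0) and data flowsets (id >= 256), keying templates by (source_id, template_id) the way a real collector must. The template layout for id 258 and the source_id of 0 are constructed for the demonstration; the field values are copied from the template 258 record above so the decoded output can be compared with what Grafana showed. The demo also feeds a data packet before its template has been seen, which is what a collector started after the exporter sees until the next template refresh (the "pkts/time to next template" counter in the diag output above).

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field types (RFC 3954 section 8); only those used in this example.
FIELD_TYPES = {
    1: ("in_bytes", "int"), 2: ("in_pkts", "int"), 4: ("protocol", "int"),
    7: ("l4_src_port", "int"), 8: ("ipv4_src_addr", "ipv4"),
    10: ("input_snmp", "int"), 11: ("l4_dst_port", "int"),
    12: ("ipv4_dst_addr", "ipv4"), 14: ("output_snmp", "int"),
    23: ("out_bytes", "int"), 24: ("out_pkts", "int"),
}

# Constructed template layout for illustration (the real FortiGate template 258
# has these fields, but the order/lengths here are an assumption): (type, length).
TEMPLATE_258 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (23, 4),
                (2, 4), (24, 4), (10, 2), (14, 2)]


class NetflowV9Decoder:
    """Stateful decoder: templates are learned from the stream, keyed by (source_id, template_id)."""

    def __init__(self):
        self.templates = {}
        self.records = []
        self.dropped_unknown_template = 0  # data flowsets seen before their template

    def feed(self, packet):
        version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not NetFlow v9: version %d" % version)
        off = 20
        while off + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
            if length < 4:
                raise ValueError("bad flowset length")
            body = packet[off + 4:off + length]
            if flowset_id == 0:
                self._parse_templates(source_id, body)
            elif flowset_id >= 256:          # 1 = options template, ignored here
                self._parse_data(source_id, flowset_id, body)
            off += length
        return seq

    def _parse_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[off:off + 4]))
                off += 4
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:                     # template not (yet) received: drop and count
            self.dropped_unknown_template += 1
            return
        rec_len = sum(flen for _, flen in tmpl)
        off = 0
        while off + rec_len <= len(body):    # anything shorter than a record is padding
            rec = {"flowset_id": tid}
            for ftype, flen in tmpl:
                raw = body[off:off + flen]
                off += flen
                name, kind = FIELD_TYPES.get(ftype, ("field_%d" % ftype, "int"))
                rec[name] = str(IPv4Address(raw)) if kind == "ipv4" and flen == 4 else int.from_bytes(raw, "big")
            self.records.append(rec)


# --- constructed exporter side, used only to build test packets ---
def build_packet(seq, source_id, flowsets, record_count):
    header = struct.pack("!HHIIII", 9, record_count, 0, 1659334102, seq, source_id)
    return header + b"".join(flowsets)

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, records):
    body = b"".join(records)
    body += b"\x00" * (-(4 + len(body)) % 4)   # pad flowset to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body

def encode_record(fields, values):
    out = b""
    for ftype, flen in fields:
        name, kind = FIELD_TYPES[ftype]
        out += IPv4Address(values[name]).packed if kind == "ipv4" else int(values[name]).to_bytes(flen, "big")
    return out

def demo():
    # Values taken from the template 258 record in the post; source_id 0 is assumed.
    values = {"ipv4_src_addr": "73.243.13.61", "ipv4_dst_addr": "204.16.120.94",
              "l4_src_port": 443, "l4_dst_port": 3543, "protocol": 6,
              "in_bytes": 7244, "out_bytes": 7244, "in_pkts": 12, "out_pkts": 12,
              "input_snmp": 3, "output_snmp": 0}
    data_pkt = build_packet(33, 0, [data_flowset(258, [encode_record(TEMPLATE_258, values)])], 1)
    tmpl_pkt = build_packet(34, 0, [template_flowset(258, TEMPLATE_258)], 1)
    dec = NetflowV9Decoder()
    dec.feed(data_pkt)   # arrives before the template: counted as dropped, not decoded
    dec.feed(tmpl_pkt)   # template refresh
    dec.feed(data_pkt)   # now decodable
    return dec

if __name__ == "__main__":
    d = demo()
    print("dropped before template:", d.dropped_unknown_template)
    print(d.records[0])
```

Note that in_bytes and out_bytes are separate NetFlow v9 fields (types 1 and 23) and the decoder reports whatever the exporter put in each; if they match, that is what the exporter sent, not a parsing artefact. Replace the constructed packets with a UDP socket bound to port 2055 to run this against the real exporter, and compare the learned template field lists with the keys in the Grafana output above.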
Hi, guys,
Thanks so much for all your kind inputs.
There is a dedicated Fortinet module for Logstash, which can read the Fortinet NetFlow format.
Cheers
BensonLEI
Created on 08-03-2022 12:46 PM
Created on 08-08-2022 08:20 AM Edited on 08-08-2022 08:21 AM
Hello @BensonLEI ,
We thank you for your patience on this post. After looking into the issue, it seems it would need a lab replication to narrow down what the reason could be. We would recommend that you create a support ticket with the technical support team under the support portal for further investigation.
Hope this helps.
Thanks and regards,