LIVE MONITORING: What IPs using up most bandwidth right now?
I have a FortiGate 100D running v5.0, build4429 (GA).
In the Traffic History widget I can see my Internet connection saturated, inbound and/or outbound.
Users are complaining that Internet is very slow.
Does the Top Sessions by Destination or Source Address widget show current usage?
Top Clients by Bandwidth widget also shows me some info.
Is there a better way to try to determine live, at any time, what internal IPs are using up the most bandwidth and what hosts they are connected to?
Will a FortiAnalyzer help?
Are there better solutions outside of obtaining info from the FortiGate such as port mirroring on a switch to a Linux VM with special network monitoring software on it?
Ideally, I'd want a solution that can also email me alerts if there is any particular internal host that is utilizing excessive bandwidth. I'd like to know if the traffic is legitimate business traffic or from malware or for personal use.
You can't do proper monitoring using the FortiGate counters (FortiGate/FortiCloud/FortiAnalyzer/SNMP).
All traffic that is offloaded to the hardware acceleration isn't counted anymore, so you won't see correct numbers.
You need at least an NP6 network processor to get the offloaded traffic counted correctly (only in high-end FortiGate models).
This is also explained in the fortigate-hardware-accel documentation.
I'm really disappointed about this because reporting and monitoring was one of our mandatory requirements when we bought our FortiGate cluster. Our Fortinet partner didn't tell me it wouldn't work without buying expensive high-end models. So we are stuck with useless traffic reporting.. :(
The only workaround is completely disabling the traffic offloading, but that puts all the stress on the normal processor, so it has a huge performance penalty.
You can also check the following blog for a nice explanation:
We believe this is just as reliable, and we have numerous FortiGates with no NP6 ASIC. You can validate by installing a flow collector and generating multiple flows at a set rate (iperf/jperf/D-ITG come in handy) and then monitoring the flow cache and information to see how many statistics are lost when offload is not 100% rock solid. Also, we find only VPN encrypted traffic seems to exhibit flutter and fluctuations when doing our own bench testing.
You can try sFlow, but be aware of the polling interval, which is always a requirement for sFlow. I believe a few open-source or demo collectors that support sFlow collection exist. sFlow export has been out since as early as v4.0, and NetFlow since v5.2. NetFlow is probably more refined due to the number of Cisco devices out on planet Earth, so more collectors are NetFlow-aware and the Internet community as a whole is more NetFlow-knowledgeable.
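The answer above suggests installing a flow collector and watching the flow cache; the question also asks for per-host alerting on excessive bandwidth. The following is an added example, not code from the thread or from Fortinet: a minimal NetFlow v5 collector core in Python that decodes an export packet, ranks internal hosts by bytes transferred, records which peers each host talked to, and flags hosts whose average rate over the export interval exceeds a threshold. The packet is constructed inline from made-up flows (the addresses, byte counts, the 10.0.0.0/24 "internal" network, the 60-second interval and the 5 Mbps threshold are all assumptions), so it runs offline; a real collector would receive the datagrams over UDP and hand each one to `parse_v5_packet`.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header followed by 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")            # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport, ...


def build_v5_packet(flows):
    """Build a NetFlow v5 export packet from (src, dst, proto, sport, dport, packets, octets) tuples.
    Only used here to construct sample input; a real exporter (the firewall) produces these."""
    header = HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        REC.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0, 1, 2,
                 pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows
    )
    return header + body


def parse_v5_packet(data):
    """Decode a NetFlow v5 datagram into a list of flow dicts; rejects wrong versions and truncation."""
    version, count, *_ = HDR.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    records = []
    for i in range(count):
        off = HDR.size + i * REC.size
        if off + REC.size > len(data):
            raise ValueError("truncated packet: header count exceeds payload")
        f = REC.unpack_from(data, off)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return records


def top_talkers(records, internal_net, n=5):
    """Sum octets per internal host (either direction) and per (host, peer) pair.
    Returns the top-n hosts as (host, octets) plus the pair table for drill-down."""
    net = ipaddress.ip_network(internal_net)
    by_host, by_pair = defaultdict(int), defaultdict(int)
    for r in records:
        src, dst = ipaddress.IPv4Address(r["src"]), ipaddress.IPv4Address(r["dst"])
        if src in net:
            host, peer = r["src"], r["dst"]
        elif dst in net:
            host, peer = r["dst"], r["src"]
        else:
            continue  # transit traffic between two external addresses is not ours to rank
        by_host[host] += r["octets"]
        by_pair[(host, peer)] += r["octets"]
    ranked = sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return ranked, dict(by_pair)


def rate_alerts(ranked, interval_seconds, threshold_mbps):
    """Convert octets over the export interval into Mbit/s and return hosts above the threshold.
    In a deployment this list would feed the e-mail/alerting step."""
    hits = []
    for host, octets in ranked:
        mbps = octets * 8 / interval_seconds / 1e6
        if mbps > threshold_mbps:
            hits.append((host, round(mbps, 2)))
    return hits


# Constructed sample: one workstation streaming video, one doing light browsing, one external-only flow.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6, 51000, 443, 8000, 12_000_000),
    ("203.0.113.10", "10.0.0.5", 6, 443, 51000, 9000, 95_000_000),
    ("10.0.0.7", "198.51.100.20", 6, 52000, 80, 100, 60_000),
    ("10.0.0.7", "203.0.113.10", 17, 53000, 443, 50, 30_000),
    ("192.0.2.9", "192.0.2.10", 6, 40000, 22, 10, 1_000),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS)

if __name__ == "__main__":
    recs = parse_v5_packet(SAMPLE_PACKET)
    ranked, pairs = top_talkers(recs, "10.0.0.0/24")
    for host, octets in ranked:
        peers = {p: b for (h, p), b in pairs.items() if h == host}
        print(f"{host}: {octets} bytes, peers={peers}")
    print("alerts:", rate_alerts(ranked, interval_seconds=60, threshold_mbps=5.0))
```

The ranking deliberately credits both directions of a flow to the internal host, so a download-heavy stream shows up under the workstation that pulled it, which is what the original question is trying to see. If the exporter samples (non-zero sampling field in the header), the octet counts need to be scaled by the sampling rate before thresholds mean anything; the example treats the input as unsampled.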
Thanks very much for your expert feedback - all great info, some of it I must admit over my head since I'm not a networking expert (I'm an IT manager, so more of a generalist). I do have hopes that I will be able to hire a network engineer to help me soon.
What has worked well enough for the small office I'm based in:
1. In the Top Sessions widget, I set to report by Source Address
2. In the widget I right-click on source IP with top bandwidth usage and choose "Show Top Destinations" or "Show Top Applications"
The above has helped to reveal to me who in my office was utilizing a ton of bandwidth (based on their IP address) and what sites they were connecting to (local video streaming sites reporting on the Hong Kong protests).
I hope to be able to get more advanced reporting, logging and analysis by getting a FortiAnalyzer, managed by a network engineer.