Derek_Tom
New Contributor

LIVE MONITORING: What IPs using up most bandwidth right now?

Hi there,

I have a FortiGate 100D running v5.0, build4429 (GA).

In the Traffic History widget I can see my Internet connection saturated, inbound and/or outbound.

Users are complaining that Internet is very slow.

Top Sessions by Destination or Source Address widget shows current usage?

Top Clients by Bandwidth widget also shows me some info.

Is there a better way to try to determine live, at any time, what internal IPs are using up the most bandwidth and what hosts they are connected to?

Will a FortiAnalyzer help?

Are there better solutions outside of obtaining info from the FortiGate such as port mirroring on a switch to a Linux VM with special network monitoring software on it?

Ideally, I'd want a solution that can also email me alerts if there is any particular internal host that is utilizing excessive bandwidth. I'd like to know if the traffic is legitimate business traffic or from malware or for personal use.

Thanks in advance for any suggestions/feedback.

Cheers,

Derek

norouzi
Contributor

I'd rather use another solution like FortiAnalyzer and FirePlotter.

Also I suggest you upgrade to 5.2.1. In the FortiView menu you have better reports.

emnoc
Esteemed Contributor III

Take a look at this blog I pulled together. This is what I do sometimes when managing devices that have no true collection methods.

http://socpuppet.blogspot.com/2014/09/howto-find-out-how-many-bps-policy-is.html

If you have unix and plotting skills, you can poll the unit and build statistics. It's also a good means when troubleshooting a specific event at that time.

FortiCloud would be another option with trending.

 

PCNSE NSE StrongSwan
Fahad
New Contributor III

I am using firewall analyzer. FortiAnalyzer is a good option too.

FCSNP 5, JNCIS-FW, JNCIA-SSL, MCSE, ITIL.
MBR
New Contributor III

Hi Derek,

 

You can't do proper monitoring using the FortiGate counters (FortiGate/FortiCloud/FortiAnalyzer/SNMP).

All traffic that is offloaded to the hardware acceleration isn't counted anymore, so you won't see correct numbers.

You need at least an NP6 network processor to get the offloaded traffic counted correctly (only in high end FortiGate models).

This is also explained in the fortigate-hardware-accel documentation.

I'm really disappointed about this because reporting and monitoring was one of our mandatory requirements when we bought our FortiGate cluster. Our Fortinet partner didn't tell me it wouldn't work without buying expensive high end models. So we are stuck with useless traffic reporting.. :(

The only workaround is completely disabling the traffic offloading, but that puts all the stress on the normal processor, so it has a huge performance penalty.

You can also check the following blog for a nice explanation:

http://blog.helge.net/2014/05/fortigate-snmp-interface-counters-is.html

Maybe you can get yourself a switch that supports NetFlow and use that information to do the alerting.

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
emnoc
Esteemed Contributor III

"You need at least an NP6 network processor to get the offloaded traffic counted correctly (only in high end FortiGate models). This is also explained in the fortigate-hardware-accel documentation."

Correct in some cases, but you have one more method: NetFlow. Yes, NetFlow is a supported function in 5.2.

But you have one more friend.

(it's like 6-8 lines of cfg)

    config system netflow
        set collector-ip 10.10.80.11
        set collector-port 5400
        set source-ip 10.10.80.1
        set active-flow-timeout 10
        set inactive-flow-timeout 5
    end

It provides export on interfaces that are Layer 3 assigned. I don't think it will work with a transparent mode VDOM. And then you have sFlow as an alternative.

PCNSE NSE StrongSwan
MBR
New Contributor III

Hi Emnoc,

 

But I wonder whether the NetFlow packets include the offloaded traffic statistics, or also only the first packet of a flow and traffic that cannot be offloaded.

Any experience on this?

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
emnoc
Esteemed Contributor III

We believe this is just as reliable, and we have numerous FortiGates with no NP6 ASIC. You can validate by installing a flow collector and generating multiple flows at a set rate (iperf/jperf/D-ITG comes in handy) and then monitoring the flow cache and information.

How many statistics are lost when offload is not 100% rock solid? Also, we find only VPN encrypted traffic seems to exhibit flutter and fluctuations when doing our own bench testing.

You can try sFlow, but be aware of the polling interval, which is always a requirement for sFlow. I believe a few open source or demo collectors that support sFlow collection exist. The sFlow export has been out as early as v4.0, and NetFlow since v5.2. NetFlow is probably more refined due to the number of Cisco devices out on planet earth, so more collectors are NetFlow aware and the internet community as a whole is more NetFlow knowledgeable.

PCNSE NSE StrongSwan
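An added example, not emnoc's or Fortinet's code, of the collector side of the NetFlow export configured above and of the flow-collector validation emnoc describes: it decodes a NetFlow packet, sums bytes per internal source address, and flags hosts above a threshold together with their busiest destination, which is the per-host alerting Derek asked for. Assumptions: NetFlow v5's fixed record layout is used for brevity (check which version your FortiGate exports and adapt the decoder), the LAN prefix 10.10.0.0/16 is constructed, and the sample packet is built inline, not captured traffic.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire layout (fixed format): 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")  # assumption: the LAN side

def parse_v5(payload: bytes):
    """Yield (src_ip, dst_ip, dst_port, proto, octets) for each record."""
    version, count = struct.unpack_from("!HH", payload, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got v{version}")
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, payload, HEADER_LEN + i * RECORD_LEN)
        src, dst = str(ipaddress.ip_address(f[0])), str(ipaddress.ip_address(f[1]))
        yield src, dst, f[10], f[13], f[6]   # dstport, prot, dOctets

def top_talkers(payload: bytes, limit_bytes: int):
    """Rank internal sources by bytes sent; alert on those above limit_bytes."""
    per_host = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for src, dst, _dport, _proto, octets in parse_v5(payload):
        if ipaddress.ip_address(src) in INTERNAL_NET:   # outbound only
            per_host[src] += octets
            per_dest[src][dst] += octets
    ranked = sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)
    # (host, bytes, busiest destination) for every host over the limit
    alerts = [(h, b, max(per_dest[h], key=per_dest[h].get))
              for h, b in ranked if b > limit_bytes]
    return ranked, alerts

def build_record(src, dst, dport, proto, octets):
    """Constructed sample record: one packet, given byte count, no AS info."""
    return struct.pack(RECORD_FMT, int(ipaddress.ip_address(src)),
                       int(ipaddress.ip_address(dst)), 0, 1, 2, 1, octets,
                       0, 0, 40000, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def sample_packet() -> bytes:
    """Constructed export: one heavy streamer, one light host, one inbound flow."""
    records = [
        build_record("10.10.80.50", "203.0.113.7", 443, 6, 900_000_000),
        build_record("10.10.80.50", "198.51.100.9", 80, 6, 50_000_000),
        build_record("10.10.80.77", "203.0.113.7", 443, 6, 20_000_000),
        build_record("203.0.113.7", "10.10.80.50", 443, 6, 5_000_000),
    ]
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(records)
```

Feed the bytes of each UDP datagram received on the configured collector port to top_talkers and turn the alerts list into your email notification.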
Derek_Tom
New Contributor

Hello emnoc, MBR, norouzi, and Fahad.

Thanks very much for your expert feedback - all great info, some of it I must admit over my head since I'm not a networking expert (I'm an IT manager, so more of a generalist). I do have hopes that I will be able to hire a network engineer to help me soon.

What has worked well enough for the small office I'm based in:

1. In the Top Sessions widget, I set to report by Source Address

2. In the widget I right-click on source IP with top bandwidth usage and choose "Show Top Destinations" or "Show Top Applications"

The above has helped to reveal to me who in my office was utilizing a ton of bandwidth (based on their IP address) and what sites they were connecting to (local video streaming sites reporting on the Hong Kong protests).

I hope to be able to get more advanced reporting, logging and analysis by getting a FortiAnalyzer, managed by a network engineer.

Thanks again, all.

Cheers,

Derek


Mark_Oakton
Contributor

Hi,

You could use FortiCloud or FortiAnalyzer for enhanced logging. You can request a trial of FortiAnalyzer if you want to test it first.

Mark

Infosec Partners