- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Mixed up Timestamps in Netflow
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mixed up Timestamps in Netflow
Hi everbody,
I've got a strange issue regarding the timestamp when displaying exported netflow data from several fortigates with nfdump.
The issues's as follows:
I setup netflow in my main FGT90D running 5.2.3 and exported these data into a nfdump/nfsen collector/analyzer. Here I got flows which seemed to be first seen in future. First there'd been flows with a timestamp from september 13. Today in the morning the timestamps matched my time but up to now they're some 24 hours ahead.
So I setup another FGT100D with 5.2.3 and it's timestamps are around 5 hours and ten minutes ahead.
So I setup a third fortigate, another 100D with 5.2.4 and finally it's timestamps seem to match my actual time.
I'm researching this issue for several days now - meanwhile implementing an Cisco 3620 Router - netflow enabled and two distributed Switches from my ESX-Farm sending it's data into the collector - just to be sure that it's no general issue. Countless times I set up ntp configurations and configured timezones just to be sure.
But whatever I tried up to now, these timing offsets only are to be seen from the fortigates, especially from the two boxes running 5.2.3. What's a little bit worse is that the timeshift seem to vary - as wrote above from my FGT90D so that you even can't just calculate with a fix time offset to get it right.
One strange thing I discovered - but I don't know if it's by design or not because I no netflow-packet sepcialist. I captured those netflow packets from all three boxes and discovered the FGT100D running 5.2.3 is sending packets with a negative sysuptime value. The other two have positive ones. Don't know if it's just a byte-overflow issue or something like that.
Has anyone playing aroung with netflow seen anything like that and could give me a hint where to look next?
If it's important, my collector/analyzer is running nfdum/nfsen on debian 8 - if it got something to do with it.
Labels:
- Labels:
-
5.2
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dumb Qs do you have ntp setup and the time validate? A lot of devices ( i.e Juniper ) requires NTP is enabled 1st & b4 you run netfow or ipfix .
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello,
we have the same issue with a fg 1500d running 5.2.2, timeshifts with 1 or 2 days in the future.
both systems, fg and server are managed by ntp. So time should be correctly.
Does anybody know about the reason
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how far are the time off? a day a few mins or hours?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
its not days, the time difference are days. approx 10 days.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am seeing a similar issue with 5.2.4.
-bash-4.1$ nfdump -V nfdump: Version: NSEL-NEL1.6.11 $Date: 2013-11-16 09:04:43 +0100 (Sat, 16 Nov 2013) $
When I do: execute time, I see the correct time date stamp and that it is NTP synched. When I grab a PCAP from my Fortinet to nfdump sever, and view it in wireshark (Click analyze, decode as, Transport select destination 9985 and port as CFLOW).
I see the correct time stamps in the packet, so I am not sure if this is a Fortinet problem, or nfdump problem.
Today at ~ 10:30: Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2015-10-21 00:44:19.184 ....
Has anyone opened a ticket with Fortinet yet or posted anything yet here? [link]http://sourceforge.net/projects/nfdump/[/link]
What version of nfdump are you running?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is a bit of an old thread, but it does not seem to have a resolution for it. I am also experiencing this issue. I am running FortiOS 5.2.1, 5.2.3, 5.2.5, and 5.2.6. On version 5.2.6, it was working for a short time, but after returning to the office after a weekend, it was off again. I have yet to be able to get it working again.
I have a post on Nagios Network Analyzer forum as well, and they have no idea what could be causing it either. I have packet captured on both the Fortigate and the NA server and can see the netflow data coming into the server with the correct date and time. However, once ran through nfdump it outputs the incorrect datetimestamp. That would make me "assume" that it is an nfdump issue, but I am not sure.
I am posting this here, already have a post on Nagios NA forums, and will hitup the sourceforge.net forums as well. If I find anything out, I will be sure to update this post. Also, if anyone might have an update on this, please respond.
Labels
-
FortiGate
6,589 -
FortiClient
1,314 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.