No, but can you grab a pcap and inspect the netflow fields?
Also, what version of fortios? I would also gather the local time is correct (get system status). Believe the timestamps are unix or local time, but I haven't decoded netflow in a while. You should also grab the sysuptime field. That should match the system local ticks.
Ken Felix
PCNSE
NSE
StrongSwan
Version is 6.2.4. I did inspect a pcap, that's how I identified the problem. I took the current seconds, subtracted the sysuptime, then added the duration seconds.
IIRC there are two fields in netflow, sysuptime and the actual time; you should not need to do any calculations.
Look at the packet dump png in this post for v8, but v5 & v9 are similar
https://socpuppet.blogspot.com/2013/05/netflow-on-juniper-srx.html
Did you check the firewall clock time?
"get system status"
You have to make sure ntp is working correctly for netflow to be beneficial. If the time is off, you will have a host of issues from my past experience. I'm running 6.2.4 btw and exporting netflow from a FGT500E with no problems. We are upgrading to 6.2.5 this weekend.
Ken Felix
PCNSE
NSE
StrongSwan
The firewall's system time has been confirmed to be correct.
The time difference in the netflows has gone from being 12 days behind to 3 days ahead over the course of a week and a half.
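The timestamp arithmetic discussed in this thread, as an added example (not written by any poster and not Fortinet code): it decodes a NetFlow v9 packet header, converts the uptime-relative FIRST_SWITCHED/LAST_SWITCHED values to epoch seconds, and flags an export whose clock disagrees with the pcap capture time. It assumes the RFC 3954 v9 header layout; the function names, the 300-second threshold and the sample packet are constructed for illustration.

```python
import struct

# NetFlow v9 header: version, count, sysUpTime (ms), unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")
WRAP = 1 << 32  # sysUpTime is a 32-bit millisecond counter (wraps after ~49.7 days)

def parse_v9_header(packet: bytes) -> dict:
    """Decode the 20-byte v9 header; reject short or non-v9 packets."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("truncated NetFlow v9 header")
    version, count, uptime_ms, unix_secs, seq, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    return {"count": count, "sys_uptime_ms": uptime_ms, "unix_secs": unix_secs,
            "sequence": seq, "source_id": source_id}

def flow_epoch(header: dict, switched_ms: int) -> float:
    """Convert a FIRST_SWITCHED/LAST_SWITCHED value (sysUpTime ms) to epoch seconds.

    The flow's age is measured against the header sysUpTime, modulo 2**32 so a
    counter wrap between flow start and export does not yield a negative age.
    """
    age_ms = (header["sys_uptime_ms"] - switched_ms) % WRAP
    return header["unix_secs"] - age_ms / 1000.0

def check_flow(header: dict, first_ms: int, last_ms: int,
               capture_epoch: float, max_skew: float = 300.0) -> dict:
    """Compare exporter time with the pcap capture time and sanity-check the flow."""
    start, end = flow_epoch(header, first_ms), flow_epoch(header, last_ms)
    skew = header["unix_secs"] - capture_epoch
    return {"start": start, "end": end, "duration": end - start,
            "export_skew": skew,
            "suspect": abs(skew) > max_skew or end < start}

# Constructed sample: exporter up for 1 hour, export stamped 1600000000
SAMPLE_PACKET = V9_HEADER.pack(9, 1, 3_600_000, 1_600_000_000, 42, 0)

if __name__ == "__main__":
    hdr = parse_v9_header(SAMPLE_PACKET)
    # Flow started 60 s and ended 5 s before export; pcap frame time is 2 s later
    print(check_flow(hdr, 3_540_000, 3_595_000, capture_epoch=1_600_000_002))
    # Same flow, but the collector saw the packet 12 days after the stamped time
    print(check_flow(hdr, 3_540_000, 3_595_000,
                     capture_epoch=1_600_000_000 + 12 * 86400))
```

Feed `capture_epoch` from the pcap frame timestamp of the export packet, so the comparison is independent of the collector's own clock handling.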