kadey
New Contributor II

Moving netflow date/times...

About 9 days ago we started receiving netflow data from a customer's FortiGate firewall. At that time, the date/times in the flows were about 12 days in the past. I have confirmed the "bad" times exist in the incoming raw packets. Over the next 8 days, the date/times were catching up to the current time, and then they started moving into the future, where currently they're about 2 days into the future and getting worse. My question is, has anyone seen behavior like this before?
4 REPLIES
emnoc
Esteemed Contributor III

No, but can you grab a pcap and inspect the netflow fields?

 

Also what version of FortiOS? I would also gather the local time is correct (get system status). Believe the timestamps are unix or local time but I haven't decoded netflow in a while. You should also grab the sysuptime field. That should match the system local ticks.

 

Ken Felix

PCNSE NSE StrongSwan
kadey
New Contributor II

Version is 6.2.4. I did inspect a pcap; that's how I identified the problem. I took the current seconds, subtracted the sysuptime, then added the duration seconds.

 
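A worked version of the timestamp arithmetic described in the post above (header clock minus sysuptime, plus the record's own ms-since-boot offset), written here as an added example rather than code from any poster or from FortiOS. The NetFlow v5 packet bytes are constructed inside the script and the collector's receive time is an assumed constant, so the clock-skew check shows how a collector can flag an exporter whose header clock has drifted away from the collector's.

```python
import struct
from datetime import datetime, timezone

V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24-byte header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def build_v5_packet(sys_uptime_ms, unix_secs, records):
    """Constructed test packet: v5 header plus (first_ms, last_ms) records."""
    hdr = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(0x0A000001, 0x0A000002, 0, 1, 2, 10, 1500, first, last,
                       40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for first, last in records)
    return hdr + body


def decode_v5(packet):
    """Return (unix_secs, sys_uptime_ms, [(start, end), ...]) with flow
    start/end converted from ms-since-boot to absolute epoch seconds."""
    version, count, sys_uptime, unix_secs, unix_nsecs, *_ = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Exporter boot time in epoch seconds: header clock minus header uptime.
    boot = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        first_ms, last_ms = rec[7], rec[8]       # 'first' and 'last' fields
        flows.append((boot + first_ms / 1000, boot + last_ms / 1000))
    return unix_secs, sys_uptime, flows


def clock_skew(unix_secs, received_at):
    """Exporter header clock minus collector receive time, in seconds
    (positive means the exporter is ahead)."""
    return unix_secs - received_at


if __name__ == "__main__":
    now = 1_600_000_000   # collector receive time (constructed)
    # Constructed exporter whose clock runs 2 days ahead, up for 1 hour.
    pkt = build_v5_packet(3_600_000, now + 2 * 86400, [(3_590_000, 3_599_000)])
    secs, up, flows = decode_v5(pkt)
    print(f"exporter skew: {clock_skew(secs, now) / 86400:+.2f} days")
    for start, end in flows:
        print(datetime.fromtimestamp(start, timezone.utc), "->",
              datetime.fromtimestamp(end, timezone.utc))
```

Comparing the header's unix_secs against the collector's own receive time on every packet separates an exporter clock problem from a uptime-offset problem, since the latter would leave unix_secs correct and only the per-flow start/end times wrong.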

emnoc
Esteemed Contributor III

IIRC there are two fields in netflow, sysuptime and the actual time; you should not need to do any calculations.

 

Look at the packet dump png in this post for v8, but v5 & v9 are similar:

https://socpuppet.blogspot.com/2013/05/netflow-on-juniper-srx.html

 

 

Did you check the firewall clock time?

 

"get system status"

 

 

You have to make sure NTP is working correctly for netflow to be beneficial. If the time is off, you will have a host of issues from my past experience. I'm running 6.2.4 btw and exporting netflow from a FGT500E with no problems. We are upgrading to 6.2.5 this weekend.

 

Ken Felix

PCNSE NSE StrongSwan
kadey
New Contributor II

The firewall's system time has been confirmed to be correct.

 

The time difference in the netflows has gone from being 12 days behind to 3 days ahead over the course of a week and a half.

 
