Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lpetit_FTNT
Staff
Staff

Created on ‎05-27-2010 08:25 AM Edited on ‎03-25-2022 09:58 AM By Anonymous

Technical Tip : Third party sflow analyzers display incorrect FortiGate interface statistics

Description

Third party sflow applications display interface statistics based on sflow information received.  The interface index reported by a FortiGate in sflow packets can however be different than the ifIndex value of the port numbers.
The application, assuming that the sflow source index reported should match the SNMP ifIndex value, will poll the FortiGate, if configured, for additional SNMP information such as ifDescription, ifSpeed, ifInOctets, ifOutOctets, and will then associate these flows with a different interface.

The mapping should therefore be configured on the sflow analyzer.

Sflow analyzers tested and reporting this are:
     - sFlowTrend
     - ManageEngine Netflow Analyzer
     - Plixer Scrutinizer


This behavior is changing starting FortiOS 4.0MR3, where the FortiGate sends the interface SNMP index.


An example of a FortiGate 310B configured to export sflow statistics for interface port1, port9 and port10 is given below.
config system sflow
 set collector-ip 10.167.1.152
end

config system interface
edit "port1"
 set sflow-sampler enable
next
edit "port9"
 set sflow-sampler enable
next
edit "port10"
 set sflow-sampler enable
next

sFlowTrend applications will report that sflow are received for interface index 2, 3 and 10, and will try to automatically associate these to physical interface port2, port3, and port10, using SNMP query.
lpetit_fd32458_sflow_trend1.jpg
The sflow index to physical interface mapping can be found using the following CLI command:
FGT310B # diagnose netlink interface list

if=port1 family=00 type=1 index=10 mtu=1500 link=0 master=0
ref=8 state=start present flags=up broadcast run promsic multicast
 
For example, the full index table for the FortiGate 310B unit is given below:
Phy. intf   Sflow index
if=lo       index=1
if=port10   index=2
if=port9    index=3
if=modem    index=4
if=port6    index=5
if=port5    index=6
if=port8    index=7
if=port7    index=8
if=port2    index=9
if=port1    index=10
if=port4    index=11
if=port3    index=12
if=root     index=13
if=ssl.root index=14



Sample sniffer trace for sflow packet: 

lpetit_fd32458_pcap1.jpg

 

Labels:
11038
0 Kudos
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.