This article explains how to configure NetFlow export on a Fortinet FortiGate firewall for use with Auvik TrafficInsights.
Before You Begin
Ensure the following prerequisites are met:
- The FortiGate date, time, and time zone are configured correctly.
- You have SSH or Telnet access to the FortiGate.
- You have administrative privileges on the device.
- You know the IP address of the Auvik collector that will receive flow data.
- Any firewalls between the FortiGate and the collector allow traffic on the selected flow-export port.
Important: FortiGate does not support NetFlow sampling. If flow sampling is required, configure sFlow instead.
Shared Collector Deployments
If you are using a shared collector and want TrafficInsights to associate flow data with the correct site, you must add the source IP address as a dedicated /32 network within Auvik.
For example:
192.168.1.10/32
Even if the source IP address is already included in a larger monitored subnet, a dedicated /32 entry is required for TrafficInsights to correctly associate flow records with the appropriate site.
After making this change, it may take several minutes before flow data appears in TrafficInsights.
Configure NetFlow Export
Step 1: Access the FortiGate CLI
Connect to the firewall using SSH or Telnet and log in using an administrative account.
Step 2: Configure the NetFlow Collector
Run the following commands:
Replace:
- <AuvikCollectorIP> with the IP address of the Auvik collector.
- <AuvikPort> with one of the supported TrafficInsights ports:
  - 2055
  - 2056
  - 4432
  - 4739
  - 6343
  - 9995
  - 9996
- <FW LAN/Mgmt IP> with the source IP address that should send NetFlow records.
Note: Specifying the source IP is strongly recommended and may be required when flow traffic traverses VPN tunnels, multiple routing paths, or NAT devices.
config system netflow
set collector-ip <AuvikCollectorIP>
set collector-port <AuvikPort>
set source-ip <FW LAN/Mgmt IP>
end
Step 3: Enable NetFlow on an Interface
In the example below, port1 represents the interface where traffic should be monitored.
Modify the interface name as required for your environment.
config system interface
edit port1
set netflow-sampler both
next
end
The both option exports ingress and egress traffic statistics for the interface.
Multiple Collector Support (FortiOS 7.4.2 and Later)
FortiOS 7.4.2 introduced support for multiple NetFlow collectors.
To configure multiple collectors:
config system netflow
config collectors
edit 1
set collector-ip <AuvikCollectorIP>
set collector-port <AuvikPort>
set source-ip <LAN/Mgmt IP>
set interface-select-method auto
next
end
end
Repeat the collector configuration for each collector as required.
After configuring collectors, enable NetFlow on the desired interfaces:
config system interface
edit port1
set netflow-sampler both
next
end
To verify the current NetFlow configuration:
show system netflow
Verify Flow Export
After configuration:
- Confirm the NetFlow collector IP address is reachable from the FortiGate.
- Verify the configured source IP address is routable to the collector.
- Confirm the correct export port is configured.
- Allow several minutes for flow records to begin appearing in TrafficInsights.
TrafficInsights data does not appear immediately and may require multiple export intervals before traffic becomes visible.
Troubleshooting
If flow data is not appearing in Auvik:
Verify Time Synchronization
Incorrect timestamps can affect flow processing and analysis.
Verify:
get system status
Confirm the date, time, and time zone are correct.
Verify NetFlow Configuration
Review the configured collector settings:
show system netflow
Confirm:
- Collector IP address is correct.
- Collector port is correct.
- Source IP address is correct.
Verify Interface Configuration
Confirm NetFlow is enabled on the expected interfaces:
show system interface
Verify Connectivity
Ensure:
- The collector is online.
- Firewalls permit flow export traffic.
- Routing exists between the FortiGate and the collector.
- VPN tunnels carrying flow traffic are operational.
Shared Collector Verification
If using a shared collector, confirm the flow-export source IP address has been added to Auvik as a dedicated /32 network.
Without the /32, TrafficInsights may be unable to associate the flow records with the correct site.
Additional Information
FortiGate exports flow data using NetFlow v9. Auvik TrafficInsights can process NetFlow, IPFIX, J-Flow, and sFlow records.
If flow sampling is required for your deployment, configure sFlow instead of NetFlow, as FortiGate does not support NetFlow sampling.
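The following Python is an added example, not Auvik or Fortinet code: it parses the NetFlow v9 packet header of a received export datagram, lists its FlowSets, and flags a sender that is not the configured source IP or an export timestamp that disagrees with the receiver's clock. The sample datagram, the 300-second skew threshold, and the function names are constructed for illustration.

```python
import struct
import time

# NetFlow v9 packet header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9(datagram):
    """Parse the 20-byte NetFlow v9 header and walk the FlowSet headers."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v9 header")
    version, count, _uptime, unix_secs, sequence, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    flowsets, offset = [], V9_HEADER.size
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {offset}")
        # FlowSet ID 0 = template, 1 = options template, 256 and above = data
        kind = {0: "template", 1: "options-template"}.get(
            fs_id, "data" if fs_id >= 256 else "reserved")
        flowsets.append((kind, fs_id, fs_len))
        offset += fs_len
    return {"count": count, "unix_secs": unix_secs, "sequence": sequence,
            "source_id": source_id, "flowsets": flowsets}

def check_export(datagram, sender_ip, expected_source_ip, now=None, max_skew=300):
    """Return a list of problems found in one received export datagram."""
    problems = []
    if sender_ip != expected_source_ip:
        problems.append(f"sender {sender_ip} is not the configured source-ip "
                        f"{expected_source_ip}")
    try:
        pkt = parse_v9(datagram)
    except ValueError as exc:
        return problems + [str(exc)]
    skew = pkt["unix_secs"] - (time.time() if now is None else now)
    if abs(skew) > max_skew:  # max_skew is an assumed threshold, in seconds
        problems.append(f"export clock differs from receiver by {skew:+.0f}s")
    return problems

# Constructed sample: one template FlowSet (IN_BYTES, IPV4_SRC_ADDR) and one data record
SAMPLE_TIME = 1700000000
SAMPLE = (V9_HEADER.pack(9, 2, 360000, SAMPLE_TIME, 1, 0)
          + struct.pack("!8H", 0, 16, 256, 2, 1, 4, 8, 4)
          + struct.pack("!HHI4s", 256, 12, 1500, bytes([10, 0, 0, 5])))

if __name__ == "__main__":
    print(parse_v9(SAMPLE)["flowsets"])
    print(check_export(SAMPLE, "192.168.1.10", "192.168.1.10", now=SAMPLE_TIME + 7200))
```

To use it on real traffic, pass the payload and sender address of a UDP datagram received on the configured flow-export port.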