How to configure NetFlow on Fortinet FortiGate firewalls

This article explains how to configure NetFlow export on a Fortinet FortiGate firewall for use with Auvik TrafficInsights.

Before You Begin

Ensure the following prerequisites are met:

  • The FortiGate date, time, and time zone are configured correctly.
  • You have SSH or Telnet access to the FortiGate.
  • You have administrative privileges on the device.
  • You know the IP address of the Auvik collector that will receive flow data.
  • Any firewalls between the FortiGate and the collector allow traffic on the selected flow-export port.

Important: FortiGate does not support NetFlow sampling. If flow sampling is required, configure sFlow instead.

Shared Collector Deployments

If you are using a shared collector and want TrafficInsights to associate flow data with the correct site, you must add the source IP address as a dedicated /32 network within Auvik.

For example:

192.168.1.10/32

Even if the source IP address is already included in a larger monitored subnet, a dedicated /32 entry is required for TrafficInsights to correctly associate flow records with the appropriate site.

After making this change, it may take several minutes before flow data appears in TrafficInsights.


Configure NetFlow Export

Step 1: Access the FortiGate CLI

Connect to the firewall using SSH or Telnet and log in using an administrative account.

Step 2: Configure the NetFlow Collector

Run the commands shown below, substituting the placeholders as follows:

  • <AuvikCollectorIP> with the IP address of the Auvik collector.
  • <AuvikPort> with one of the supported TrafficInsights ports:
    • 2055
    • 2056
    • 4432
    • 4739
    • 6343
    • 9995
    • 9996
  • <FW LAN/Mgmt IP> with the source IP address that should send NetFlow records.

Note: Specifying the source IP is strongly recommended and may be required when flow traffic traverses VPN tunnels, multiple routing paths, or NAT devices.

config system netflow
    set collector-ip <AuvikCollectorIP>
    set collector-port <AuvikPort>
    set source-ip <FW LAN/Mgmt IP>
end

Step 3: Enable NetFlow on an Interface

In the example below, port1 represents the interface where traffic should be monitored.

Modify the interface name as required for your environment.

config system interface
    edit port1
        set netflow-sampler both
    next
end

The both option exports ingress and egress traffic statistics for the interface.


Multiple Collector Support (FortiOS 7.4.2 and Later)

FortiOS 7.4.2 introduced support for multiple NetFlow collectors.

To configure multiple collectors:

config system netflow
    config collectors
        edit 1
            set collector-ip <AuvikCollectorIP>
            set collector-port <AuvikPort>
            set source-ip <FW LAN/Mgmt IP>
            set interface-select-method auto
        next
    end
end

Add a further entry (edit 2, and so on) for each additional collector.

After configuring collectors, enable NetFlow on the desired interfaces:

config system interface
    edit port1
        set netflow-sampler both
    next
end

To verify the current NetFlow configuration:

show system netflow

Verify Flow Export

After configuration:

  1. Confirm the NetFlow collector IP address is reachable from the FortiGate.
  2. Verify the configured source IP address is routable to the collector.
  3. Confirm the correct export port is configured.
  4. Allow several minutes for flow records to begin appearing in TrafficInsights.

TrafficInsights data does not appear immediately and may require multiple export intervals before traffic becomes visible.
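As an added example that is not part of this article or of the FortiGate or Auvik software: a small Python listener, run on the collector host, that checks the first datagrams the FortiGate sends against the settings configured above. It confirms the packets arrive on one of the supported ports, come from the configured source-ip (the address that must also be the /32 in a shared-collector deployment), carry a NetFlow v9 header, and show no gaps in the v9 sequence counter. The sample packet in the test is constructed; the function and variable names are this example's own.

```python
import ipaddress
import socket
import struct
from collections import namedtuple

# Ports TrafficInsights accepts for flow export (the list given in this article).
SUPPORTED_PORTS = {2055, 2056, 4432, 4739, 6343, 9995, 9996}

# NetFlow v9 packet header (RFC 3954): version, count, sysUptime, unixSecs, sequence, sourceId.
V9_HEADER = struct.Struct("!HHIIII")
V9Header = namedtuple("V9Header", "count sys_uptime_ms export_secs sequence source_id")

def parse_v9_header(data):
    """Parse the 20-byte NetFlow v9 header; raise ValueError for anything else."""
    if len(data) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, *fields = V9_HEADER.unpack_from(data)
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    return V9Header(*fields)

def check_export(src_ip, dst_port, data, expected_source_ip, last_seq=None):
    """Return the problems found for one datagram; an empty list means the export looks right."""
    problems = []
    if dst_port not in SUPPORTED_PORTS:
        problems.append(f"port {dst_port} is not a supported TrafficInsights port")
    if ipaddress.ip_address(src_ip) != ipaddress.ip_address(expected_source_ip):
        problems.append(f"exporter {src_ip} is not the configured source-ip {expected_source_ip}")
    try:
        hdr = parse_v9_header(data)
    except ValueError as exc:
        return problems + [str(exc)]
    # The v9 sequence counts export packets, so a jump means datagrams were lost in transit.
    if last_seq is not None and hdr.sequence != last_seq + 1:
        problems.append(f"sequence gap: expected {last_seq + 1}, got {hdr.sequence}")
    return problems

def listen(port, expected_source_ip, max_packets=5):
    """Bind the collector port on this host and check the first few datagrams that arrive."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    last_seq = None
    for _ in range(max_packets):
        data, (src, _) = sock.recvfrom(65535)
        print(f"from {src}: {check_export(src, port, data, expected_source_ip, last_seq) or 'OK'}")
        try:
            last_seq = parse_v9_header(data).sequence
        except ValueError:
            pass
```

Call listen(<AuvikPort>, "<FW LAN/Mgmt IP>") on the collector host while the real collector process is stopped, since only one process can bind the UDP port; an exporter address that differs from the configured source-ip is the usual sign of NAT or a VPN tunnel on the path.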


Troubleshooting

If flow data is not appearing in Auvik:

Verify Time Synchronization

Incorrect timestamps can affect flow processing and analysis.

Verify:

get system status

Confirm the date, time, and time zone are correct.

Verify NetFlow Configuration

Review the configured collector settings:

show system netflow

Confirm:

  • Collector IP address is correct.
  • Collector port is correct.
  • Source IP address is correct.

Verify Interface Configuration

Confirm NetFlow is enabled on the expected interfaces:

show system interface

Verify Connectivity

Ensure:

  • The collector is online.
  • Firewalls permit flow export traffic.
  • Routing exists between the FortiGate and the collector.
  • VPN tunnels carrying flow traffic are operational.

Shared Collector Verification

If using a shared collector, confirm the flow-export source IP address has been added to Auvik as a dedicated /32 network.

Without the /32, TrafficInsights may be unable to associate the flow records with the correct site.


Additional Information

FortiGate exports flow data using NetFlow v9. Auvik TrafficInsights can process NetFlow, IPFIX, J-Flow, and sFlow records.

If flow sampling is required for your deployment, configure sFlow instead of NetFlow, as FortiGate does not support NetFlow sampling.
