Try Auvik Free
Try Auvik Free

How can we help?

  1. Auvik Support
  2. Audit and Reporting
  3. Device configuration for Auvik TrafficInsights
  4. How to Configure Netflow

How to configure NetFlow on Fortinet FortiGate firewalls

Avatar
Lawrence Popa
Follow

These instructions assume:

  • The date, time and time zone are correctly set on the firewall.
  • You have Telnet or SSH credentials and access to your Fortinet FortiGate firewall.
  • The IP address of your Auvik collector is known.

Note: FortiGate does not support sampling with Netflow.   If you need to configure flow sampling, please set up sFlow instead.

If you have a shared collector and want to ensure that it receives netflow data to enable TrafficInsights, you will need to add the source IP address as a /32 in order for Auvik to register the flows from that specific address in the TrafficInsights portal. There may be some delay for the shared collector to receive the data after the change.

Note: Even if that source IP address is already being scanned, you must add a /32 targeting only the source IP address, due to some limitations, the collector can’t tell if it should be sent to site A or B.

Access your firewall CLI

  1. Telnet or SSH into your firewall.
  2. Ensure you're logged in as a privileged user.

Enable NetFlow

On your firewall, execute the commands listed below.

Replace <AuvikCollectorIP> with the IP of your Auvik collector, <AuvikPort> with one of the following ports: 2055, 2056, 4432, 4739, 6343, 9995, or 9996, and <FW LAN/Mgmt IP> with the IP address of the interface from where the device will be sending Netflow. This last this step is mandatory if the Netflow traffic has to traverse a VPN in order to reach the collector.

In the example below, port 1 represents the interface where you're capturing flows, usually the LAN. Change this value based on which interface you're monitoring with NetFlow.

config system netflow
set collector-ip <AuvikCollectoIP>
set collector-port <AuvikPort>
set source-ip <FW LAN/Mgmt IP>
end

config system interface
edit <port1>
set netflow-sampler both
end

Multiple Collectors

For newer software versions (7.4.2 and higher), Fortinet included the capability to work with multiple collectors. In this case use the following configuration:

show system netflow

config system netflow
  config collectors
     edit <1-6>
        set collector-ip <AuvikCollectorIP>
        set collector-port <2055, 2056, 4432, 4739, 6343, 9995, 9996>
        set source-ip <LAN/Management IP address>
        set interface-select-method auto
     next
   end
end
config system interface
   edit <port1>
     set netflow-sampler both
   next
end

References:

 

Was this article helpful?
6 out of 26 found this helpful
Have more questions? Submit a request

Auvik System Status

Check system status

Need help?

Submit your question or comment and we'll be in touch.

Send a message

Related articles