FortiGate - Netflow Configuration

Problem

Internally, a SIEM solution or similar is operated and therefore all traffic coming in and out of the Internet should be sent to the logging solution.

Solution

About Netflow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis. NetFlow samplers, that sample every packet, are configured per interface. Full NetFlow is supported through the information maintained in the firewall session.

Configuration

The configuration differs whether VDOMs are active on the FortiGate unit or not.

Without VDOM

Netflow can only be configured via the CLI and consists of two parts.
First, the receiver of the data must be configured globally:
config system netflow
  set collector-ip 192.168.80.3
  set collector-port 2055
  set source-ip 192.168.80.254
end
  • collector-ip: IP address of the recipient (of the SIEM solution)
  • collector-port: Receiver UDP port (optional ; default udp/2055)
  • source-ip: IP of the interface from which the traffic should be sent (optional)

The second step is to activate Netflow on the desired interfaces:
config system interface
  edit wan
    set netflow-sampler { disable | tx | rx | both }
  next
end
  • disable: Netflow is disabled on this device
  • tx: Send outgoing traffic to Netflow receiver
  • rx: Send incoming traffic to Netflow receiver
  • both: send all traffic to Netflow receiver

With VDOM

When VDOMs are enabled, the configuration differs slightly.
Also Netflow has to be configured on VDOM level first:
config vdom
  set vdom Internet
    config system vdom-netflow
      set collector-ip 192.168.80.3
      set collector-port 2055
      set source-ip 192.168.80.254
    end
  next
end
HINT: If you want, you can define Netflow in the global space to define it for all VDOMs (see section "Without VDOM").

The second step is to activate Netflow on the desired interfaces:
config system interface
  edit wan
    set netflow-sampler { disable | tx | rx | both }
  next
end
  • disable: Netflow is disabled on this device
  • tx: Send outgoing traffic to Netflow receiver
  • rx: Send incoming traffic to Netflow receiver
  • both: send all traffic to Netflow receiver

Verify

Check with the diagnose sniffer tool the traffic from the FortiGate to the Netflow receiver:
diagnose sniffer paket any 'port 2055' 4 0 a

Troubleshooting

You can check the logs from the Netflow Daemon with the following command:
diagnose debug enable
diagnose test application sflowd 3
diagnose test application sflowd 4

Comments

Post a Comment

Popular posts from this blog

FortiGate BGP dual-home with multiple ISP

Image
Problem Design with two ISPs and an RIPE Routed public IP Ranges. How to solve, that the public Range is available over both ISPs but without asymetric Routing and ISP-1 is the primary. Solution FortiGate Basic BGP configuration First start with basic BGP configuration config router bgp set as 65301 set router-id 100.200.100.254 set keepalive-timer 45 set holdtime-timer 120 set bestpath-med-missing-as-worst enable set graceful-restart enable     config redistribution connected          set status enable     end end bestpath-med-missing-as-worst :  The route without MED is automaticly the worst destination. gracefule-restart :  Advertise reboots to neighbors so they don't see the router as offline, wait before declaring them offline, and how long to wait when they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates. holdtime-timer: How long the router will wait for
Read more

FortiMail - Server Basic Configuration

Image
 Problem Nowhere is it written exactly how FortiMail must be configured in Server Mode to run a secure Basic Mail Server. Here is a summary of most of the settings: Solution System Network Configure your Interfaces Be sure that you have configured an default Gateway Port Forwarding FortiMail are able to forward Traffic from a the internet to the local LAN (DNAT). For more information:  FortiMail Doc FortiGate The FortiGate are able to send SMTP traffic through an WCCP Tunnel to the FortiMail for scanning. See for more information:  FortiDoc Configuration Set the correct Time Zone Configure your Password Policy Change the Admin Ports  to non default ports If you need configure the SNMP settings Mail Settings Set the Hostname  and the Local domain name . Togther there are the FQDN of the FortiMail. Activate the SMTP MA service  (use other ports for mail submiting by clients as mail transfer to other Mail servers.  Relay Host If you run the FortiMail behind another Mailserver which acts a
Read more

FortiGate as DNS Server or DNS Proxy

Image
 Problem Especially in small networks, sometimes you do not have a dedicated DNS server available. For this purpose, the FortiGate can be used as DNS server. For larger installations, all DNS queries should be proxied for security reasons. The FortiGate can also help here. Solution A detail documentation about the DNS Server functionality is in the offical documentation:  Fortinet Doc In this post I would like to clearly present the most important functions and configuration types of the DNS function. DNS-Server In the following example the FortiGate act as DNS Server: Enable DNS Feature Enable the DNS Feature in the GUI: CLI command: config system settings     set gui-dns-database enable end Configure DNS Server Enable the DNS Feature on the interface on which DNS requests should be answered: Select Network Select DNS Servers Select the listen Interface Select the DNS Server Mode (see delecration below) The same on the CLI: config system dns-server     edit DMZ2          set mode recu
Read more