FortiLink Guide

Configuring flow tracking and export

You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.

When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

Starting in FortiOS 7.2.0, you can configure multiple flow-export collectors using the config collectors command. For each collector, you can specify the collector IP address, the collector port number, and the collector layer-4 transport protocol for exporting packets.

Note

Using multiple flow-export collectors requires FortiSwitchOS 7.0.0 or later. If you are using an earlier version of FortiSwitchOS, only the first flow-export collector is supported.

Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can specify how often a template packet is sent using the set template-export-period command. By default, a template packet is sent every 5 minutes. The range of values is 1-60 minutes.

Configuring flow tracking

To configure flow tracking on managed FortiSwitch units:

config switch-controller flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <0-99999>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set level {vlan | ip | port | proto}
    set max-export-pkt-size <512-9216 bytes; default is 512>
    set template-export-period <1-60 minutes; default is 5>
    set timeout-general <60-604800 seconds; default is 3600>
    set timeout-icmp <60-604800 seconds; default is 300>
    set timeout-max <60-604800 seconds; default is 604800>
    set timeout-tcp <60-604800 seconds; default is 3600>
    set timeout-tcp-fin <60-604800 seconds; default is 300>
    set timeout-tcp-rst <60-604800 seconds; default is 120>
    set timeout-udp <60-604800 seconds; default is 300>
    config collectors
        edit <collector_name>
            set ip <IPv4_address>
            set port <0-65535>
            set transport {udp | tcp | sctp}
        next
    end
    config aggregates
        edit <aggregate_ID>
            set ip <IPv4_address_and_netmask>
        next
    end
end

For example:

config switch-controller flow-tracking
    config collectors
        edit "Analyzer_1"
            set ip 172.16.201.55
            set port 4739
            set transport sctp
        next
        edit "Collector_HQ"
            set ip 172.16.116.82
            set port 2055
        next
    end
    set template-export-period 10
end

Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.

  • The local mode samples packets on a specific FortiSwitch port.
  • The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
  • The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.

Configure the sampling rate

For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.

Configure the flow-tracking protocol

You can set the format of the exported flow data to NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX.
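The collector side of the export, as an added example that is not Fortinet code: when `set format netflow5` is chosen, whatever arrives on the collector port and transport is a fixed-layout datagram (a 24-byte NetFlow v5 header followed by 48-byte records). The parser below decodes it, refuses to over-read a datagram whose count field promises more records than it carries, and scales the sampled counters by the 1-in-N sampling interval from the sampling-rate section. The datagram is constructed inline; that the exporter populates the header's sampling-interval field is an assumption (when it is zero, no scaling is applied).

```python
"""Decode a NetFlow v5 export datagram on the collector side (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    tcp_flags: int
    packets: int
    octets: int


@dataclass
class ExportDatagram:
    sequence: int
    sampling_mode: int        # top 2 bits of the header's sampling field
    sampling_interval: int    # low 14 bits: 1 out of N packets sampled
    records: list


def parse_netflow_v5(data: bytes) -> ExportDatagram:
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < needed:
        # Never trust the count field: a short datagram must not be over-read.
        raise ValueError(f"header announces {count} records, datagram has {len(data)} bytes")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            src_port=f[9], dst_port=f[10], proto=f[13], tos=f[14],
            tcp_flags=f[12], packets=f[5], octets=f[6]))
    return ExportDatagram(sequence, sampling >> 14, sampling & 0x3FFF, records)


def estimate_totals(dgram: ExportDatagram):
    """Scale sampled counters by the 1-in-N interval to estimate real traffic."""
    n = dgram.sampling_interval or 1
    return (sum(r.packets for r in dgram.records) * n,
            sum(r.octets for r in dgram.records) * n)


def build_sample_datagram() -> bytes:
    """Constructed export: two records, sampling interval 512 (the page's default rate)."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, (1 << 14) | 512)
    # fields: src, dst, nexthop, input, output, dPkts, dOctets, first, last,
    #         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
    #         src_mask, dst_mask, pad2
    https = V5_RECORD.pack(bytes([10, 1, 1, 20]), bytes([172, 16, 201, 55]), bytes(4),
                           6, 0, 3, 1800, 1000, 2000, 51522, 443, 0, 0x18, 6, 0,
                           0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(bytes([10, 1, 1, 20]), bytes([10, 2, 2, 9]), bytes(4),
                         6, 0, 1, 80, 3000, 3000, 40000, 53, 0, 0, 17, 0,
                         0, 0, 24, 24, 0)
    return header + https + dns


if __name__ == "__main__":
    dgram = parse_netflow_v5(build_sample_datagram())
    for rec in dgram.records:
        print(rec)
    print("estimated packets, octets:", estimate_totals(dgram))
```

The length check before the record loop is the part worth keeping in any real collector: a datagram from a misbehaving or spoofed source can announce a record count its payload does not contain.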

Configure the collector IP address

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.

Configure the flow-tracking level

You can set the flow-tracking level to one of the following:

  • vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sample packet.
  • ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
  • port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample packet.
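How the flow-tracking level, the timeout-* values and the model's flow limit interact, as an added example rather than FortiSwitch code: samples are keyed by exactly the fields the page lists for each level (so two connections between the same hosts are one flow at the ip level and two at the port level), a flow is exported when it has been idle longer than the timeout for its class or has lived past timeout-max, and when the table is full the oldest flow is expired and exported. Assumptions not stated on the page: "oldest" means earliest first-seen, and the idle timeouts count from the flow's last sample. The sampled packets are constructed inline.

```python
"""Flow cache showing what `set level`, `timeout-*` and the flow limit control (added example)."""
from collections import OrderedDict

# Fields that make up the flow key at each level (from the page).
LEVEL_FIELDS = {
    "ip":    ("src", "dst"),
    "proto": ("src", "dst", "proto"),
    "port":  ("src", "dst", "sport", "dport", "proto"),
    "vlan":  ("src", "dst", "sport", "dport", "proto", "tos", "vlan"),
}

# The page's default timeouts, in seconds.
DEFAULT_TIMEOUTS = {"general": 3600, "icmp": 300, "tcp": 3600,
                    "tcp-fin": 300, "tcp-rst": 120, "udp": 300, "max": 604800}

# Constructed sampled packets; "t" is the sample time in seconds.
SAMPLES = [
    {"t": 0, "src": "10.1.1.20", "dst": "10.2.2.9", "sport": 51522, "dport": 443,
     "proto": 6, "tos": 0, "vlan": 100, "len": 600, "tcp_flags": 0x18},
    {"t": 1, "src": "10.1.1.20", "dst": "10.2.2.9", "sport": 40000, "dport": 53,
     "proto": 17, "tos": 0, "vlan": 100, "len": 80, "tcp_flags": 0},
    {"t": 2, "src": "10.1.1.20", "dst": "10.2.2.9", "sport": 51522, "dport": 443,
     "proto": 6, "tos": 0, "vlan": 100, "len": 1200, "tcp_flags": 0x11},  # FIN+ACK
    {"t": 3, "src": "10.1.1.21", "dst": "10.2.2.9", "sport": 51000, "dport": 22,
     "proto": 6, "tos": 0, "vlan": 100, "len": 100, "tcp_flags": 0x18},
]


def flow_key(sample, level):
    return tuple(sample[f] for f in LEVEL_FIELDS[level])


def timeout_class(sample):
    """Pick which timeout-* value governs this flow, based on its latest sample."""
    if sample["proto"] == 6:
        if sample["tcp_flags"] & 0x04:
            return "tcp-rst"
        if sample["tcp_flags"] & 0x01:
            return "tcp-fin"
        return "tcp"
    return {17: "udp", 1: "icmp"}.get(sample["proto"], "general")


class FlowCache:
    def __init__(self, level, max_flows, timeouts=DEFAULT_TIMEOUTS):
        self.level, self.max_flows, self.timeouts = level, max_flows, timeouts
        self.flows = OrderedDict()   # insertion order == first-seen order (assumption)
        self.exported = []           # (key, flow, reason)

    def observe(self, sample):
        key = flow_key(sample, self.level)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:
                # Table full: the oldest flow expires and is exported.
                old_key, old = self.flows.popitem(last=False)
                self.exported.append((old_key, old, "table-full"))
            flow = {"first": sample["t"], "packets": 0, "bytes": 0}
            self.flows[key] = flow
        flow["last"] = sample["t"]
        flow["packets"] += 1
        flow["bytes"] += sample["len"]
        flow["tclass"] = timeout_class(sample)

    def expire(self, now):
        """Export flows idle past their class timeout or older than timeout-max."""
        for key in list(self.flows):
            flow = self.flows[key]
            idle, age = now - flow["last"], now - flow["first"]
            if idle >= self.timeouts[flow["tclass"]] or age >= self.timeouts["max"]:
                self.exported.append((key, self.flows.pop(key), flow["tclass"]))


def flows_by_level(level, max_flows=16):
    """Number of distinct flows the same samples produce at a given level."""
    cache = FlowCache(level, max_flows)
    for s in SAMPLES:
        cache.observe(s)
    return len(cache.flows)


def expire_demo(now, level="port"):
    """(timeout classes of exported flows, flows still active) at time `now`."""
    cache = FlowCache(level, 16)
    for s in SAMPLES:
        cache.observe(s)
    cache.expire(now)
    return sorted(reason for _, _, reason in cache.exported), len(cache.flows)


def capacity_demo(max_flows, level="port"):
    """(reason, destination port) of flows forced out by the flow limit."""
    cache = FlowCache(level, max_flows)
    for s in SAMPLES:
        cache.observe(s)
    return [(reason, key[3]) for key, _, reason in cache.exported]
```

Running `flows_by_level("ip")` against `flows_by_level("port")` on the same samples makes the trade-off concrete: the ip level gives fewer flows and so fits the model's limit longer, but it discards the port and protocol detail a collector needs to tell an HTTPS session from a DNS query between the same two hosts.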

Configure the maximum exported packet size

You can set the maximum size of exported packets at the application layer.

To remove flow reports from a managed FortiSwitch unit:

execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>

Expired flows are exported.

To view flow statistics for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>

To view raw flow records for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>

To view flow record data for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>

For example:

diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6

To check the status of the flow collector on a managed FortiSwitch unit:

diagnose switch-controller flow-collector status

For example:

FGT_A (vdom1) # diagnose switch-controller flow-collector status
status : enabled
interface : port11
netflow packets : 1300
unknown packets : 0
flows : 42
flows filtered : 201
flowsets skipped : 17129

Using the FortiView Internal Hubs monitor

Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can use the FortiView Internal Hubs monitor in FortiOS to monitor the connections between devices in private networks, as specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). The FortiView Internal Hubs monitor reports the IP addresses and the number of bytes collected from devices behind a FortiSwitch unit. If you drill down on one of the devices, you can see a chart displaying the devices and how they are connected.
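The aggregation the monitor performs, reduced to an added example that is not Fortinet code: given exported flow records, keep only flows whose source and destination both fall in the three RFC 1918 ranges the page names, then total bytes per internal address and record which internal devices talk to each other. The records are constructed inline. The explicit range list matters: Python's `ipaddress` `is_private` also admits loopback, link-local and other reserved ranges the page does not include, and 172.32.0.0 lies just outside 172.16.0.0/12.

```python
"""Internal-hubs style aggregation over exported flow records (added example)."""
import ipaddress
from collections import defaultdict

# Exactly the RFC 1918 ranges named on the page.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed records: (source, destination, bytes).
RECORDS = [
    ("10.1.1.20", "10.2.2.9", 5000),
    ("10.1.1.20", "8.8.8.8", 900000),     # to the internet: not an internal-hub flow
    ("192.168.5.7", "10.2.2.9", 2500),
    ("172.31.0.5", "10.2.2.9", 1000),     # last /16 inside 172.16.0.0/12
    ("172.32.0.1", "10.2.2.9", 7000),     # just outside 172.16.0.0/12
    ("10.1.1.20", "192.168.5.7", 1500),
]


def is_rfc1918(addr):
    """True only for addresses inside 10/8, 172.16/12 or 192.168/16."""
    try:
        a = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(a in net for net in RFC1918)


def internal_hubs(records):
    """Return (bytes per internal address, sorted peer list per address)."""
    bytes_by_host = defaultdict(int)
    peers = defaultdict(set)
    for src, dst, octets in records:
        if not (is_rfc1918(src) and is_rfc1918(dst)):
            continue
        bytes_by_host[src] += octets
        bytes_by_host[dst] += octets
        peers[src].add(dst)
        peers[dst].add(src)
    return dict(bytes_by_host), {h: sorted(p) for h, p in peers.items()}


def top_hubs(records, n=3):
    """The n internal addresses carrying the most bytes, largest first."""
    totals, _ = internal_hubs(records)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    totals, peers = internal_hubs(RECORDS)
    for host, octets in top_hubs(RECORDS):
        print(host, octets, "peers:", peers[host])
```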

Note
To use the FortiView Internal Hubs monitor:
  • The IP address for the flow collector (collector-ip) must be the same IP address as the FortiLink interface.
  • The FortiGate model must have a hard drive, and you must enable historical FortiView and disk logging in the Log & Report > Log Settings page.
  • FortiAnalyzer is not supported.

To enable the FortiView Internal Hubs monitor on a managed FortiSwitch unit:

config system interface
    edit <FortiLink_interface>
        set ip <IP_address_and_netmask>
        set switch-controller-netflow-collect enable
    next
end
config switch-controller flow-tracking
    config collectors
        edit <name>
            set ip <FortiLink_interface_IPv4_address>
        next
    end
end

To add the FortiView Internal Hubs monitor:
  1. Under Dashboard, click + to add a monitor.
  2. In the Add Monitor pane, click the + by FortiView Internal Hubs.
  3. From the FortiGate dropdown list, select which FortiGate device to monitor.
  4. From the Time Period dropdown list, select how long to monitor (5 minutes, 1 hour, or 24 hours).
  5. Click Add Monitor.
  6. Under Dashboard, select FortiView Internal Hubs to display the FortiView Internal Hubs page.
  7. Right-click one of the devices and select Drill Down to Details.
  8. Select the Chart or Table tab to change how the details are displayed.
