Fortigate Trisul Netflow configuration
Trisul can produce deep reports from the Netflow feature of Fortigate firewalls.
- Traffic analysis
- AppID visibility
- QoS DHCP
- NAT
- etc
Configuring on Fortigate
Enable system wide
    config system netflow
        set collector-ip <Trisul-IPv4-Address>
        set collector-port <2055>
    end
Enable Netflow on the LAN Interface (both tx and rx)
    config system interface
        edit <interface name>
            set netflow-sampler both
    end
Or Enable Netflow rx on all interfaces
    config system interface
        edit <interface name>
            set netflow-sampler rx
    end
If you enable "set netflow-sampler both" on all interfaces, this could result in double counting and show increased bandwidth numbers.
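The double-counting caveat above can be checked against a saved configuration. This added example (not part of the original page, and not Fortinet or Trisul tooling) parses a constructed `show system interface` excerpt and, generalizing the caveat, lists every ingress/egress interface pair whose traffic would be exported twice. It assumes an interface with no `netflow-sampler` line has sampling disabled.

```python
# Added example: audit FortiGate netflow-sampler settings for double counting.
from itertools import permutations

# Constructed sample of `show system interface` output (not taken from the page).
SAMPLE = '''config system interface
    edit "wan1"
        set netflow-sampler both
    next
    edit "lan"
        set netflow-sampler both
        config ipv6
            set ip6-mode dhcp
        end
    next
    edit "dmz"
        set vdom "root"
    next
end
'''

def sampler_by_interface(config_text):
    """Map interface name -> netflow-sampler mode from 'config system interface'."""
    samplers, current, in_block, depth = {}, None, False, 0
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_block:
            in_block = line == "config system interface"
        elif line.startswith("config "):
            depth += 1                      # nested table inside an interface
        elif line == "end":
            if depth:
                depth -= 1                  # closes the nested table
            else:
                in_block = False            # closes 'config system interface'
        elif depth:
            continue                        # ignore edit/set inside nested tables
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            samplers[current] = "disable"   # assumption: no sampler line means disabled
        elif line.startswith("set netflow-sampler ") and current:
            samplers[current] = line.split()[2]
    return samplers

def double_counted_paths(samplers):
    """Return (ingress, egress) pairs whose traffic is exported twice."""
    return sorted((a, b) for a, b in permutations(samplers, 2)
                  if samplers[a] in ("rx", "both") and samplers[b] in ("tx", "both"))

if __name__ == "__main__":
    for a, b in double_counted_paths(sampler_by_interface(SAMPLE)):
        print(f"double counted: {a} -> {b}")
```

Both configurations recommended on this page (`both` on the LAN interface only, or `rx` on every interface) produce an empty list.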
Configuration on Trisul Network Analytics
Next, on Trisul, perform the following configuration steps.
Netflow configuration file: https://www.trisul.org/docs/ref/netflow-config.html
    source /usr/local/share/trisul-probe/trisbashrc
    edit.cfg
(select option 3 to edit Netflow)
Then make the following changes:
- Set MeterAppID to TRUE (to enable AppID)
- Set IgnoreOutCounts to TRUE
- Set MeterTosAsDSCP to TRUE
Creating metering policies
After Trisul has been running for a while, it is time to configure some extra metering policies. Do the following:
- Create a Crosskey counter group called “FlowIntf_bx_QOS” with parent FlowIntf and crosskey1 Flow-TOS
- Create a Crosskey counter group called “FlowIntf_bx_GeoAS” with parent FlowIntf and crosskey1 ASNumber
- From the Netflow Wizard enable all Trackers
- From the Netflow Wizard enable all Utilization alerts
Then restart the Trisul probe.
This will be a good starting configuration for a Fortigate environment.
References
1. Fortigate Netflow https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Configure-Netflow/ta-p/196080
2. Trisul Network Analytics - Netflow configuration file https://www.trisul.org/docs/ref/netflow-config.html
vendor/forti.txt · Last modified: 2023/06/13 18:11 by veera