Manufacturer: Fortinet

Model(s): FortiSwitch FSR-124D, 4xxE, 200 series, 400 series, 500 series, 1024D, 1024E, 1048E, T1024E, 3032E

Version(s): FortiSwitchOS 7.2.3+

URL: https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/774769/flow-export

Notes:

  • Starting in FortiSwitchOS 7.0.0, you can use the CLI to configure multiple flow-export collectors, control how often the template is exported, and specify a Berkeley packet filter (BPF).
  • Layer-2 flows for NetFlow version 1 and NetFlow version 5 are not supported.
  • For 2xxE models and higher, flow export uses pseudorandom sampling (approximately 1 of x packets).
  • The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

Configuration steps

    1. To use flow export, you must first enable packet sampling for each switch port and trunk via the CLI.
    config switch interface
      edit <interface>
        set packet-sampler enabled
        set packet-sample-rate <0-99999>
      end
    2. Once packet sampling is enabled on the interfaces, go to System > Flow Export > Configure in the UI.
    3. Configure a collector.
    4. Click +.
    5. In the Name field, enter the name of the collector. This will be the Scrutinizer collector.
    6. In the IP field, enter the IPv4 address for the Scrutinizer collector.
    7. In the Port field, enter the destination port number for flow export packets. The default port for NetFlow is 2055; the default port for IPFIX is 4739. Scrutinizer will automatically detect the flow packets on any port number you choose to use.
    8. In the Transport drop-down list, select UDP for the transport of exported packets.
    9. Configure the flow export options.
    10. In the Format drop-down list, select the format of the exported flow data: NetFlow version 9 or IPFIX sampling.
    11. In the Level field, select the flow-tracking level from one of the following: IP, MAC, Port, Protocol, VLAN (see the table below for the fields that are exported).
    12. In the Max Export Packet Size (Bytes) field, enter the maximum size of exported packets at the application level.
    13. Configure timeout settings. Plixer recommends using 60 seconds as the timeout values.
      1. In the General field, enter the general timeout (seconds) for the flow session.
      2. In the ICMP field, enter the ICMP timeout (seconds) for the flow session.
      3. In the Max field, enter the number of seconds before the flow session times out.
      4. In the TCP field, enter the TCP timeout (seconds) for the flow session.
      5. In the TCP FIN field, enter the TCP FIN flag timeout (seconds) for the flow session.
      6. In the TCP RST field, enter the TCP RST flag timeout (seconds) for the flow session.
      7. In the UDP field, enter the UDP timeout (seconds) for the flow session.
    14. Configure the aggregates.
      1. Select +.
      2. In the ID field, enter a number to identify the entry or use the default value.
      3. In the IP/Netmask field, enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.
      4. To add another entry, select +.
    15. Select Update.

    Table: Flow Tracking Levels

    Exported Field MAC IP Protocol Port VLAN
    Source MAC Address        
    Destination MAC Address        
    Source IP Address  
    Destination IP Address  
    First Switched Time
    Last Switched Time
    Bytes
    Packets
    Input Interface Index
    Output Interface Index
    IP Protocol Version    
    Protocol    
    TOS    
    Source Port      
    Destination Port      
    TCP Flags      
    ICMP Type        
    VLAN ID
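
To check that the datagrams reaching the collector port match the Format chosen in the configuration steps above, the following added example (not from the Fortinet or Plixer documentation) parses an export message header per RFC 3954 (NetFlow v9) and RFC 7011 (IPFIX) and counts template and data sets. The function name `summarize_export` and the sample bytes are constructed for illustration.

```python
import struct

# Headers per RFC 3954 (NetFlow v9) and RFC 7011 (IPFIX), network byte order.
V9_HDR = struct.Struct("!HHIIII")    # version, count, sysUptime, unixSecs, sequence, sourceId
IPFIX_HDR = struct.Struct("!HHIII")  # version, length, exportTime, sequence, domainId

def summarize_export(datagram: bytes) -> dict:
    """Identify the export format and count template vs. data sets in one datagram."""
    if len(datagram) < 2:
        raise ValueError("datagram too short")
    version = struct.unpack_from("!H", datagram)[0]
    if version == 9:
        hdr, name, template_id = V9_HDR, "netflow9", 0
    elif version == 10:
        hdr, name, template_id = IPFIX_HDR, "ipfix", 2
    else:
        raise ValueError(f"unexpected export version {version}")
    if len(datagram) < hdr.size:
        raise ValueError("truncated message header")
    fields = hdr.unpack_from(datagram)
    # IPFIX carries the total message length; NetFlow v9 runs to the end of the datagram.
    end = fields[1] if version == 10 else len(datagram)
    if not hdr.size <= end <= len(datagram):
        raise ValueError("bad message length")
    out = {"format": name, "sequence": fields[-2],
           "template_sets": 0, "data_sets": 0, "other_sets": 0}
    offset = hdr.size
    while offset + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", datagram, offset)
        if set_len < 4 or offset + set_len > end:
            raise ValueError("malformed set length")
        if set_id == template_id:
            out["template_sets"] += 1
        elif set_id >= 256:          # data sets reference a template ID >= 256
            out["data_sets"] += 1
        else:                        # options templates and reserved IDs
            out["other_sets"] += 1
        offset += set_len
    return out

# Constructed samples: a v9 template flowset and an IPFIX data set (not captured traffic).
SAMPLE_V9 = V9_HDR.pack(9, 1, 1000, 1700000000, 7, 1) + struct.pack(
    "!8H", 0, 16, 256, 2, 8, 4, 12, 4)
SAMPLE_IPFIX = IPFIX_HDR.pack(10, 28, 1700000000, 3, 1) + struct.pack(
    "!HH", 256, 12) + bytes([10, 0, 0, 1, 10, 0, 0, 2])

if __name__ == "__main__":
    for sample in (SAMPLE_V9, SAMPLE_IPFIX):
        print(summarize_export(sample))
```

A collector cannot decode data sets until it has received the matching template, so a stream that shows only `data_sets` for a long time is worth checking against the template export interval mentioned in the notes.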