A Comprehensive Guide to Configuring NetFlow on FortiGate Firewalls

In the realm of network security and traffic analysis, visibility is paramount. Fortinet FortiGate firewalls offer robust NetFlow and IPFIX (Internet Protocol Flow Information Export) capabilities, allowing network administrators to export detailed traffic flow data to external collectors for monitoring, analytics, and security forensics. This guide synthesizes official documentation and community expertise to provide a clear path to configuration.

What is NetFlow & Why Configure It on Your FortiGate?

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow. On FortiGate devices, enabling NetFlow or its standardized successor, IPFIX, allows you to export metadata about network traffic—source/destination IPs, ports, protocols, byte counts, and interface information—to an external NetFlow Collector (like Plixer Scrutinizer, Auvik, or custom tools).

The primary benefits include:

  • Enhanced Network Visibility: Identify top talkers, applications, and traffic patterns.
  • Capacity Planning: Make informed decisions based on historical bandwidth usage.
  • Security Forensics: Analyze traffic flows during security incidents.
  • Troubleshooting: Diagnose network performance issues rapidly.

Prerequisites & Important Considerations

Before you begin, ensure you have:

  1. A FortiGate firewall running a supported FortiOS version (the exact procedure varies slightly between versions).
  2. The IP address and port of your external NetFlow Collector server.
  3. Administrative access to the FortiGate (CLI access is required for some steps).
  4. Key Decision: Choose between NetFlow v5, v9, or IPFIX. v9 and IPFIX are more flexible and support modern network features.

Step-by-Step Configuration Guide

Method 1: Configuration via FortiGate CLI (Most Reliable)

The Command Line Interface offers the most direct and consistent method across FortiOS versions. Based on the official Fortinet documentation and community tips, follow these steps:

  1. Log into the FortiGate via SSH or console.
  2. Enter the CLI and move to the global configuration context (this step applies to units running in multi-VDOM mode; on a single-VDOM unit you are already in the right context):
    config global
  3. Configure the NetFlow/IPFIX Collector:

    config system netflow
        set collector-ip <IP_ADDRESS_OF_COLLECTOR>
        set collector-port <PORT_USUALLY_2055_or_4739>
        set source-ip <SOURCE_IP_FOR_FORTIGATE>   # Optional, specifies source IP of packets.
        set active-flow-timeout 30                # Minutes (standard)
        set inactive-flow-timeout 15              # Seconds (standard)
    end

    Replace the placeholders with your collector's details. The # annotations are explanatory notes, not part of the command syntax.

  4. Apply NetFlow Sampling to Interfaces (Per Interface): You must specify which interfaces to monitor. Sampling rate 1 means sample every packet (no sampling).

    config system interface
        edit <INTERFACE_NAME>          # e.g., "port1", "wan1"
            set netflow-sampler both   # Options: tx, rx, both
            set sample-rate 1
        next
    end

  5. Enable NetFlow on VDOM (if used): If using Virtual Domains, you must enable it per VDOM and configure interfaces within that VDOM context.

    config vdom
        edit <VDOM_NAME>
            config system netflow
                set collector-ip <COLLECTOR_IP>
                set collector-port <PORT>
            end
            config system interface
                edit <INTERFACE_IN_VDOM>
                    set netflow-sampler both
                    set sample-rate 1
                next
            end
        next
    end

Method 2: Configuration via FortiGate GUI (FortiOS 6.4+)

The graphical interface provides a more accessible method, though options may vary by version.

  1. Navigate to System > Settings.
  2. In the Administration Settings section, locate NetFlow.
  3. Click Enable and enter the Collector IP and Collector Port.
  4. Apply NetFlow to interfaces:
    • Go to Network > Interfaces.
    • Edit the desired interface (e.g., WAN1).
    • Under NetFlow Sample, select Both, Tx, or Rx and set the Sample Rate (1 for all packets).
  5. Click OK and Apply the changes.

Verifying & Troubleshooting Your Configuration

  • Verify Settings in CLI: Run diagnose netflow collector status and get system netflow.
  • Check Flow Export: Use diagnose netflow flow export status to see if flows are being generated.
  • Firewall Policies: Crucially, NetFlow data is exported via the data plane. Ensure a firewall policy exists that allows traffic from the FortiGate's interface IP to the Collector IP on the specified UDP port. This is a common point of failure.
  • Collector Not Receiving Data?
    • Confirm the collector service is running and listening on the correct UDP port.
    • Verify the route between the FortiGate and the collector.
    • Check for intermediate devices (firewalls, ACLs) blocking the UDP traffic.
    • Ensure interface configuration is correct.
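When the collector shows nothing, the quickest way to separate "no datagrams arrive" from "datagrams arrive but are not decoded" is a minimal receiver on the collector host. The following is an added example written for this guide, not Fortinet code or a FortiGate feature: it listens on the configured collector port, rejects anything that is not NetFlow v9, learns template flowsets, and decodes data records only once their template has been seen, which is why a freshly started collector may stay empty until the next template refresh. The port 2055, the template field set and the two sample flows are constructed for the example.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v9 field types (RFC 3954) that appear in the constructed sample template below
NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
def parse_v9(packet, templates):
    """Decode one v9 export packet; `templates` (template id -> [(type, length)]) must persist across packets."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:  # a v5 exporter or a non-NetFlow sender shows up here instead of as silence
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template flowset: learn the record layouts it carries
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id in templates:  # data flowset: decode fixed-length records with the learnt template
            rec_len = sum(length for _, length in templates[fs_id])
            while pos + rec_len <= len(body):  # leftover bytes shorter than one record are padding
                rec = {}
                for ftype, flen in templates[fs_id]:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[NAMES.get(ftype, f"type_{ftype}")] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len  # options templates (id 1) and data whose template is still unknown are skipped
    return records
# Constructed sample flows (not a FortiGate capture): src, dst, sport, dport, protocol, bytes
SAMPLE_FLOWS = [("10.0.0.5", "192.0.2.10", 51514, 443, 6, 1500), ("10.0.0.7", "192.0.2.20", 53011, 53, 17, 120)]
def build_sample():
    """Build one export packet holding template 256 followed by a data flowset with SAMPLE_FLOWS."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    recs = b"".join(IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HHBI", *rest)
                    for s, d, *rest in SAMPLE_FLOWS)
    pad = (-len(recs)) % 4  # data flowsets are padded to a 4-byte boundary
    return (struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 1, 0)  # header: count = 1 template + 2 records
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(recs) + pad) + recs + b"\x00" * pad)

def listen(port=2055):  # the port given to `set collector-port`; one templates dict shared across datagrams
    templates, sock = {}, socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        pkt, (src, _) = sock.recvfrom(65535)
        for rec in parse_v9(pkt, templates):
            print(src, rec)
```

Run listen() on the collector host while the FortiGate is exporting; build_sample() provides an offline packet so the decoder can be checked without a device.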

Advanced Configuration & Best Practices

  • IPFIX (NetFlow v9) Template Refresh: IPFIX sends template packets. Adjust the interval if needed:
    config system netflow
        set template-tx-timeout 30   # Minutes between template resends
    end
  • Multiple Collectors: Some versions support configuring secondary collectors for redundancy.
  • Security: Use a dedicated management interface or loopback IP as the source-ip. Restrict access to the NetFlow port on your collector.

Frequently Asked Questions (FAQ)

What's the difference between NetFlow v5, v9, and IPFIX on FortiGate?

v5 is fixed-format, IPv4 only. v9 and IPFIX are template-based, extensible, and support IPv6, MPLS, and other modern data. IPFIX is the IETF standard. FortiGate typically uses v9/IPFIX.

Does enabling NetFlow impact FortiGate performance?

There is a minor CPU/memory overhead for flow processing and export. Using a sample rate higher than 1 (e.g., 1000) can reduce this impact on high-traffic interfaces.

Can I send NetFlow data to multiple collectors?

Yes, but configuration may require CLI. You can set a primary (collector-ip) and secondary (collector-ip2) collector in the netflow settings.

Why is my collector not receiving any data?

The top causes are: 1) No firewall policy allowing the export traffic, 2) Incorrect collector IP/port, 3) NetFlow not applied to the correct interfaces, or 4) Network connectivity issues.

Is NetFlow configuration per-VDOM or global?

It can be both. In multi-VDOM mode, you configure the collector within each VDOM and apply sampling to interfaces inside that VDOM.

Which UDP port should I use?

There is no official standard. 2055, 4739, 9995, and 9996 are commonly used. Ensure your collector is configured to listen on the same port.

Where can I find official documentation for my specific FortiOS version?

Always refer to the Fortinet Documentation Library and select your exact FortiOS version for the most accurate instructions.