====== Fortigate Trisul Netflow configuration ======
Trisul can produce deep reports from the Netflow feature of Fortigate firewalls, covering:
* Traffic analysis
* AppID visibility
* QoS DHCP
* NAT
* etc
===== Configuring on Fortigate =====
=== Enable system wide ===
# config system netflow
set collector-ip
set collector-port <2055>
end
=== Enable Netflow on the LAN Interface (both tx and rx) ===
config system interface
edit
set netflow-sampler both
end
=== Or Enable Netflow rx on all interfaces ===
config system interface
edit
set netflow-sampler rx
end
If you enable ''set netflow-sampler both'' on all interfaces, a flow that enters on one interface and leaves on another is exported for both, so it is double counted and Trisul shows inflated bandwidth numbers.
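Before tuning Trisul, it is worth confirming that the export is actually reaching the collector. The following is an added check (not part of FortiOS or Trisul): it listens on the collector port, parses the Netflow v9 header of each datagram and reports gaps in the export sequence number, which indicate dropped datagrams. It assumes the Fortigate exports Netflow v9 and that 2055 is the configured collector-port.

```python
import socket
import struct

# Netflow v9 export header (RFC 3954): version, count, sysUptime (ms),
# unix seconds, sequence number, source id. All fields are big-endian.
NETFLOW_V9_HEADER = struct.Struct("!HHIIII")


def parse_v9_header(datagram: bytes) -> dict:
    """Parse the 20-byte Netflow v9 header; raise ValueError on anything else."""
    if len(datagram) < NETFLOW_V9_HEADER.size:
        raise ValueError("datagram shorter than a Netflow v9 header")
    version, count, uptime, secs, seq, source_id = NETFLOW_V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"unexpected Netflow version {version}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": source_id}


class SequenceTracker:
    """Track the per-source-id export sequence; observe() returns datagrams missed."""

    def __init__(self):
        self.last = {}

    def observe(self, header: dict) -> int:
        key = header["source_id"]
        gap = 0
        if key in self.last:
            expected = (self.last[key] + 1) & 0xFFFFFFFF
            gap = (header["sequence"] - expected) & 0xFFFFFFFF
            if gap > 0x7FFFFFFF:  # sequence went backwards: reordered, not lost
                gap = 0
        self.last[key] = header["sequence"]
        return gap


def listen(port: int = 2055) -> None:
    """Bind the collector port (assumed 2055, as configured above) and report headers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    tracker = SequenceTracker()
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            hdr = parse_v9_header(data)
        except ValueError as exc:
            print(f"{src_ip}: ignored ({exc})")
            continue
        gap = tracker.observe(hdr)
        print(f"{src_ip}: source={hdr['source_id']} seq={hdr['sequence']} "
              f"flowsets={hdr['count']} lost={gap}")


if __name__ == "__main__":
    listen()
```

Run it on the collector host while Trisul is stopped (both cannot bind the same port); a steady stream with lost=0 means the Fortigate side is done.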
===== Configuration on Trisul Network Analytics =====
Next, perform the following configuration steps on Trisul.
== Netflow configuration file https://www.trisul.org/docs/ref/netflow-config.html ==
source /usr/local/share/trisul-probe/trisbashrc
edit.cfg
(select option 3 to edit Netflow)
Then make the following changes:
* Set ''MeterAppID'' to TRUE (to enable AppID)
* Set ''IgnoreOutCounts'' to TRUE
* Set ''MeterTosAsDSCP'' to TRUE
== Creating metering policies ==
After Trisul has been running for a while, it is time to configure some extra metering policies. Do the following:
* Create a Crosskey counter group called "FlowIntf_bx_QOS" with parent FlowIntf and crosskey1 Flow-TOS
* Create a Crosskey counter group called "FlowIntf_bx_GeoAS" with parent FlowIntf and crosskey1 ASNumber
* From the Netflow Wizard enable all Trackers
* From the Netflow Wizard enable all Utilization alerts
Then restart the Trisul probe.
This will be a good starting configuration for a Fortigate environment.
=== References ===
1. Fortigate Netflow https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Configure-Netflow/ta-p/196080
2. Trisul Network Analytics - Netflow configuration file https://www.trisul.org/docs/ref/netflow-config.html