Fortigate Trisul Netflow configuration

Trisul can produce deep reports from Fortigate firewalls Netflow feature.

• Traffic analysis
• AppID visibility
• QoS DHCP
• NAT
• etc

# config system netflow
    set collector-ip <Trisul-IPv4-Address>
    set collector-port <2055>
end

 
config system interface 
edit <interface name>
set netflow-sampler both 
end

 
config system interface 
edit <interface name>
set netflow-sampler rx
end

Next, on Trisul perform the following configuration steps

source /usr/local/share/trisul-probe/trisbashrc edit.cfg (select option 3 to edit Netflow)

Then make the following changes

• Set MeterAppID to TRUE (to enable AppID)
• Set IgnoreOutCounts to TRUE
• Set MeterTosAsDSCP to TRUE

After Trisul has been running for a while, it is time to configure some extra metering policies. Do the following

• Create a Crosskey counter group called “FlowIntf_bx_QOS” parent as FlowIntf, crosskey1 as Flow-TOS
• Create a Crosskey counter group called “FlowIntf_bx_GeoAS” parent FlowIntf, crosskey1 as ASNumber
• From the Netflow Wizard enable all Trackers
• From the Netflow Wizard enable all Utilization alerts

Then restart the trisul probe.

This will be a good starting configuration for a Fortigate environment.

1. Fortigate Netflow https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Configure-Netflow/ta-p/196080

2. Trisul Network Analytics - Netflow configuration file https://www.trisul.org/docs/ref/netflow-config.html