By Manny Fernandez

May 2, 2019

FortiGate / Scrutinizer NetFlow Deployment

Today I had a customer talking to me about NetFlow and the FortiGate. To demonstrate the functionality, I decided to write a blog post about it. I used to use a NetFlow collector named Scrutinizer. I found that it is still available and that there is a "community" version of it, so I went ahead and downloaded it.

In this post, I will go through the deployment of the OVF as well as the FortiGate configuration (which is only a few lines).

Let’s get started.

Deploying the VM

After you download the package, you will have three files: a .vmdk disk image, a .ovf descriptor, and a .pdf.


Log into your hypervisor's management UI (the steps below follow the VMware ESXi Host Client). Choose 'Create / Register VM'.


Choose 'Deploy a virtual machine from an OVF or OVA file' and choose 'Next'.


Name the VM, drag the .ovf and .vmdk files into the box, and choose 'Next'.


Choose the network that has access to the FortiGate and choose 'Next'. NetFlow export is unencrypted UDP that describes every conversation the firewall sees, so the collector belongs on a management or monitoring network rather than a user segment.


The disk upload takes a few minutes; wait for the process to finish before you power on the VM.


Log into the VM console with the default credentials:

username: root

password: scrutinizer

Fill in the IP address, mask, gateway, DNS server as well as NTP server IP.


You will now be asked to configure TLS for the web interface. The setup script walks through a series of questions such as the HTTPS port to use and certificate parameters (e.g. key size).


You will then be asked to change the passwords for the 'root' and 'plixer' users, after which the VM reboots. Once it is back up, point your browser at the IP you assigned, including the custom HTTPS port if you chose one (in my case https://10.1.106.125).


Log in with the default web credentials 'admin' / 'admin' and choose 'LOGIN'. The setup script only rotated the OS-level accounts, so change this web password before the collector starts receiving production flows.

Configuring the Fortigate Firewall

Now we are going to SSH to the FortiGate. You can use the CLI console in the GUI instead if you prefer.


From the CLI, you configure the IP address of the Scrutinizer VM and the port it is listening on. NetFlow is carried over UDP, and the FortiGate exports NetFlow v9 to UDP 2055 by default, which Scrutinizer listens on out of the box. (UDP 6343 is the default port for sFlow, which is a different protocol with its own FortiOS configuration section; do not mix the two.)

Now we need to configure Netflow on the interface you want to track.


The NetFlow sampler is enabled per interface. The keyword 'both' exports flows in both directions (ingress and egress); 'rx' or 'tx' limits it to one direction, and 'disable' is the default.
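The screenshots in the original post showed these two configuration steps; the following is an added example of the equivalent FortiOS 6.x CLI, not the author's own capture. The collector address 10.1.106.125 comes from the post; the FortiGate source address 10.1.106.1 and the interface name "port1" are assumptions, and the two timeout values are the FortiOS defaults spelled out for clarity.

```fortios
# Added example, not from the original post. FortiOS 6.x syntax.
# Assumptions: Scrutinizer is 10.1.106.125 (from the post), the FortiGate
# exports from 10.1.106.1 (assumed), and the monitored interface is "port1"
# (assumed). Replace these with your own values.

# Step 1: where to send NetFlow. NetFlow v9 rides on UDP; FortiOS defaults to
# UDP 2055. UDP 6343 is the sFlow default and belongs to 'config system sflow',
# a different protocol that Scrutinizer decodes separately.
config system netflow
    set collector-ip 10.1.106.125
    set collector-port 2055
    set source-ip 10.1.106.1
    set active-flow-timeout 30
    set inactive-flow-timeout 15
end
# active-flow-timeout is in minutes: long-lived flows are re-exported at this
# interval so the collector sees them before they close.
# inactive-flow-timeout is in seconds of silence before a record is flushed.

# Step 2: turn the sampler on for every interface whose traffic you want
# exported. Values: disable | tx | rx | both. 'both' covers ingress and egress.
config system interface
    edit "port1"
        set netflow-sampler both
    next
end

# Step 3: confirm export datagrams are actually leaving for the collector.
# Verbosity 4 prints headers with the egress interface name; stop after 10.
diagnose sniffer packet any 'host 10.1.106.125 and udp port 2055' 4 10
```

On a unit with VDOMs enabled, `config system netflow` lives in the global context while the interface setting belongs to the VDOM that owns the interface. If the sniffer shows datagrams leaving but the dashboard stays empty, check that the collector's network allows UDP 2055 inbound and that you did not point the FortiGate at the sFlow port.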

Results

You can see in the dashboard that we are now receiving traffic. Granted, most of this information is also visible with a FortiAnalyzer, but NetFlow is a valuable technology in its own right, and the same kind of flow export can be done from FortiSwitches.


Hope this helps.
