Device Integration: FortiSwitch FS-448E Netflow

Modified on Thu, 25 Jun at 9:37 AM

Overview

To forward NetFlow data from a FortiSwitch FS-448E to ADR SIEM (aiSIEM/aiXDR), enable NetFlow on the switch, specify the ADR CCE as the collector, and configure interfaces for sampling. The CCE collects flow records for analysis by the APE (Analytics and Policy Engine), delivering comprehensive traffic visibility and proactive threat detection. 


Prerequisites

  • Administrative SSH or console access to the FortiSwitch.

  • The IP address of the ADR CCE server (NetFlow collector).

  • Firewall rules allowing outbound UDP traffic from the FortiSwitch to the CCE on the NetFlow port (default 2055).

  • (If using IPFIX) Ensure the chosen NetFlow/IPFIX port is open between the FortiSwitch and CCE.


Configuration Steps

  1. Access the FortiSwitch CLI.

    ssh admin@SwitchIP
  2. Enter NetFlow configuration mode.

    config system netflow
  3. Enable NetFlow and set the collector.

    set collector-ip <CCE_Server_IP_address>
  4. Optional: customize the collector port (default 2055; the capture in the verification section must use the same port).

    set collector-port 9995
  5. Optional: specify the source IP (the address the CCE will see as the exporter).

    set source-ip SwitchIP
  6. Exit NetFlow mode and apply the settings.

    end

Considerations

  • Consider IPFIX: IPFIX (Internet Protocol Flow Information Export) is the IETF standard derived from NetFlow version 9 and is often the preferred export format. If you use IPFIX, make sure the collector is configured to receive it and that you have adjusted the port and other settings accordingly.
  • FortiLink considerations: if your FortiSwitch is managed by a FortiGate via FortiLink, you may need to configure NetFlow within the FortiGate's VDOMs (Virtual Domains), especially when the switch is not in the management VDOM.
  • Example commands (FortiGate VDOM), where root is the VDOM name and wan1 the interface to sample:
    config vdom
    edit root
    config system vdom-netflow
    set vdom-netflow enable
    set collector-ip <collector_ip_address>
    set collector-port <port_number>
    set source-ip <source_ip_address>
    end
    config system interface
    edit wan1
    set netflow-sampler both
    end


Verification (MSSP Only)

On ADR SIEM UI

  • Log in to ADR SIEM UI.
  • Navigate to System Logs and Flows > Collection Status.
  • Confirm the FortiSwitch IP appears under Source Device IP and flow records increase.

On ADR CCE CLI

sudo tcpdump -nn -i any -A 'udp port 9995 and host SwitchIP'

Replace SwitchIP with your FortiSwitch IP (the source-ip, if you set one) and 9995 with the collector port you configured (2055 if you left the default). Packets appearing in the capture indicate active flow forwarding; -nn suppresses name and port resolution and -A prints the payload as ASCII.
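To go one step beyond "packets are arriving" and confirm which export format the switch actually sends, that it comes from the expected exporter on the expected port, and that no export packets are being dropped along the way, the following added Python example (not Fortinet's or ADR's code) parses the fixed NetFlow v9 and IPFIX export headers from a list of captured datagrams. It covers both the IPFIX consideration above and the verification step. The capture, the switch address 192.0.2.10 and the port 9995 are constructed for the example; to use it on the CCE you would feed it datagrams read from a UDP socket bound to the collector port.

```python
"""Audit NetFlow v9 / IPFIX export headers arriving at a collector.

Added illustration, not Fortinet or ADR code. Only the fixed export headers
are parsed (no template or FlowSet decoding); that is enough to confirm the
export version, the exporter address and port, and sequence continuity.
"""
import struct
from collections import defaultdict

# NetFlow v9: version, count, sysUptime, unixSecs, sequence, sourceId (20 bytes)
NETFLOW_V9_HEADER = struct.Struct("!HHIIII")
# IPFIX (RFC 7011): version, length, exportTime, sequence, observationDomainId (16 bytes)
IPFIX_HEADER = struct.Struct("!HHIII")


def parse_export_header(payload: bytes) -> dict:
    """Return the parsed fixed header of a NetFlow v9 or IPFIX datagram."""
    if len(payload) < 2:
        raise ValueError("datagram too short for a version field")
    version = struct.unpack("!H", payload[:2])[0]
    if version == 9:
        if len(payload) < NETFLOW_V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _uptime, _secs, seq, source_id = NETFLOW_V9_HEADER.unpack_from(payload)
        return {"version": 9, "records": count, "sequence": seq, "domain": source_id}
    if version == 10:
        if len(payload) < IPFIX_HEADER.size:
            raise ValueError("truncated IPFIX header")
        _, length, _time, seq, domain = IPFIX_HEADER.unpack_from(payload)
        if length != len(payload):
            raise ValueError(f"IPFIX length {length} != datagram size {len(payload)}")
        return {"version": 10, "records": None, "sequence": seq, "domain": domain}
    raise ValueError(f"unsupported export version {version}")


def audit_export(datagrams, switch_ip: str, collector_port: int) -> dict:
    """datagrams: iterable of (src_ip, dst_port, payload) as seen on the CCE.

    Counts accepted packets per version, packets from other hosts, packets
    sent to the wrong port, unparseable datagrams, and sequence gaps.
    NetFlow v9 sequence numbers count export packets, so each accepted packet
    must be previous + 1; IPFIX sequence numbers count data records, so only
    a decrease is reported as a gap.
    """
    report = {"by_version": defaultdict(int), "foreign_source": 0,
              "wrong_port": 0, "malformed": 0, "sequence_gaps": []}
    last_seq = {}
    for src_ip, dst_port, payload in datagrams:
        if src_ip != switch_ip:
            report["foreign_source"] += 1
            continue
        if dst_port != collector_port:
            report["wrong_port"] += 1
            continue
        try:
            hdr = parse_export_header(payload)
        except ValueError:
            report["malformed"] += 1
            continue
        report["by_version"][hdr["version"]] += 1
        key = (hdr["version"], hdr["domain"])
        if key in last_seq:
            prev, seq = last_seq[key], hdr["sequence"]
            gap = seq != prev + 1 if hdr["version"] == 9 else seq < prev
            if gap:
                report["sequence_gaps"].append((key, prev, seq))
        last_seq[key] = hdr["sequence"]
    report["by_version"] = dict(report["by_version"])
    return report


def build_v9(seq: int, records: int = 2, source_id: int = 1) -> bytes:
    # Constructed sample: header plus filler where real packets carry FlowSets.
    return NETFLOW_V9_HEADER.pack(9, records, 1000, 1_700_000_000, seq, source_id) + b"\x00" * 8


def build_ipfix(seq: int, domain: int = 1, body: bytes = b"\x00" * 8) -> bytes:
    # Constructed sample with a correct total-length field.
    return IPFIX_HEADER.pack(10, IPFIX_HEADER.size + len(body), 1_700_000_000, seq, domain) + body


SWITCH_IP = "192.0.2.10"     # placeholder for the FortiSwitch source-ip
COLLECTOR_PORT = 9995        # the collector-port configured on the switch

# Constructed capture: (source IP, destination port, UDP payload)
SAMPLE_CAPTURE = [
    (SWITCH_IP, 9995, build_v9(seq=1)),
    (SWITCH_IP, 9995, build_v9(seq=2)),
    (SWITCH_IP, 9995, build_v9(seq=5)),         # packets 3 and 4 never arrived
    (SWITCH_IP, 9995, build_ipfix(seq=100)),
    (SWITCH_IP, 9995, build_ipfix(seq=103)),    # IPFIX counts records; a jump is fine
    ("192.0.2.99", 9995, build_v9(seq=1)),      # some other exporter
    (SWITCH_IP, 2055, build_v9(seq=6)),         # switch left on the default port
    (SWITCH_IP, 9995, b"\x00\x09\x00"),         # truncated datagram
]

if __name__ == "__main__":
    print(audit_export(SAMPLE_CAPTURE, SWITCH_IP, COLLECTOR_PORT))
```

A non-empty sequence_gaps list for version 9 usually means the firewall between switch and CCE is dropping or rate-limiting the UDP stream; a non-zero wrong_port count is the typical symptom of setting collector-port on the switch but leaving the collector and the tcpdump filter on 2055 (or the other way round).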

