Configuring NetFlow on VPN interfaces
NetFlow can be enabled on VPN interfaces (IPsec tunnel, SSL VPN tunnel, IP-in-IP tunnel, GRE tunnel and similar) as well as on FortiExtender interfaces.
Enabling NetFlow on a VPN interface does not affect NP (network processor) offloading of the tunnel traffic.
Configuration example
With the NetFlow collector already configured, enable NetFlow sampling on the IPsec tunnel interface. `netflow-sampler both` samples traffic in the tx and rx directions.
config system interface
    edit "A-to-B_vpn"
        set vdom "vdom1"
        set type tunnel
        set netflow-sampler both
        set snmp-index 42
        set interface "port3"
    next
end
Check the NetFlow sampling status. The tunnel interface should be listed under its VDOM with the configured sample direction, and the exported byte, packet and flow counters should increase while traffic passes through the tunnel.
# diagnose test application sflowd 3
===== Netflow Vdom Configuration =====
Global collector:172.18.60.80:[2055] source ip: 0.0.0.0
active-timeout(seconds):60 inactive-timeout(seconds):15
____ vdom: vdom1, index=1, is master, collector: disabled (use global config) (mgmt vdom)
    |_ coll_ip:172.18.60.80[2055],src_ip:10.1.100.1,seq_num:60,pkts/time to next template: 15/6
    |_ exported: Bytes:11795591, Packets:48160, Sessions:10 Flows:34
    |____ interface:A-to-B_vpn sample_direction:both device_index:52 snmp_index:42
Check the NetFlow flags on a session whose traffic traverses the IPsec tunnel. The `state=` line carries `netflow-origin` and `netflow-reply`, matching `set netflow-sampler both`, and the egress device in `dev=10->52` is the tunnel's `device_index:52` from the sflowd output above. Note that this session is not NP-offloaded because of `no_ofld_reason: disabled-by-policy`, not because NetFlow is enabled on the interface.
# diagnose sys session list
session info: proto=6 proto_state=01 duration=6 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=6433/120/1 reply=884384/713/1 tuples=2
tx speed(Bps/kbps): 992/7 rx speed(Bps/kbps): 136479/1091
orgin->sink: org pre->post, reply pre->post dev=10->52/52->10 gwy=10.2.2.2/10.1.100.22
hook=pre dir=org act=noop 10.1.100.22:43714->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.22:43714(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:0c:29:ac:ae:4f
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=1
serial=00003b6c tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: disabled-by-policy
total session 1
Capture packets to inspect the NetFlow export traffic that the FortiGate sends to the collector (UDP to 172.18.60.80 port 2055 in this example).
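To make sense of such a capture on the collector side, the following is an added Python example (not code from the original page or from FortiOS) that decodes NetFlow v9 export packets, the format FortiGate sends. The two packets are constructed inline: the flow records are filled from the HTTP session shown in the `diagnose sys session list` output above, while the template ID 256, the field layout, the uptime and timestamp values are assumptions chosen for illustration. The point it demonstrates is the one behind the `pkts/time to next template: 15/6` counter: a data FlowSet that arrives before its template cannot be decoded, so a collector that starts late must wait for the periodic template re-export.

```python
import struct

# NetFlow v9 field types (RFC 3954, section 8) used by the constructed template.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}

TEMPLATE_ID = 256  # assumed template ID; any value >= 256 is a data template
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def _fmt_field(ftype, raw):
    """IPv4 address fields are rendered dotted, everything else as a big-endian integer."""
    if ftype in (8, 12):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates):
    """Decode one NetFlow v9 export packet.

    `templates` maps template_id -> [(field_type, length), ...] and must persist
    across packets: data FlowSets are only decodable once their template has been
    seen. Returns (header, flow_records, undecodable_template_ids).
    """
    if len(packet) < 20:
        raise ValueError("truncated NetFlow v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    flows, missing = [], []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            # Template FlowSet: one or more (template_id, field_count, field specs...) entries.
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                spec = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = spec
        elif fs_id == 1:
            pass  # Options template FlowSet: not needed for the flow records on this page
        elif fs_id >= 256:
            spec = templates.get(fs_id)
            if spec is None:
                missing.append(fs_id)  # data before template: cannot be decoded yet
            else:
                rec_len = sum(flen for _, flen in spec)
                p = 0
                while p + rec_len <= len(body):  # any trailing bytes shorter than a record are padding
                    rec, q = {}, p
                    for ftype, flen in spec:
                        rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = _fmt_field(ftype, body[q:q + flen])
                        q += flen
                    flows.append(rec)
                    p += rec_len
        off += fs_len
    return header, flows, missing


def _v9_header(count, seq):
    # sysUptime, unix_secs and source_id are arbitrary constructed values.
    return struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, 1)


def build_template_packet(seq=59):
    """Constructed packet carrying only the template FlowSet (FlowSet ID 0)."""
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    for ftype, flen in TEMPLATE_FIELDS:
        body += struct.pack("!HH", ftype, flen)
    return _v9_header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq=60):
    """Constructed data FlowSet with the origin and reply direction of the session above."""
    records = [
        ("10.1.100.22", "172.16.200.55", 43714, 80, 6, 6433, 120),
        ("172.16.200.55", "10.1.100.22", 80, 43714, 6, 884384, 713),
    ]
    body = b""
    for src, dst, sport, dport, proto, nbytes, npkts in records:
        body += bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
        body += struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)
    body += b"\x00\x00"  # each record is 21 bytes; pad the FlowSet to a 4-byte boundary
    return _v9_header(len(records), seq) + struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def demo():
    """Collector that missed the template: data is undecodable until the template is re-sent."""
    templates = {}
    _, early_flows, early_missing = parse_netflow_v9(build_data_packet(), templates)
    parse_netflow_v9(build_template_packet(), templates)
    header, flows, missing = parse_netflow_v9(build_data_packet(), templates)
    return {"early_flows": early_flows, "early_missing": early_missing,
            "header": header, "flows": flows, "missing": missing}


if __name__ == "__main__":
    for flow in demo()["flows"]:
        print(flow)
```

The decoder deliberately keeps `templates` outside the function: in a real collector it should be keyed per exporter (source address and `source_id`) and expired when the exporter restarts, since export is plain UDP with no authentication and a stale or spoofed template would silently mis-parse every subsequent record.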