在 VPN 接口上配置 NetFlow

NetFlow 支持在 VPN 接口（如 IPSec Tunnel、SSL VPN Tunnel、IP in IP Tunnel、GRE Tunnel 等）以及 FortiExtender 接口上配置。

NetFlow 配置在 VPN 接口上时，不会影响到 NP 的加速功能。

配置举例

1. 配置 NetFlow collector 信息后，在 IPSec tunnel 接口下开启 NetFlow 采样。

   config system interface
       edit "A-to-B_vpn"
           set vdom "vdom1"
           set type tunnel
           set netflow-sampler both
           set snmp-index 42
           set interface "port3"
       next
   end

2. 查看 NetFlow 采样的状态信息。

   # diagnose test application sflowd 3
   ===== Netflow Vdom Configuration =====
   Global collector:172.18.60.80:[2055] source ip: 0.0.0.0 active-timeout(seconds):60 inactive-timeout(seconds):15
   ____ vdom: vdom1, index=1, is master, collector: disabled (use global config) (mgmt vdom)
      |_ coll_ip:172.18.60.80[2055],src_ip:10.1.100.1,seq_num:60,pkts/time to next template: 15/6
      |_ exported: Bytes:11795591, Packets:48160, Sessions:10 Flows:34
      |____ interface:A-to-B_vpn sample_direction:both device_index:52 snmp_index:42

3. 查看 IPSec 隧道内流量相关会话的 NetFlow 标记。

   # diagnose sys session list
   session info: proto=6 proto_state=01 duration=6 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
   origin-shaper=
   reply-shaper=
   per_ip_shaper=
   class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
   state=may_dirty npu netflow-origin netflow-reply
   statistic(bytes/packets/allow_err): org=6433/120/1 reply=884384/713/1 tuples=2
   tx speed(Bps/kbps): 992/7 rx speed(Bps/kbps): 136479/1091
   orgin->sink: org pre->post, reply pre->post dev=10->52/52->10 gwy=10.2.2.2/10.1.100.22
   hook=pre dir=org act=noop 10.1.100.22:43714->172.16.200.55:80(0.0.0.0:0)
   hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.22:43714(0.0.0.0:0)
   pos/(before,after) 0/(0,0), 0/(0,0)
   src_mac=00:0c:29:ac:ae:4f
   misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=1
   serial=00003b6c tos=ff/ff app_list=0 app=0 url_cat=0
   sdwan_mbr_seq=0 sdwan_service_id=0
   rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
   npu_state=0x000001 no_offload
   npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
   vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
   no_ofld_reason:  disabled-by-policy
   total session 1

4. 抓包查看 FortiGate 向 Collector 发送的 NetFlow 流量。