
NetFlow showing impossible flows


Jesse_Ohlsson
New Contributor II
Good morning, everyone. Last week, I configured one of our FortiGate 100D firewalls to send NetFlow datagrams to my new Management Center server. I began seeing data immediately. However, I'm receiving reports of impossible flows:

[Image: Fortigate_netflow_2_inline.jpg]



I sorted the flows in descending order of TX and RX Bytes in those two images, respectively.

It's just not a possible amount of traffic. This isn't the first time I've encountered these crazy NetFlow statistics with Management Center, though. Last year, at a different organization, I was testing the feasibility of using Management Center to manage a Cisco network (it isn't very feasible, by the way), and I encountered similar impossible flows when I enabled reporting on our Cisco Catalyst 6513.

My evaluation license in Management Center expired before I discovered the source of those impossible flows.

The situation at my organization now is that we have fielded Summit X440 switches at remote locations, which are using FortiGate 100D firewalls as their gateways. From a flow monitoring perspective of network management, it makes sense to collect the flow data from the firewalls (which are capable of NetFlow v9, required by Management Center). The X440 switches are not able to report NetFlow, and Management Center is unable to collect sFlow (which the X440 switches can report).

I've asked the Fortinet community about the possibility of filtering the NetFlow datagrams at the source, although their user community seems to be largely a ghost town.

Is it possible for me to ignore these flows at the Management Center? They are making half of the Analytics dashboard useless, by filling panes that sort by bandwidth with noise:

[Image: Fortigate_netflow_dashboard_inline.jpg]



Any dashboard pane that reports TopN of anything by bandwidth shows those impossible flows, masking anything of use to me about our networks.

How to make Management Center report on flows only concerning our networks? Or, how to make it ignore that noise? Those are the problems I need to solve to make NetSight Analytics of any use to us.

21 REPLIES

Jeremy_Gibbs
Contributor
Also, my brain instantly screamed routing loop when I saw that.

Jeremy_Gibbs
Contributor
If NETFLOW is reporting it, I bet it's actually true and you have more of a problem than you think.