Interpreting NNA Data
Re: Interpreting NNA Data
Thanks for the update. Look forward to anything you learn and can share.
Re: Interpreting NNA Data
I spoke to Fortinet support and they are looking for what fields the template is missing?
Also by their request I spun up PRTG because that is what they use to test. While sending both sFlow and NetFlow to PRTG the values are even worse. I'll attach a picture; sFlow is the left side and NetFlow the right. sFlow says 162,000 GB and NetFlow says 2GB, in the same 15 minute period... This has me leaning towards my firewall being on the complete fritz. Fortinet has configs and logs and is going over them. I whited out some of my IPs, sorry for the not so clean look.
Re: Interpreting NNA Data
I have included a screen shot of a Wireshark decode from the tcpdump data you posted from your Fortigate device.
I think the BYTES field should be labelled as IN_BYTES and the PKTS field should be labelled as IN_PKTS.
If those labels get updated, it may fix the issue as the nfcapd files are confusing the OUT_BYTES as the IN_BYTES and that is doubling your data and throwing all of the calculations off.
Be sure to check out our Knowledgebase for helpful articles and solutions!
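To make the IN_BYTES / OUT_BYTES point above concrete, here is an added example (not code from the thread, Nagios or Fortinet) that decodes a NetFlow v9 template flowset and its data records, names each field by its RFC 3954 type id, and shows how a collector that folds the OUT_BYTES column into the inbound counter inflates the totals. The packet is constructed inline for the demonstration; the FIELD_NAMES map covers only the types used here.

```python
import struct

# RFC 3954 NetFlow v9 field type ids used here (field names as the thread spells them).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 8: "IPV4_SRC_ADDR",
               12: "IPV4_DST_ADDR", 23: "OUT_BYTES", 24: "OUT_PKTS"}

def parse_v9(packet):
    """Return (templates, flows): templates maps template id -> [(type, length)],
    flows is one dict per data record keyed by field name."""
    version, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, templates, flows = 20, {}, []
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: template id, field count, then (type, length) pairs
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset decoded via its template
            fields, p = templates[fs_id], 0
            rec_len = sum(length for _, length in fields)
            while p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"TYPE_{ftype}")] = int.from_bytes(body[p:p + flen], "big")
                    p += flen
                flows.append(rec)
        off += fs_len
    return templates, flows

def build_sample_packet():
    """Constructed sample: one template (id 256) carrying both IN_ and OUT_ counters, two flows."""
    fields = [(8, 4), (12, 4), (1, 4), (2, 4), (23, 4), (24, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    recs = [(0x0A000001, 0x0A000002, 1500, 10, 3000, 20), (0x0A000003, 0x0A000004, 500, 5, 0, 0)]
    data = b"".join(struct.pack("!IIIIII", *r) for r in recs)
    header = struct.pack("!HHIIII", 9, 2, 1000, 1490000000, 1, 0)  # version 9, 2 flowsets
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data

def inbound_bytes(flows, mislabelled=False):
    """Sum IN_BYTES; with mislabelled=True also fold OUT_BYTES into the inbound column,
    which is the conflation the thread attributes to the nfcapd files."""
    return sum(f.get("IN_BYTES", 0) + (f.get("OUT_BYTES", 0) if mislabelled else 0) for f in flows)
```

Running parse_v9 over a tcpdump of the real export and printing templates[tid] shows exactly which type ids the device sends, which is the check Fortinet was asking for.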
Re: Interpreting NNA Data
I relayed the information for Fortinet. Thank you for the quick clarification!
Edit 1: 4/12/2017 - Relayed some more information back and forth with Fortinet. Still working on the issue...
Edit 2: 4/26/2017 - Still working on it. Losing hope this will get rectified..
Edit 3: 5/8/2017 - Gave them more of the same diags. The ticket is open but hope is lost.
Disregard - Disapproved - Edit 4: 5/23/2017 - As it stands Fortinet has gotten absolutely nowhere on this. However, actively troubleshooting myself, I can't replicate the issue on the 5.2.xx firmware. That is, it works perfectly on an identical Fortigate running 5.2.9 whereas all of these problems arise in the 5.4.x firmware release. As spoken about prior in this discussion the data is still doubled; however, aside from that column, it is all correct.
Last edited by ahoward12 on Wed Jun 28, 2017 12:22 pm, edited 5 times in total.
Re: Interpreting NNA Data
No problem. Let us know what you find out from Fortigate.
Re: Interpreting NNA Data
Hey Gents, per all of the updates in my last reply Fortinet has really been dragging themselves with this. Here is what they asked me yesterday... The "Fortinet Template" is what I attached from your previous reply of the Wireshark decode.
Any help is appreciated!
I think they want your template, the data fields you're expecting to be filled with their Netflow data.
Hi Ayrek,
Based on the attachment "Fortinet Template.png" on 3/28/2017 5:05:00 PM, could you please get the wireshark or tcpdump file that shows the field information? Or any related information like Nagios template used to collect the data?
Re: Interpreting NNA Data
I captured some flow data from a Cisco ASA5505 that I have access to and the screen capture shows the fields that are working on my NNA server.
Pass it along to Fortigate so they can take a look at it.
When you ask Fortigate that it works with the 5.2.9 version but not the 5.4.x version, what do they say about that?
Re: Interpreting NNA Data
I relayed the message back to Fortinet. Thank you.
The prior update of it working on a 5.2.9 was a select case, the same issues are being seen on both firmwares. I thought I updated the post again, sorry I forgot.
Re: Interpreting NNA Data
You're welcome, no problem about updating the post.
Re: Interpreting NNA Data
Fortinet came back and asked me this after 5 months...
I hope this doesn't sound like a stupid question, but in order to see the same thing as Nagios support, can Nagios confirm which Netflow dissector they are using with Wireshark?