1. FortiGate Traffic-Monitoring Concepts
FortiGate inspects every packet and can keep counters on:
- Interfaces: total bytes in/out per physical or VLAN interface
- Policies: traffic matched per firewall rule
- Sources / Destinations: aggregated by IP address in FortiView
- Applications: using the Application Control engine’s counters
You can view these counters in real time (for troubleshooting), or log them for historical trending and reporting (e.g., via FortiAnalyzer or third-party tools).
2. GUI-Based Monitoring
2.1 Interface Bandwidth Widget
FortiGate’s dashboard can display live graphs for every interface:
- Log in to the web console (`https://<firewall-ip>`).
- Go to Dashboard → Status (or Dashboard → Main in older FortiOS versions).
- Click + Add Widget, then select Interface Bandwidth Monitor.
- Choose the interface(s) you want to track (e.g., `wan1`, `lan1`).
Once added, the widget refreshes every 20 seconds, showing current throughput and peak values. Hover over the graph to drill down into specific time slots.
2.2 FortiView Traffic
For deeper visibility, use FortiView:
- Navigate to FortiView → Sources (or Destinations, Applications, etc.).
- At the top-right, select your timeframe (Last 5 minutes, 1 hour, today, custom).
- FortiView lists the top 10 (or 50) talkers by bytes transferred. Click an IP to see session details, protocols, and bytes in/out.
This view is invaluable for quickly identifying which users or applications are consuming the most bandwidth at any given moment.
3. CLI-Based Monitoring
When you need a scripted or SSH-only approach, the CLI provides several commands:
3.1 System-Wide Throughput
# Shows aggregate traffic through the firewall engine, plus CPU/memory
get system performance status
This command reports packets per second, session counts, and CPU/memory usage, but does not break down by interface.
3.2 Per-Interface Counters
# Replace portX with your interface (e.g., wan1, port2)
get hardware nic portX
This displays bytes in/out, errors, and link status for that physical port.
3.3 Real-Time Interface Monitoring
# Shows a continuous, live view of packets and bytes on the interface
diagnose netlink interface monitor portX
Press Ctrl-C to stop. This is similar to iftop on Linux but built into FortiOS. If your FortiOS build does not offer the monitor subcommand, run diagnose netlink interface list portX twice a known number of seconds apart and subtract the byte counters to get the same rate.
4. Per-Source & Per-Application Monitoring
4.1 Bandwidth per Source IP
FortiView (GUI) is the easiest: FortiView → Sources, choose your timeframe, and see bytes sent and received per source IP (the real-time view shows current bandwidth instead of a total).
For a CLI approach, you can leverage the Application Control counters (if enabled) to see which apps consume the most bandwidth:
# Clear old stats
diagnose stats app-stat-clear
# Wait a short period (e.g., 30–60 seconds), then run:
diagnose stats app-bandwidth
This returns a list of applications and their bytes-per-second rate. While it’s application-centric, you can correlate heavy-use apps back to source IPs in FortiView.
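The per-source, per-application and per-conversation totals that FortiView computes come from the same traffic log records the firewall emits when a policy has logging enabled (see section 6). The script below is an added example, not FortiOS or Fortinet code, that aggregates such records offline: it parses FortiGate's key=value traffic log format and ranks talkers by source IP, by application, by policy, or by (source, destination, port) conversation, which is the same breakdown section 5.2 describes for NetFlow. The four log lines are constructed for this example; the field names (srcip, dstip, dstport, app, policyid, sentbyte, rcvdbyte) are the ones FortiGate uses.

```python
"""Aggregate FortiGate traffic logs into top talkers, the way FortiView does.

Constructed example. The SAMPLE_LOGS lines imitate FortiGate's key=value
traffic log layout (type="traffic" subtype="forward"); they are not real logs.
"""
import re
from collections import defaultdict

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]+)')

SAMPLE_LOGS = """\
date=2024-03-04 time=09:15:02 type="traffic" subtype="forward" srcip=10.10.1.25 srcport=51234 srcintf="lan1" dstip=203.0.113.10 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=5 service="HTTPS" app="Microsoft.Teams" sentbyte=51200 rcvdbyte=2048000
date=2024-03-04 time=09:15:07 type="traffic" subtype="forward" srcip=10.10.1.25 srcport=51301 srcintf="lan1" dstip=198.51.100.7 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=5 service="HTTPS" app="YouTube" sentbyte=10240 rcvdbyte=7340032
date=2024-03-04 time=09:15:09 type="traffic" subtype="forward" srcip=10.10.2.8 srcport=40022 srcintf="lan1" dstip=203.0.113.10 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=5 service="HTTPS" app="Microsoft.Teams" sentbyte=4096 rcvdbyte=819200
date=2024-03-04 time=09:15:11 type="traffic" subtype="forward" srcip=10.10.2.8 srcport=40025 srcintf="lan1" dstip=192.0.2.44 dstport=22 dstintf="wan1" proto=6 action="deny" policyid=0 service="SSH" sentbyte=0 rcvdbyte=0
"""


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict of strings (quotes stripped)."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def aggregate(lines, key_fields):
    """Sum sent/received bytes and count sessions, grouped by the given fields.

    A record missing one of the grouping fields (e.g. a denied session with no
    app) is grouped under "-" rather than dropped, so totals stay complete.
    """
    totals = defaultdict(lambda: {"sent": 0, "rcvd": 0, "sessions": 0})
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue  # only traffic logs carry byte counters
        group = tuple(rec.get(f, "-") for f in key_fields)
        entry = totals[group]
        entry["sent"] += int(rec.get("sentbyte", 0))
        entry["rcvd"] += int(rec.get("rcvdbyte", 0))
        entry["sessions"] += 1
    return totals


def top_talkers(lines, key_fields=("srcip",), n=10):
    """Return [(group, total_bytes), ...] sorted by total bytes, largest first."""
    totals = aggregate(lines, key_fields)
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["sent"] + kv[1]["rcvd"], reverse=True)
    return [(group, e["sent"] + e["rcvd"]) for group, e in ranked[:n]]


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for title, fields in (("Sources", ("srcip",)),
                          ("Applications", ("app",)),
                          ("Policies", ("policyid",)),
                          ("Conversations", ("srcip", "dstip", "dstport"))):
        print(f"== Top {title} ==")
        for group, total in top_talkers(lines, fields):
            print(f"  {' '.join(group):45s} {total:>12,d} bytes")
```

Feed it real records by reading a syslog file or a FortiAnalyzer CSV export instead of SAMPLE_LOGS; the grouping fields are any keys present in the log line, so the same function answers "which policy carries the most traffic" and "which source talks to which destination port".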
5. External Integration & Historical Reporting
5.1 SNMP Polling
Enable SNMP on your FortiGate and poll the standard IF-MIB interface counters with tools like Cacti, Zabbix, or LibreNMS. Prefer the 64-bit `ifHCInOctets` / `ifHCOutOctets` counters over the 32-bit `ifInOctets` / `ifOutOctets`, which wrap in well under a minute on a saturated gigabit link and produce bogus spikes unless the poller handles the wrap. Use SNMPv3 with authentication and privacy rather than a v2c community string, and restrict polling to the collector's address. SNMP gives you long-term graphing without filling the FortiGate's internal storage.
5.2 NetFlow / sFlow
Export flow records to a collector (e.g., ntopng, nfdump, or commercial solutions). NetFlow lets you see who talked to whom, on which ports, and how much data was transferred, all broken down per conversation. sFlow is enabled per interface and gives similar visibility from sampled packets rather than complete flow records, so its byte counts are estimates.
5.3 FortiAnalyzer & On-Box Reports
If your model has internal storage (SSD) or you have a FortiAnalyzer appliance:
- On-box: Enable on-box reporting (`config log report setting`). FortiGate can generate daily bandwidth reports.
- FortiAnalyzer: Use pre-defined bandwidth and traffic reports under Report → Traffic. You can schedule PDFs or CSV exports for management.
6. Best Practices & Capacity Planning
- Logging: Ensure your key policies log all sessions (`set logtraffic all` on the policy) so FortiView and FortiAnalyzer have complete data; a policy that logs only security events is invisible in bandwidth reports.
- HTTPS Inspection: Without SSL deep inspection, FortiView only sees hostnames (from the certificate or SNI), not full URLs. Plan your CA certificate deployment to clients accordingly.
- Session Flush: After major policy or logging changes, sessions that were already established may keep running under their old match. To force re-evaluation, clear the session table. This drops every active connection, including your own SSH session, so do it in a maintenance window, or narrow it first with diagnose sys session filter:
diagnose sys session clear
- Threshold Alerts: Use SNMP-based monitoring tools to alert on interface utilization thresholds (e.g., 80% of link capacity).
- Regular Review: Schedule weekly or monthly capacity reviews. Compare peak utilization against your ISP contract to decide on upgrades before congestion hits.
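The SNMP polling in section 5.1 and the utilization alerting above both come down to the same arithmetic: subtract two successive octet counters, handle a possible wrap, convert to bits per second, and compare with the link speed. The following is an added example, not FortiOS or Fortinet code, that implements that layer in Python; it assumes an external poller (for instance `snmpget -v3 ... IF-MIB::ifHCInOctets.<ifIndex>` on a cron interval) supplies the readings. The OIDs are the standard IF-MIB ones; the sample counter values and the 1 Gbit/s link speed are constructed for the demonstration.

```python
"""Turn successive IF-MIB octet counters into throughput, utilization and alerts.

Constructed example. The counter readings in __main__ are invented; in
production they come from polling the OIDs below on a fixed interval.
"""
from dataclasses import dataclass
from typing import Optional

# Standard IF-MIB OIDs (RFC 2863). The HC variants are 64-bit counters.
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"
IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"
IF_HIGH_SPEED = "1.3.6.1.2.1.31.1.1.1.15"   # link speed in Mbit/s
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"        # legacy 32-bit counters
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"


def counter_delta(prev: int, cur: int, bits: int = 64) -> int:
    """Difference between two counter readings, tolerating a single wrap-around."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def seconds_to_wrap(bits: int, speed_bps: float) -> float:
    """How long a saturated link takes to wrap a counter of this width."""
    return (1 << bits) * 8 / speed_bps


@dataclass
class Sample:
    t: float          # seconds (e.g. time.time()) when the counters were read
    in_octets: int
    out_octets: int


class LinkMonitor:
    """Tracks one interface; call update() once per poll."""

    def __init__(self, name: str, speed_bps: float,
                 threshold: float = 0.8, counter_bits: int = 64):
        self.name = name
        self.speed_bps = speed_bps
        self.threshold = threshold        # alert at this fraction of link capacity
        self.counter_bits = counter_bits  # 64 for ifHC*, 32 for ifInOctets/ifOutOctets
        self.prev: Optional[Sample] = None

    def update(self, sample: Sample) -> Optional[dict]:
        """Return rates for the interval since the previous poll (None on the first poll)."""
        if self.prev is None:
            self.prev = sample
            return None
        dt = sample.t - self.prev.t
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        in_bps = counter_delta(self.prev.in_octets, sample.in_octets, self.counter_bits) * 8 / dt
        out_bps = counter_delta(self.prev.out_octets, sample.out_octets, self.counter_bits) * 8 / dt
        self.prev = sample
        # Full-duplex link: utilization is the busier direction, not the sum.
        util = max(in_bps, out_bps) / self.speed_bps
        return {"interface": self.name, "in_bps": in_bps, "out_bps": out_bps,
                "utilization": util, "alert": util >= self.threshold}


if __name__ == "__main__":
    mon = LinkMonitor("wan1", speed_bps=1_000_000_000)   # 1 Gbit/s WAN link
    mon.update(Sample(t=0, in_octets=12_000_000_000, out_octets=3_000_000_000))
    print(mon.update(Sample(t=60, in_octets=18_600_000_000, out_octets=3_300_000_000)))
    print(f"32-bit counter wraps every {seconds_to_wrap(32, 1e9):.1f} s at 1 Gbit/s")
```

Two practical points the code makes explicit: a 32-bit counter on a gigabit link wraps in about 34 seconds, so a 60-second poll of `ifInOctets` can miss a whole wrap and under-report, which is why the 64-bit `ifHC*` counters belong in the poller; and utilization on a full-duplex link is the busier direction, not the sum of both, so a threshold of 0.8 means 800 Mbit/s in either direction.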