1. FortiGate Traffic-Monitoring Concepts

FortiGate inspects every packet and can keep counters on:

  • Interfaces: total bytes in/out per physical or VLAN interface
  • Policies: traffic matched per firewall rule
  • Sources / Destinations: aggregated by IP address in FortiView
  • Applications: using the Application Control engine’s counters

You can view these counters in real time (for troubleshooting), or log them for historical trending and reporting (e.g., via FortiAnalyzer or third-party tools).

2. GUI-Based Monitoring

2.1 Interface Bandwidth Widget

FortiGate’s dashboard can display live graphs for every interface:

  1. Log in to the web console (https://<firewall-ip>).
  2. Go to Dashboard → Status (or Dashboard → Main in older FortiOS versions).
  3. Click + Add Widget, then select Interface Bandwidth Monitor.
  4. Choose the interface(s) you want to track (e.g., wan1, lan1).

Once added, the widget refreshes every 20 seconds, showing current throughput and peak values. Hover over the graph to drill down into specific time slots.

2.2 FortiView Traffic

For deeper visibility, use FortiView:

  1. Navigate to FortiView → Sources (or Destinations, Applications, etc.).
  2. At the top-right, select your timeframe (Last 5 minutes, 1 hour, today, custom).
  3. FortiView lists the top 10 (or 50) talkers by bytes transferred. Click an IP to see session details, protocols, and bytes in/out.

This view is invaluable for quickly identifying which users or applications are consuming the most bandwidth at any given moment.

3. CLI-Based Monitoring

When you need a scripted or SSH-only approach, the CLI provides several commands:

3.1 System-Wide Throughput

# Shows aggregate traffic through the firewall engine, plus CPU/memory
get system performance status

This command reports packets per second, session counts, and CPU/memory usage, but does not break down by interface.

3.2 Per-Interface Counters

# Replace portX with your interface (e.g., wan1, port2)
get hardware nic portX

This displays bytes in/out, errors, and link status for that physical port.

3.3 Real-Time Interface Monitoring

# Shows a continuous, live view of packets and bytes on the interface
diagnose netlink interface monitor portX

Press Ctrl-C to stop. This is similar to iftop on Linux but built into FortiOS.

4. Per-Source & Per-Application Monitoring

4.1 Bandwidth per Source IP

FortiView (GUI) is the easiest: FortiView → Sources, choose your timeframe, and see instantaneous bps per IP.

For a CLI approach, you can leverage the Application Control counters (if enabled) to see which apps consume the most bandwidth:

# Clear old stats
diagnose stats app-stat-clear

# Wait a short period (e.g., 30–60 seconds), then run:
diagnose stats app-bandwidth

This returns a list of applications and their bytes-per-second rate. While it’s application-centric, you can correlate heavy-use apps back to source IPs in FortiView.

5. External Integration & Historical Reporting

5.1 SNMP Polling

Enable SNMP on your FortiGate and poll the standard interface OIDs (ifInOctets / ifOutOctets) with tools like Cacti, Zabbix, or LibreNMS. SNMP gives you long-term graphing without filling the FortiGate’s internal storage.

5.2 NetFlow / sFlow

Export flow records to a collector (e.g., ntopng, nfdump, or commercial solutions). NetFlow lets you see who talked to whom, on which ports, and how much data was transferred — all broken down per conversation. sFlow can be configured on WAN interfaces for similar visibility.

5.3 FortiAnalyzer & On-Box Reports

If you have an internal SSD or a FortiAnalyzer appliance:

  • On-box: Enable on-box reporting (config log report setting). FortiGate can generate daily bandwidth reports.
  • FortiAnalyzer: Use pre-defined bandwidth and traffic reports under Report → Traffic. You can schedule PDFs or CSV exports for management.

6. Best Practices & Capacity Planning

  • Logging: Ensure your key policies log all sessions (set logtraffic all) so FortiView and FortiAnalyzer have complete data.
  • HTTPS Inspection: Without SSL deep inspection, FortiView only sees domains, not full URLs — plan your certificate deployment accordingly.
  • Session Flush: After major changes, clear existing sessions to apply new counters immediately. Clearing the session table interrupts active connections, so run it in a maintenance window:
      execute clear session all
  • Threshold Alerts: Use SNMP-based monitoring tools to alert on interface utilization thresholds (e.g., 80% of link capacity).
  • Regular Review: Schedule weekly or monthly capacity reviews. Compare peak utilization against your ISP contract to decide on upgrades before congestion hits.
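
The SNMP polling in 5.1 and the 80% threshold alert above, as an added example (not from the original article): Python that turns two polls of ifInOctets / ifOutOctets into link utilization, handles the 32-bit counter wrap, and flags directions at or over the threshold. The sample values, function names, and the 100 Mbit/s link speed are constructed; ifHCInOctets / ifHCOutOctets are the 64-bit IF-MIB counters, which the article does not mention.

```python
from dataclasses import dataclass

COUNTER32 = 2**32  # ifInOctets/ifOutOctets are 32-bit and wrap
COUNTER64 = 2**64  # ifHCInOctets/ifHCOutOctets (IF-MIB 64-bit variants)


@dataclass
class Sample:
    """One poll of an interface: time in seconds plus octet counters."""
    ts: float
    in_octets: int
    out_octets: int


def delta(old, new, modulus=COUNTER32):
    """Counter difference that survives one wrap between polls."""
    return (new - old) % modulus


def utilization(prev, cur, link_bps, modulus=COUNTER32):
    """Return bits per second and percent of link capacity per direction."""
    interval = cur.ts - prev.ts
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    result = {}
    for name, old, new in (("in", prev.in_octets, cur.in_octets),
                           ("out", prev.out_octets, cur.out_octets)):
        bps = delta(old, new, modulus) * 8 / interval
        result[name] = {"bps": bps, "pct": 100 * bps / link_bps}
    return result


def wrap_period(link_bps, modulus=COUNTER32):
    """Seconds a saturated link needs to wrap the counter; poll faster."""
    return modulus * 8 / link_bps


def breaches(util, threshold_pct=80.0):
    """Directions at or above the alert threshold."""
    return [d for d, v in util.items() if v["pct"] >= threshold_pct]


if __name__ == "__main__":
    # Constructed samples: wan1, 100 Mbit/s link, polled 60 s apart.
    # The inbound counter wraps past 2**32 between the two polls.
    prev = Sample(ts=0, in_octets=4_294_000_000, out_octets=1_000_000)
    cur = Sample(ts=60, in_octets=629_032_704, out_octets=76_000_000)
    util = utilization(prev, cur, link_bps=100_000_000)
    print(util, breaches(util))
```

On a 1 Gbit/s link wrap_period returns about 34 seconds, so a 60-second poll of the 32-bit counters can miss a wrap; poll the 64-bit counters and pass modulus=COUNTER64 in that case.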
Last modified: May 22, 2025
