Fortiswitch-1000: Using IPFIX for Network Security ForensicsDid you know there is Fortinet IPFIX support on their FortiSwitch-1000 switch?  The other day I was working with a customer who mentioned configuring his Fortinet for IPFIX.  This was a bit of a surprise to me because most Fortinet network devices that I’ve worked with support only sFlow. He said that he had a FortiSwitch-1000, and that it does offer IPFIX Support.

Why is Fortinet IPFIX support such an important change?

SFlow exports random or predetermined packet samples – not actual flows as its name would imply. Reporting on network traffic using sFlow gives you limited traffic detail visibility. When comparing sFlow packet sampling with IPFIX flow technologies in real time environments, administrators will notice immediately that the top 10 hosts or applications will differ considerably.

In real time troubleshooting scenarios, where only the last 5 or so minutes are being observed, packet sampling maybe only be about 50% accurate.  Packet sampling begins to more accurately represent the top N applications or hosts as time goes on.  For some reports (e.g. top hosts), at least an hour should pass before packet sample trends can be considered for a fairly accurate baseline.

IPFIX exports details on all of the traffic flowing through the device. By collecting all of the traffic details, you gain full visibility into all of the traffic traversing a network. By using an advanced monitoring solution, you can report and filter on anything occurring on the network. Security forensics using IPFIX becomes possible because we leverage the flows to aid in detecting advanced persistent threats that may be resident in the conversations taking place on the network.

Security benefits using IPFIX for traffic analysis and detecting advanced persistent threats.

Security forensics using IPFIX to monitor communication behaviors and even maintaining baselines is becoming more prevalent. By collecting flows representing all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network as well as moving laterally inside. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can recognize enough odd behaviors
to identify an infection. Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and provides a great additional security layer to your network intrusion prevention solution.

Let’s walk through the Fortinet IPFIX configuration.

You configure IPFIX by logging in to command line (CLI) and going to Config Mode.

From Config Mode., Type:

ipfix collector <ip_address> all

This enables IPFIX and sends IPFIX information to the collector from all switch ports. (To export information from only one port, replace all with (where is the port from which you wish to export data.)

The default report duration is 15 seconds. I recommend that you change the report duration to 60 seconds, type:

ipfix report-timer 60

The FortiSwitch-1000 sends data traffic to UDP port 2055 by default. If you wish to send traffic to a different port, type:

ipfix collector <ip_address> port <0-65535>

The default behavior of the Fortinet IPFIX Collector command is to enable IPFIX on all ports. The defaults for the parameters it configures are as follows:

  • IPFIX is disabled on all switch ports by default.
  • Switch exports flow data to service port 2055 by default.
  • There are no collectors established by default.
  • IPFIX format is set to version 9 by default.
  • The IPFIX report duration is 15 seconds by default.

Here are some configuration examples:

(Config)# ipfix collector port 2055 all

(Config)# ipfix report-timer 60

That’s it! You are now taking advantage of the available advanced network traffic analysis and security forensics using IPFIX.

Do you have Fortiswitch-1000s in your network infrastructure? We can show you how you can leverage Fortinet IPFIX flow exports to get rich network traffic details.



Scott provides Pre Sales Technical Support to the Sales team at Plixer. Scott comes from a technical support background, having years of experience doing everything from customer account management to system programming. Some of his interests include coaching youth sports programs here in Sanford, playing drums and guitar in local jam bands, and playing in neighborhood lawn dart tournaments.