repeatedly / fluent-plugin-netflow

Netflow plugin for Fluentd

Fortigate Netflow #48

Open Khodesaeed opened 2 years ago

Khodesaeed commented 2 years ago

Hi, has anybody succeeded in receiving Fortigate Netflow with this plugin? As I send Fortigate Netflow to my td-agent NetFlow plugin, I am facing some large error logs:

2022-05-22 08:43:44 +0430 [warn]: #0 unexpected error on parsing data="\"\\x00\\t\\x00\\x12\\xD ... \xA8q\\x00\"" error_class=RangeError error="bignum too big to convert into `unsigned long long'"
  2022-05-22 08:43:44 +0430 [warn]: #0 suppressed same stacktrace

I did try this template file, but still no luck.

I appreciate any help.

Khodesaeed commented 2 years ago

I am glad to announce that I've accomplished receiving the Fortigate Netflow traffic through the steps below. First things first, I captured the packets that are sent from the firewall with this command:

tshark -f "udp port 7070" -i ens192 -V -d "udp.port==7070,cflow" -c10 > somefile

After doing some investigation, I've found out that some types are unknown:

            Unknown Field Type: Type 66: Value (hex bytes): 00 00 00 00
            Unknown Field Type: Type 65: Value (hex bytes): 0c 0c

Finally, based on the documentation provided in the README and making use of the definitions parameter, I've accomplished parsing the incoming NetFlow traffic.

Template folder:

---
option:
  65:
  - :skip
  66:
  - :skip

Fluentd Configuration:

<source>
  @type  netflow
  tag netflow.event
  bind 0.0.0.0
  port <desire_port>
  switched_times_from_uptime yes
  definitions <path_to_the_Template_folder>
</source>

<match netflow.event>
  @type stdout
</match>

STDOUT

2022-05-22 12:33:12.000000000 +0430 netflow.event: {"version":"9","flow_seq_num":"3460764","flowset_id":"258","ipv4_src_addr":"172.30.225.49","ipv4_dst_addr":"149.154.175.54","l4_src_port":65460,"l4_dst_port":80,"tcp_flags":27,"input_snmp":37,"output_snmp":0,"direction":0,"in_bytes":626,"in_pkts":6,"src_tos":0,"protocol":6,"host":"172.30.48.254"}

Khodesaeed commented 2 years ago

Although I can get the data on STDOUT or even in a file, I can't send the data to the OpenSearch cluster with this method. I still get the error that I mentioned in the first comment.

berahtlv commented 1 year ago

For me, the error_class=RangeError error="bignum too big to convert into `unsigned long long'" error was caused by

  95:
  - 9
  - :app_id

It can be solved by

  95:
  - :string
  - :app_id

or

  95:
  - :skip

My template (the only :string field in use is :app_id):

---
option:
  1:
  - 8
  - :in_bytes
  2:
  - 4
  - :in_pkts
  4:
  - :uint8
  - :protocol
  5:
  - :uint8
  - :src_tos
  7:
  - :uint16
  - :l4_src_port
  8:
  - :ip4_addr
  - :ipv4_src_addr
  10:
  - 2
  - :input_snmp
  11:
  - :uint16
  - :l4_dst_port
  12:
  - :ip4_addr
  - :ipv4_dst_addr
  14:
  - 2
  - :output_snmp
  21:
  - :uint32
  - :last_switched
  22:
  - :uint32
  - :first_switched
  23:
  - 8
  - :out_bytes
  24:
  - 4
  - :out_pkts
  27:
  - :ip6_addr
  - :ipv6_src_addr
  28:
  - :ip6_addr
  - :ipv6_dst_addr
  32:
  - :uint16
  - :icmp_type
  34:
  - :uint32
  - :sampling_interval
  35:
  - :uint8
  - :sampling_algorithm
  36:
  - :uint16
  - :flow_active_timeout
  37:
  - :uint16
  - :flow_inactive_timeout
  40:
  - 8
  - :total_bytes_exp
  41:
  - 8
  - :total_pkts_exp
  42:
  - 8
  - :total_flows_exp
  55:
  - :uint8
  - :dst_tos
  65:
  - 2
  - :flow_flags
  66:
  - 4
  - :internet_app_id
  89:
  - :uint8
  - :forwarding_status
  94:
  - :string # 64
  - :app_desc
  95:
  - :string # 9
  - :app_id
  96:
  - :string # 64
  - :app_name
  98:
  - 1
  - :post_ip_diffserv
  136:
  - 1
  - :flow_end_reason
  225:
  - :ip4_addr
  - :post_nat_src_ipv4_addr
  226:
  - :ip4_addr
  - :post_nat_dst_ipv4_addr
  227:
  - :uint16
  - :post_nat_src_l4_port
  228:
  - :uint16
  - :post_nat_dst_l4_port
  281:
  - :ip6_addr
  - :post_nat_src_ipv6_addr
  282:
  - :ip6_addr
  - :post_nat_dst_ipv6_addr
  372:
  - :string # 32
  - :app_cat_name

scope:
  1:
  - 2
  - :system
  2:
  - :skip
  3:
  - :skip
  4:
  - :skip
  5:
  - :skip
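To make the root cause behind berahtlv's fix concrete, here is an added Ruby example; it is not code from fluent-plugin-netflow or from anyone in this thread. It builds a constructed NetFlow v9 export (one template flowset, one data flowset), reads the template the same way tshark listed the field types and lengths, and applies a definitions table shaped like the YAML above. Field 95 arrives as 9 bytes, so an integer default width of 9 asks for a 72-bit integer; the decoder refuses it with a RangeError (an emulation of the BinData conversion failure, not the plugin's own code path), while `:string` or `:skip` handles the same bytes. The packet bytes, the template layout and the `FGT-app-1` value are all constructed for the example.

```ruby
require 'ipaddr'

# Constructed template 258: [field type, on-wire length]. Types 65/66 are the
# ones tshark reported as unknown; 95 is the 9-byte application id.
TEMPLATE_FIELDS = [
  [8, 4], [12, 4], [7, 2], [11, 2], [4, 1], [1, 4], [65, 2], [66, 4], [95, 9]
]

# Definitions in the plugin's YAML shape: type => [kind_or_default_width, name].
# An Integer kind means "unsigned integer, N bytes when the template says 0".
DEFINITIONS = {
  8  => [:ip4_addr, :ipv4_src_addr],
  12 => [:ip4_addr, :ipv4_dst_addr],
  7  => [:uint16,   :l4_src_port],
  11 => [:uint16,   :l4_dst_port],
  4  => [:uint8,    :protocol],
  1  => [8,         :in_bytes],
  65 => [2,         :flow_flags],
  66 => [4,         :internet_app_id],
  95 => [9,         :app_id]          # the entry that triggers the RangeError
}.freeze

def build_packet
  tmpl_body   = [258, TEMPLATE_FIELDS.size].pack('nn') + TEMPLATE_FIELDS.flatten.pack('n*')
  template_fs = [0, 4 + tmpl_body.bytesize].pack('nn') + tmpl_body
  record = IPAddr.new('172.30.225.49').hton + IPAddr.new('149.154.175.54').hton +
           [65460, 80].pack('nn') + [6].pack('C') + [626].pack('N') +
           [0x0c0c].pack('n') + [0].pack('N') + 'FGT-app-1'.b
  data_fs = [258, 4 + record.bytesize].pack('nn') + record
  # v9 header: version, count, sys uptime, unix secs, sequence, source id
  header = [9, 2, 123_456, 1_653_200_592, 3_460_764, 0].pack('nnNNNN')
  header + template_fs + data_fs
end
PACKET = build_packet.freeze

# Decode one field's raw bytes according to its definition kind.
def decode_field(kind, bytes)
  case kind
  when :skip     then nil
  when :ip4_addr then IPAddr.new_ntoh(bytes).to_s
  when :string   then bytes.delete("\0")
  else
    unless kind.is_a?(Integer) || kind.to_s.start_with?('uint')
      raise ArgumentError, "unsupported kind #{kind.inspect}"
    end
    width = bytes.bytesize
    if width > 8 # wider than unsigned long long: the thread's failure mode
      raise RangeError, "#{width * 8}-bit integer does not fit unsigned long long"
    end
    ("\0" * (8 - width) + bytes).unpack1('Q>') # big-endian, zero-extended
  end
end

# Walk the flowsets: id 0 carries templates, ids >= 256 carry data records.
def parse_v9(packet, definitions)
  version, _count, uptime, secs, seq, source_id = packet.unpack('nnNNNN')
  raise "not NetFlow v9 (version #{version})" unless version == 9
  templates, records, unknown = {}, [], []
  offset = 20
  while offset + 4 <= packet.bytesize
    fs_id, fs_len = packet[offset, 4].unpack('nn')
    body = packet[offset + 4, fs_len - 4]
    if fs_id.zero?
      pos = 0
      while pos + 4 <= body.bytesize
        tid, nfields = body[pos, 4].unpack('nn')
        templates[tid] = body[pos + 4, nfields * 4].unpack('n*').each_slice(2).to_a
        pos += 4 + nfields * 4
      end
    elsif fs_id >= 256 && templates[fs_id]
      fields  = templates[fs_id]
      rec_len = fields.sum { |_, len| len }
      pos = 0
      while pos + rec_len <= body.bytesize # trailing padding is ignored
        record = {}
        fields.each do |type, len|
          raw = body[pos, len]
          pos += len
          defn = definitions[type]
          next unknown << [type, len] if defn.nil?
          kind, name = defn
          value = decode_field(kind, raw)
          record[name] = value unless kind == :skip
        end
        records << record
      end
    end
    offset += fs_len
  end
  { uptime: uptime, unix_secs: secs, flow_seq_num: seq, source_id: source_id,
    records: records, unknown: unknown.uniq }
end

# Re-parse with field 95 declared as the given kind (9, :string or :skip).
def parse_with(app_id_kind)
  parse_v9(PACKET, DEFINITIONS.merge(95 => [app_id_kind, :app_id]))
end

# Without definitions for 65/66 the parser reports them, as tshark did.
def undefined_types
  defs = DEFINITIONS.reject { |t, _| [65, 66].include?(t) }.merge(95 => [:string, :app_id])
  parse_v9(PACKET, defs)[:unknown]
end

if __FILE__ == $PROGRAM_NAME
  p undefined_types
  p parse_with(:string)[:records]
  begin
    parse_with(9)
  rescue RangeError => e
    puts "integer width 9 rejected: #{e.message}"
  end
end
```

The integer branch is what matters for the thread: a definition of `9` is harmless as long as the template says the field is 8 bytes or fewer, and fails only when the exporter really sends 9 bytes, which is why the same YAML works for one vendor and breaks on Fortigate.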