Friday, May 3, 2013

Basic sflow configuration on fortigate

In this post we are going to look at sFlow with IPv4 on a FortiGate firewall.


First, configure the sFlow collector details. I'm running sflowd on a Unix host inside the network.



My sFlow daemon is configured for port 7001 and uses UDP.


config system sflow
    set collector-ip 10.10.100.9
    set collector-port 7001
end


Next we enable the sFlow sampler on the interface(s) that should export flows, together with the sample rate and polling interval (the sample-rate, polling-interval and sflow-sampler lines in the interface config below).

config system interface
    edit "NET01"
        set vdom "root"
        set ip x.x.x.2 255.255.255.0
        set allowaccess ping https ssh
        set sample-rate 100
        set polling-interval 10
        set alias "EXT_NTWORK1 LAX"
            config ipv6
                set ip6-address 2001:xx:xx:1::20/64
                set ip6-allowaccess ping https ssh
            end
        set sflow-sampler enable
        set interface "port1"
        set vlanid 123
    next
end



Now the FortiGate will export sFlow datagrams to the collector so that we can run analysis.

Using tshark 1.12.x or any sFlow capture tool, we can validate that flows are being exported:

781 100.308855  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 780, 2 samples
782 100.431476  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 781, 1 samples
783 100.569314  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 782, 1 samples
784 100.661278  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 783, 1 samples
785 100.802293  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 784, 1 samples
786 100.924704  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 785, 1 samples
787 101.029858  10.10.100.1 -> 10.10.100.9  sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 786, 1 samples
788 101.192785  10.10.100.1 -> 10.10.

Here's a decode of an sFlow datagram carrying a sampled Ethernet frame header (a layer 2 sample):

InMon sFlow
    datagram version: 5
    address type: IP_V4 (1)
    agent address: 10.10.100.1 (10.10.100.1)
    Sub-agent ID: 0
    Sequence number: 1893
    SysUptime: 225000
    NumSamples: 1
    Flow sample, seq 1893, Raw header
        0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
        .... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
        Sample length: 132
        Sample sequence number: 1893
        Source ID type: ifIndex (0)
        Source ID index: 23
        Sampling rate: 100
        Sample pool: 188800
        Dropped packets: 0
        Input interface index: 0
        0... .... .... .... .... .... .... .... = Multiple outputs: No
        Output interface index: 23
        Number of records: 1
        Sample type: Raw header (1)
        Recordlength: 92
        Header protocol: Ethernet (1)
        Framelength: 74
        Stripped bytes: 4
        Headerlength: 76
        Header of sampled packet: 00169C6F680000090F093C0208004500003C000040003F06...
            Ethernet II, Src: Fortinet_09:3c:02 (00:09:0f:09:3c:02), Dst: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                Destination: Cisco_6f:68:00 (00:16:9c:6f:68:00)
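As an added example (not code from the original post), here is a small Python builder and parser for the sFlow v5 layout shown in the decode above: it constructs a datagram from the decoded field values and parses it back, reproducing the 132-byte sample and 92-byte record lengths. The only assumption is the sampled header, which is the 24 bytes visible in the decode zero-padded to 76; a collector-side check like this is how you confirm that the agent address and ifIndex are the ones you configured, since sFlow is plain unauthenticated UDP.

```python
import struct
from ipaddress import IPv4Address

# Constructed stand-in for the first sFlow v5 datagram decoded above: the field
# values are copied from that decode, but the sampled header is only the 24
# bytes visible there (Ethernet + start of IPv4) zero-padded to 76 bytes.
SAMPLED_HDR = bytes.fromhex("00169C6F680000090F093C0208004500003C000040003F06") + bytes(52)

def build_datagram():
    # Raw packet header record (format 1): protocol Ethernet (1), frame length,
    # stripped bytes (the FCS), header length, then the header bytes.
    rec_body = struct.pack("!4I", 1, 74, 4, len(SAMPLED_HDR)) + SAMPLED_HDR
    record = struct.pack("!2I", 1, len(rec_body)) + rec_body
    # Flow sample (enterprise 0, format 1): seq, source id (type << 24 | ifIndex),
    # sampling rate, sample pool, drops, input ifIndex, output ifIndex, record count.
    fs_body = struct.pack("!8I", 1893, (0 << 24) | 23, 100, 188800, 0, 0, 23, 1) + record
    sample = struct.pack("!2I", 1, len(fs_body)) + fs_body
    # Datagram header: version 5, address type IPv4 (1), agent, sub-agent id,
    # datagram sequence, uptime (ms), number of samples.
    return (struct.pack("!2I", 5, 1) + IPv4Address("10.10.100.1").packed
            + struct.pack("!4I", 0, 1893, 225000, 1) + sample)

def parse_datagram(data):
    """Decode the datagram header and each standard flow sample's raw-header records."""
    version, addr_type = struct.unpack_from("!2I", data, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    agent = str(IPv4Address(data[8:12]))
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!4I", data, 12)
    off, samples = 28, []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!2I", data, off)
        body, off = data[off + 8:off + 8 + length], off + 8 + length
        if fmt != 1:        # expanded flow samples and counter samples are skipped
            continue
        sseq, source, rate, pool, drops, in_if, out_if, nrec = struct.unpack_from("!8I", body, 0)
        records, pos = [], 32
        for _ in range(nrec):
            rfmt, rlen = struct.unpack_from("!2I", body, pos)
            if rfmt == 1:   # raw packet header: pull out the Ethernet addresses and type
                proto, frame_len, stripped, hdr_len = struct.unpack_from("!4I", body, pos + 8)
                hdr = body[pos + 24:pos + 24 + hdr_len]
                records.append({"protocol": proto, "frame_len": frame_len, "stripped": stripped,
                                "dst_mac": hdr[0:6].hex(":"), "src_mac": hdr[6:12].hex(":"),
                                "ethertype": int.from_bytes(hdr[12:14], "big")})
            pos += 8 + rlen
        samples.append({"seq": sseq, "source_type": source >> 24, "ifindex": source & 0xFFFFFF,
                        "rate": rate, "pool": pool, "drops": drops, "in_if": in_if,
                        "out_if": out_if, "records": records})
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq, "uptime": uptime, "samples": samples}
```

Feeding a real datagram received on UDP 7001 to parse_datagram() gives the same dictionary, and comparing agent and ifindex against the configured FortiGate values catches datagrams from an unexpected source.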

And here's a layer 3 export. If you know the sequence number, you can pick out a single datagram with the display filter 'sflow.sequence_number==XXXX', where XXXX is the sFlow sequence number.

InMon sFlow
    datagram version: 5
    address type: IP_V4 (1)
    agent address: 10.10.100.1 (10.10.100.1)
    Sub-agent ID: 0
    Sequence number: 1891
    SysUptime: 225000
    NumSamples: 1
    Flow sample, seq 1891, Raw header
        0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
        .... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
        Sample length: 124
        Sample sequence number: 1891
        Source ID type: ifIndex (0)
        Source ID index: 23
        Sampling rate: 100
        Sample pool: 188600
        Dropped packets: 0
        Input interface index: 23
        0... .... .... .... .... .... .... .... = Multiple outputs: No
        Output interface index: 0
        Number of records: 1
        Sample type: Raw header (1)
        Recordlength: 84
        Header protocol: Ethernet (1)
        Framelength: 66
        Stripped bytes: 4
        Headerlength: 68
        Header of sampled packet: 00090F093C0200169C6F680008004500003402ED40007606...
            Ethernet II, Src: Cisco_6f:68:00 (00:16:9c:6f:68:00), Dst: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                Destination: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                    Address: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                Source: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                    Address: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                Type: IP (0x0800)
            Internet Protocol, Src: 71.34.5.116 (71.34.5.116), Dst: 192.0.2.107 (192.0.2.107)
                Version: 4
                Header length: 20 bytes
                Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                    0000 00.. = Differentiated Services Codepoint: Default (0x00)
                    .... ..0. = ECN-Capable Transport (ECT): 0
                    .... ...0 = ECN-CE: 0
                Total Length: 52
                Identification: 0x02ed (749)
                Flags: 0x02 (Don't Fragment)
                    0.. = Reserved bit: Not Set
                    .1. = Don't fragment: Set
                    ..0 = More fragments: Not Set
                Fragment offset: 0
                Time to live: 118
                Protocol: TCP (0x06)
                Header checksum: 0x3e6b [correct]
                    [Good: True]
                    [Bad : False]
                Source: 71.34.5.116 (71.34.5.116)
                Destination: 192.0.2.107 (192.0.2.107)
            Transmission Control Protocol, Src Port: 52722 (52722), Dst Port: http (80), Seq: 4114215056
                Source port: 52722 (52722)
                Destination port: http (80)
                [Stream index: 1774]
                Sequence number: 4114215056    (relative sequence number)
                Header length: 32 bytes
                Flags: 0x02 (SYN)
                    0... .... = Congestion Window Reduced (CWR): Not set
                    .0.. .... = ECN-Echo: Not set
                    ..0. .... = Urgent: Not set
                    ...0 .... = Acknowledgement: Not set
                    .... 0... = Push: Not set
                    .... .0.. = Reset: Not set
                    .... ..1. = Syn: Set
                        [Expert Info (Chat/Sequence): Connection establish request (SYN): server port http]
                            [Message: Connection establish request (SYN): server port http]
                            [Severity level: Chat]
                            [Group: Sequence]
                    .... ...0 = Fin: Not set
                Window size: 8192
                Checksum: 0xd7a4 [validation disabled]
                    [Good Checksum: False]
                    [Bad Checksum: False]
                Options: (12 bytes)
                    Maximum segment size: 1452 bytes
                    NOP
                    Window scale: 2 (multiply by 4)
                    NOP
                    NOP
                    SACK permitted

And lastly, here's a flow sample whose sampled header extends into the application payload (the HTTP data bytes shown at the end of the decode):

InMon sFlow
    datagram version: 5
    address type: IP_V4 (1)
    agent address: 10.10.100.1 (10.10.100.1)
    Sub-agent ID: 0
    Sequence number: 2
    SysUptime: 0
    NumSamples: 1
    Flow sample, seq 2, Raw header
        0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
        .... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
        Sample length: 184
        Sample sequence number: 2
        Source ID type: ifIndex (0)
        Source ID index: 23
        Sampling rate: 100
        Sample pool: 300
        Dropped packets: 0
        Input interface index: 0
        0... .... .... .... .... .... .... .... = Multiple outputs: No
        Output interface index: 23
        Number of records: 1
        Sample type: Raw header (1)
        Recordlength: 144
        Header protocol: Ethernet (1)
        Framelength: 967
        Stripped bytes: 4
        Headerlength: 128
        Header of sampled packet: 00169C6F680000090F093C020800450003B967A940003F06...
            Ethernet II, Src: Fortinet_09:3c:02 (00:09:0f:09:3c:02), Dst: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                Destination: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                    Address: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                Source: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                    Address: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                Type: IP (0x0800)
            Internet Protocol, Src: 192.0.2.115 (192.0.2.115), Dst: 108.245.201.14 (108.245.201.14)
                Version: 4
                Header length: 20 bytes
                Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                    0000 00.. = Differentiated Services Codepoint: Default (0x00)
                    .... ..0. = ECN-Capable Transport (ECT): 0
                    .... ...0 = ECN-CE: 0
                Total Length: 953
                Identification: 0x67a9 (26537)
                Flags: 0x02 (Don't Fragment)
                    0.. = Reserved bit: Not Set
                    .1. = Don't fragment: Set
                    ..0 = More fragments: Not Set
                Fragment offset: 0
                Time to live: 63
                Protocol: TCP (0x06)
                Header checksum: 0x23b4 [correct]
                    [Good: True]
                    [Bad : False]
                Source: 192.0.2.115 (192.0.2.115)
                Destination: 108.245.201.14 (108.245.201.14)
            Transmission Control Protocol, Src Port: http (80), Dst Port: 63526 (63526), Seq: 2855808909, Ack: 3593181448
                Source port: http (80)
                Destination port: 63526 (63526)
                [Stream index: 2]
                Sequence number: 2855808909    (relative sequence number)
                Acknowledgement number: 3593181448    (relative ack number)
                Header length: 20 bytes
                Flags: 0x19 (FIN, PSH, ACK)
                    0... .... = Congestion Window Reduced (CWR): Not set
                    .0.. .... = ECN-Echo: Not set
                    ..0. .... = Urgent: Not set
                    ...1 .... = Acknowledgement: Set
                    .... 1... = Push: Set
                    .... .0.. = Reset: Not set
                    .... ..0. = Syn: Not set
                    .... ...1 = Fin: Set
                        [Expert Info (Chat/Sequence): Connection finish (FIN)]
                            [Message: Connection finish (FIN)]
                            [Severity level: Chat]
                            [Group: Sequence]
                Window size: 66
                Checksum: 0x646c [unchecked, not all data available]
                    [Good Checksum: False]
                    [Bad Checksum: False]
            Hypertext Transfer Protocol
                Data (74 bytes)

0000  f8 4e 0f 22 52 91 8b 98 ad 48 55 5c ca d9 ae 44   .N."R....HU\...D
0010  df 64 16 ed 39 80 77 31 97 10 27 ef d6 97 e1 b0   .d..9.w1..'.....
0020  9c 47 48 18 99 be ae 32 2a 10 0d 42 2f 29 12 c5   .GH....2*..B/)..
0030  cd dc a7 86 1d 42 dc 9c cf ae ac 11 dd e5 5f f4   .....B........_.
0040  91 a4 44 f8 16 88 54 8b 15 68                     ..D...T..h

                    Data: F84E0F2252918B98AD48555CCAD9AE44DF6416ED39807731...
                    [Length: 74]

As you can see, sFlow is great and can provide more detail than NetFlow. It can be resource-intensive, so it's always best to sample at a rate that gives you just enough detail for your network flow analysis.

Key takeaways

  • sFlow provides L2 and L3 flow information (headers)
  • more details regarding the flow than NetFlow, but...
  • supports both IPv4 and IPv6 systems, and Ethernet or non-IP datagrams
  • provides multicast information, which is always a challenge in both NetFlow/sFlow exports
  • supported on a limited set of devices and systems (not as popular as NetFlow)
  • most newer devices, such as firewalls, proxies, SLBs, switches and routers, support sFlow
  • requires polling and sampler rates to be set
  • the S in sFlow means "sampled", and sampling is a direct requirement
  • sFlow and NetFlow work very differently, and you can't compare them one to one
  • as your data rate goes up, your sFlow export volume increases; it is directly proportional to the traffic rate, unlike NetFlow, which works from flow cache information


Ken Felix
Freelance Network/Security Engineer
Kfelix –a-t- hyperfeed  ---d-o-t--- com

       ^     ^
 = ( @  @ ) =
          *
          ~


