Application Enrichment — Fortinet
Enriched fields produced by this configuration are applied and available in the Network Conversations Module output.
FortiGate firewalls export application names as part of their NetFlow v9 records using the FortiOS application control engine, a DPI-based classifier similar in concept to Cisco NBAR2. This allows NFO to report on named layer-7 applications across both encrypted and unencrypted traffic traversing the firewall.
How It Works
FortiOS inspects traffic using its application control signatures and tags each session with an application name before exporting the flow. The NetFlow export runs under the sflowd daemon and supports NetFlow v9 and IPFIX. Application data is included automatically in the flow template when application control is active on the relevant interfaces.
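How the application name travels from the firewall to the collector, as an added example that is not FortiGate's or NFO's code: a constructed NetFlow v9 datagram whose template carries an application name element, and a minimal collector that caches the template per source and decodes the data record. The element IDs (IANA IPFIX 96 for applicationName plus a few standard v9 fields), the 16-byte string width, and the sample flow values are assumptions chosen for illustration; the page does not document the exact template a FortiGate emits. The example also shows the one failure mode every v9 collector must handle: data flowsets that arrive before their template and have to be skipped until the template is seen.

```python
import socket
import struct

# NetFlow v9 / IANA IPFIX element IDs used by the constructed template. Which IDs
# a FortiGate emits is not stated on the page; these are assumptions so the
# parser can show how a template maps IDs to names. Strings in v9 are fixed
# width per template and NUL padded.
FIELD_NAMES = {
    1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr",
    11: "dst_port", 12: "dst_addr", 96: "application_name",
}
TEMPLATE_FLOWSET_ID = 0
HEADER = struct.Struct("!HHIIII")   # version, count, uptime, unix secs, seq, source id
FLOWSET = struct.Struct("!HH")      # flowset id, flowset length (header included)


def _encode(field_type, length, value):
    if field_type in (8, 12):
        return socket.inet_aton(value)
    if field_type == 96:
        return value.encode()[:length].ljust(length, b"\0")
    return int(value).to_bytes(length, "big")


def _decode(field_type, raw):
    if field_type in (8, 12):
        return socket.inet_ntoa(raw)
    if field_type == 96:
        return raw.rstrip(b"\0").decode()
    return int.from_bytes(raw, "big")


def build_packet(template_id, fields, records, include_template=True, source_id=0):
    """Build one v9 datagram: an optional template flowset followed by a data flowset."""
    flowsets = []
    if include_template:
        body = struct.pack("!HH", template_id, len(fields))
        body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
        flowsets.append(FLOWSET.pack(TEMPLATE_FLOWSET_ID, FLOWSET.size + len(body)) + body)
    data = b"".join(_encode(t, n, rec[t]) for rec in records for t, n in fields)
    data += b"\0" * (-len(data) % 4)           # flowsets are padded to 32-bit boundaries
    flowsets.append(FLOWSET.pack(template_id, FLOWSET.size + len(data)) + data)
    count = len(records) + (1 if include_template else 0)
    return HEADER.pack(9, count, 12345, 1700000000, 1, source_id) + b"".join(flowsets)


class V9Collector:
    """Minimal collector: caches templates per (source id, template id) and decodes
    data records. Data flowsets whose template has not been seen yet are skipped,
    which is the normal state right after a device starts exporting."""

    def __init__(self):
        self.templates = {}
        self.skipped = 0

    def parse(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records, off = [], HEADER.size
        while off + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, off)
            if fs_len < FLOWSET.size:               # zero/short length would never advance
                raise ValueError("malformed flowset length")
            body = packet[off + FLOWSET.size: off + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._load_templates(source_id, body)
            elif fs_id >= 256:                      # 1..255 are reserved flowset ids
                records.extend(self._decode_records(source_id, fs_id, body))
            off += fs_len
        return records

    def _load_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if nfields == 0:                        # trailing padding, not a template
                break
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_records(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.skipped += 1
            return []
        rec_len = sum(n for _, n in fields)
        out, pos = [], 0
        while rec_len and pos + rec_len <= len(body):   # leftover bytes are padding
            rec, p = {}, pos
            for t, n in fields:
                rec[FIELD_NAMES.get(t, f"field_{t}")] = _decode(t, body[p:p + n])
                p += n
            out.append(rec)
            pos += rec_len
        return out


def demo():
    """Emit a constructed flow twice (data only, then template + data) and decode it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (96, 16)]
    flow = {8: "10.1.1.25", 12: "203.0.113.10", 7: 51234, 11: 443, 4: 6,
            1: 48213, 96: "Microsoft.Teams"}      # constructed sample values
    coll = V9Collector()
    early = coll.parse(build_packet(256, fields, [flow], include_template=False))
    later = coll.parse(build_packet(256, fields, [flow]))
    return early, later, coll.skipped


if __name__ == "__main__":
    print(demo())
```

Two points the collector side has to get right are visible here: templates are keyed by source id as well as template id, since two VDOMs or two firewalls can reuse template 256 with different layouts, and a data flowset received before its template is dropped rather than guessed at, which is why the first seconds after enabling export show no application names.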
Prerequisites
- FortiOS: 5.2 or later (NetFlow v9 support)
- Application Control: Licensed and enabled on the relevant firewall policy
- Network connectivity: FortiGate must reach the NFO IP on the configured UDP port (default: 9996)
Quick Configuration (CLI)
Step 1 — Configure the global NetFlow collector:
config system netflow
set collector-ip <NFO_IP_ADDRESS>
set collector-port 9996
set source-ip <FORTIGATE_SOURCE_IP>
set active-flow-timeout 1
set inactive-flow-timeout 15
end
Step 2 — Enable NetFlow on each interface:
config system interface
edit <INTERFACE_NAME>
set netflow-sampler both
next
end
Set netflow-sampler to both to capture ingress and egress traffic, to tx for egress only, or to rx for ingress only.
Step 3 — Verify the configuration:
diagnose test application sflowd 3
diagnose test application sflowd 4
VDOM environments: If VDOMs are enabled, configure per-VDOM NetFlow instead of the global collector:
config system vdom-netflow
set vdom-netflow enable
set collector-ip <NFO_IP_ADDRESS>
set collector-port 9996
set source-ip <FORTIGATE_SOURCE_IP>
end