FortiGate NetFlow Export

Dec 20th 2025

This guide walks through an example of configuring a FortiGate firewall to export NetFlow to a Trout Access Gate monitoring port.

By the end of this procedure:

  • Your FortiGate will export NetFlow for selected interfaces.
  • Trout Access Gate will ingest those flows on its monitoring port.
  • You will see live flow and port activity inside the Trout Monitoring tab.

This document assumes a FortiGate running FortiOS 7.2.x (for example, a FortiGate 100F with 7.2.12) and a Trout Access Gate already deployed on the same site.

Architecture Overview

In this setup, Trout is not inline and does not replace the FortiGate. The FortiGate continues to route and firewall traffic as usual. Trout simply receives NetFlow metadata from the FortiGate over a separate Ethernet connection.

The setup is as follows:

  • The FortiGate is the main router/firewall for the site.
  • Trout Access Gate has a dedicated monitoring port, cabled to a spare port on the FortiGate or the same switch.
  • The FortiGate sends NetFlow records (UDP) to the IP address of the Trout monitoring port.
  • Trout ingests those flows and turns them into visibility and intelligence in the Monitoring tab.
  • No production traffic flows through the Trout monitoring port; it only receives NetFlow telemetry.

Prerequisites

Before you start, you should have:

  • An IP address assigned to the Trout monitoring port (for example, 192.168.100.10).
  • IP connectivity between the FortiGate and this monitoring IP (same subnet or routed).
  • A decision about which FortiGate interfaces you want to observe (for example, port2 for LAN, port3 for OT network).

Enable NetFlow Ingestion on the Trout Access Gate

First, make sure Trout is ready to accept NetFlow before configuring the FortiGate.

  1. Log in to the Trout Access Gate UI.
  2. Navigate to Settings → Device Port Configuration and configure which port will run the Monitor service.
  3. Go to the Monitors page and click "configure Netflow".
  4. Set your listening IP and UDP port (for example, 2055).
  5. Save and apply the changes.

Configure NetFlow Export on the FortiGate

Now you will configure the FortiGate to export NetFlow records to the Access Gate for specific interfaces.

The exact commands may vary slightly by model, but for FortiOS 7.2.x the structure is as shown below.

In this example:

  • Trout monitoring IP: 192.168.253.10
  • FortiGate interface IP (same subnet, used as source): 192.168.253.1
  • NetFlow UDP port: 2055
  • Monitored interfaces: port2 and port3

Define the NetFlow collector

Connect to the FortiGate CLI (SSH or console) and run:

config system netflow
    config collectors
        edit 1
            # Trout monitoring port IP
            set collector-ip "192.168.253.10"
            # Must match the Trout listener port
            set collector-port 2055
            # FortiGate IP that appears as the exporter
            set source-ip "192.168.253.1"
            set interface-select-method auto
        next
    end
end

Enable NetFlow on selected interfaces

Defining a collector is not enough; you must explicitly enable sampling on each interface whose traffic you want summarized and exported.

For example, to enable NetFlow on port2 and port3:

config system interface
    edit "port2"
        # both = sample ingress and egress traffic
        set netflow-sampler both
    next
    edit "port3"
        set netflow-sampler both
    next
end

This configures port2 and port3 to export NetFlow records for both incoming and outgoing traffic to the Access Gate.

Once this is applied, the FortiGate will start exporting NetFlow v9 to the Trout Access Gate.

Verifying That NetFlow Reaches Trout

After configuration, it’s important to verify traffic is actually flowing from the FortiGate to Trout and being ingested.

Check on the FortiGate

Use the built-in diagnostic command:

diagnose test application netflowd 3

This should show the configured collector, along with counters indicating how many flows and packets have been sent. If the collector does not appear, there is likely a configuration issue in the config system netflow block.

Check on Trout

On the Trout Access Gate:

  • Open the Monitors tab
  • Data should populate

It may take up to a minute for the first flows to appear, depending on the amount of traffic on the monitored interfaces.
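
If you want to see what the FortiGate is sending independently of the Trout UI, the following added example (not Trout or Fortinet tooling) parses the NetFlow v9 export header and counts template versus data flowsets, as laid out in RFC 3954. It assumes a test host that temporarily holds the collector IP on UDP 2055; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct
from collections import Counter

EXPECTED_EXPORTER = "192.168.253.1"  # FortiGate source-ip used in this guide
LISTEN_PORT = 2055                   # collector-port used in this guide

def summarize_v9(datagram: bytes) -> dict:
    """Parse a NetFlow v9 export header and classify the flowsets after it."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version, count, _uptime, _secs, seq, source_id = struct.unpack(
        "!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError(f"unexpected NetFlow version {version}")
    kinds, offset = Counter(), 20
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack("!HH", datagram[offset:offset + 4])
        if length < 4 or offset + length > len(datagram):
            raise ValueError(f"bad flowset length {length} at offset {offset}")
        # IDs 0 and 1 carry templates, 256 and above carry flow records.
        kind = {0: "template", 1: "options_template"}.get(
            flowset_id, "data" if flowset_id >= 256 else "reserved")
        kinds[kind] += 1
        offset += length
    return {"records": count, "sequence": seq, "source_id": source_id,
            "flowsets": dict(kinds)}

def listen(bind_ip: str = "0.0.0.0", port: int = LISTEN_PORT) -> None:
    """Print one summary per datagram and flag senders other than the FortiGate."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src, _port) = sock.recvfrom(65535)
        tag = "ok" if src == EXPECTED_EXPORTER else "UNEXPECTED SOURCE"
        try:
            print(src, tag, summarize_v9(data))
        except ValueError as err:
            print(src, tag, "unparseable:", err)

# Constructed sample: header, one template flowset (template 256 with a single
# IPV4_SRC_ADDR field), and one data flowset holding one 4-byte record.
SAMPLE = (struct.pack("!HHIIII", 9, 2, 1000, 1766188800, 7, 0)
          + struct.pack("!HHHHHH", 0, 12, 256, 1, 8, 4)
          + struct.pack("!HH4s", 256, 8, socket.inet_aton("192.168.253.50")))

if __name__ == "__main__":
    print(summarize_v9(SAMPLE))  # call listen() instead on a live test host
```

A NetFlow v9 collector can only decode data flowsets once it has received the matching template flowset, so data arriving without templates shortly after start-up is a reason to wait before treating the export as broken.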

What You Should See in the Monitoring Tab:

[Screenshot of the Monitoring tab]