AlienVault® USM Appliance™

Invalid NetFlow Time Stamp Displayed for Fortigate Firewalls

Version: 5.x
Deployment: All deployments

Description

All NetFlow time stamp information displayed on the AlienVault USM Appliance Server is derived from data carried in the incoming NetFlow packet; the Server does not generate these times independently.

The NetFlow Version 9 Flow-Record Format is described in Cisco's white paper: http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

In Table 6, NetFlow Version 9 Field Type Definitions, the time stamp fields are Type 21 (LAST_SWITCHED) and Type 22 (FIRST_SWITCHED): the exporter's system uptime, in milliseconds, at which the last and the first packet of the flow were switched. Because these values are relative to the exporter's uptime rather than absolute, the collector converts them to wall-clock time using the sysUptime and unix_secs fields of the NetFlow v9 packet header sent by the same exporter. The displayed time stamp information is generated from this data, so if the exporter fills these fields inconsistently, the displayed times are wrong even though the collector itself is working correctly.
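The conversion described above, as an added illustration (this is not code from the AlienVault page or from any NetFlow collector): it derives absolute first/last times from FIRST_SWITCHED and LAST_SWITCHED using the header's unix_secs and sysUptime, handles the 32-bit uptime wrap, and shows how a header whose wall clock disagrees with the collector's receive time shifts every derived time stamp by the same amount. The header field names follow the v9 packet header, and all values (the receive time, the record, both headers) are constructed for the example.

```python
# Added example, not code from the AlienVault page: how a NetFlow v9 collector
# derives the absolute 'first'/'last' times it displays from the uptime-relative
# FIRST_SWITCHED (type 22) and LAST_SWITCHED (type 21) record fields, and why
# an exporter header that disagrees with the collector's clock shifts them.
from datetime import datetime, timezone

UPTIME_WRAP_MS = 1 << 32  # sysUptime and the SWITCHED fields are 32-bit ms counters


def switched_to_epoch(unix_secs, sys_uptime_ms, switched_ms):
    """Convert one SWITCHED value to seconds since 1970 (float, UTC).

    unix_secs and sys_uptime_ms come from the packet header of the export;
    switched_ms is the exporter uptime at which the packet was switched.
    The age of the event at export time is (sysUptime - SWITCHED). A SWITCHED
    value larger than sysUptime means the 32-bit counter wrapped between the
    switch and the export, so the age is taken modulo 2^32.
    """
    age_ms = (sys_uptime_ms - switched_ms) % UPTIME_WRAP_MS
    return unix_secs - age_ms / 1000.0


def flow_times(header, record):
    """Absolute (first, last) epochs for a record, using its packet header's clock."""
    first = switched_to_epoch(header["unix_secs"], header["sysUptime"],
                              record["FIRST_SWITCHED"])
    last = switched_to_epoch(header["unix_secs"], header["sysUptime"],
                             record["LAST_SWITCHED"])
    return first, last


def skew_days(flow_epoch, received_unix_secs):
    """How far (in days) a derived flow time lies before the moment the
    collector actually received the export. Close to 0 for a sane exporter."""
    return (received_unix_secs - flow_epoch) / 86400.0


def utc(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed data (an assumption, not a captured packet): the collector receives
# an export at 2016-09-19 15:10:00 UTC from a device that has been up one hour.
RECEIVED = 1474297800
RECORD = {"FIRST_SWITCHED": 3_599_000, "LAST_SWITCHED": 3_599_500}  # ~1 s before export

GOOD_HEADER = {"unix_secs": 1474297800, "sysUptime": 3_600_000}
# Same record, but the exporter stamped the header with a wall clock five days
# behind the collector's. This illustrates the failure mode in general; it is
# not a claim about what any specific firmware does.
STALE_HEADER = {"unix_secs": 1474297800 - 5 * 86400, "sysUptime": 3_600_000}


if __name__ == "__main__":
    for name, hdr in (("consistent header", GOOD_HEADER), ("stale header", STALE_HEADER)):
        first, last = flow_times(hdr, RECORD)
        print("%-18s first=%s last=%s skew=%.2f days"
              % (name, utc(first), utc(last), skew_days(first, RECEIVED)))
```

With the consistent header the record lands one second before the receive time; with the stale header the same SWITCHED values come out five days in the past, which is exactly the symptom this article describes, and nothing on the collector side can tell the two records apart.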

To verify whether the time stamp information in the inbound packets is valid, perform these steps from a CLI session on the USM Appliance Server.

  1. List the running nfcapd processes and their collection options. The USM Server uses nfcapd for NetFlow packet capture and collection:

     ps aux | grep nfcapd

  2. Determine which process belongs to the Fortigate device. The -l option gives the data capture directory; the -p option gives the port on which that process receives flows from the device.

  3. Change directory to the capture directory for the day in question:

     cd /var/cache/nfdump/flows//live/<capture-directory-name>/<date_directory>

     <date_directory> is typically named YYYY-MM-DD.

     The files in that directory are in the nfcapd binary format, one file per collection window; nfcapd rotates files every 5 minutes by default.

     The file name suffix is the start of the collection window, in the format YYYYMMDDhhmm.

  4. Display data packets, using the nfdump command.

This is an example invocation:

nfdump -r nfcapd.201609191510 -o raw -c 1

The -o raw option prints every field of each record in text form, and -c 1 limits the output to the first record in the file.

  Flow Record:
    Flags        = 0x06 FLOW, Unsampled
    export sysid = 1
    size         = 60
    first        = 1463259223 [2016-09-14 16:53:43]   <-- time stamp data
    last         = 1463259223 [2016-09-14 16:53:43]   <-- time stamp data
    msec_first   = 604
    msec_last    = 714
    src addr     = 192.168.104.8
    dst addr     = 200.33.146.197
    src port     = 42073
    dst port     = 53
    ..
    ..

Note the values of the first = and last = fields and compare them with the collection window encoded in the file name.

In the example above, the file nfcapd.201609191510 holds flows collected in the window starting 2016-09-19 15:10, yet the record is dated 2016-09-14, five days earlier. The USM Server only converts the FIRST_SWITCHED and LAST_SWITCHED fields and the packet header supplied by the exporter; it does not produce these dates itself. A time stamp that is inconsistent with the window in which the packet was received therefore means the error is in the data reported by the Fortigate firewall, not in the USM Appliance.
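The manual comparison in steps 1 through 4 can be automated for a whole file. The script below is an added example, not from the AlienVault documentation or the nfdump project: it parses the text that nfdump -o raw prints, derives the collection window from the nfcapd file name, and reports every record whose last time stamp lies outside that window by more than a slack interval (flows can legitimately begin well before the window, so first is reported but not used for the decision). The embedded nfdump output is constructed, the nfcapd file name is assumed to be in UTC (nfcapd names files in the appliance's local time, so pass the appliance's zone in practice), and the one-hour slack is an assumed threshold; in production you would feed it the output of nfdump -r <file> -o raw instead of the sample.

```python
# Added example, not code from the AlienVault page or from nfdump: flag records
# in an nfcapd file whose 'last' time stamp is inconsistent with the file's
# collection window, the check the article performs by eye on one record.
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # nfcapd default rotation interval
SLACK = timedelta(hours=1)      # assumed tolerance around the window for 'last'

# Constructed sample of `nfdump -r nfcapd.201609191510 -o raw` output (assumption,
# not the page's own output): record 0 is stale by five days, record 1 is sane.
SAMPLE_RAW = """\
Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  export sysid =                 1
  size         =                60
  first        =        1473872023 [2016-09-14 16:53:43]
  last         =        1473872023 [2016-09-14 16:53:43]
  msec_first   =               604
  msec_last    =               714
  src addr     =     192.168.104.8
  dst addr     =    200.33.146.197
  src port     =             42073
  dst port     =                53

Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  export sysid =                 1
  size         =                60
  first        =        1474297751 [2016-09-19 15:09:11]
  last         =        1474297790 [2016-09-19 15:09:50]
  msec_first   =               100
  msec_last    =               900
  src addr     =     192.168.104.8
  dst addr     =         10.0.0.53
  src port     =             51000
  dst port     =                53
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z_ ]+?)\s*=\s*(.*?)\s*$")


def parse_raw(text):
    """Split nfdump -o raw text into one dict of 'key: value-string' per record."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("Flow Record"):
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return records


def leading_int(value):
    """'1473872023 [2016-09-14 16:53:43]' -> 1473872023 (the epoch, not the text)."""
    return int(value.split()[0])


def file_window(filename, tz=timezone.utc):
    """nfcapd.YYYYMMDDhhmm -> (start, end) of the 5-minute collection window."""
    m = re.search(r"nfcapd\.(\d{12})$", filename)
    if not m:
        raise ValueError("not an nfcapd file name: %s" % filename)
    start = datetime.strptime(m.group(1), "%Y%m%d%H%M").replace(tzinfo=tz)
    return start, start + WINDOW


def check_records(filename, raw_text, tz=timezone.utc, slack=SLACK):
    """Return (index, first, last, days_before_window) for each record whose
    'last' falls outside [window start - slack, window end + slack]."""
    start, end = file_window(filename, tz)
    suspects = []
    for i, rec in enumerate(parse_raw(raw_text)):
        first = datetime.fromtimestamp(leading_int(rec["first"]), tz)
        last = datetime.fromtimestamp(leading_int(rec["last"]), tz)
        if last < start - slack or last > end + slack:
            days = (start - last).total_seconds() / 86400.0
            suspects.append((i, first, last, round(days, 2)))
    return suspects


if __name__ == "__main__":
    for idx, first, last, days in check_records("nfcapd.201609191510", SAMPLE_RAW):
        print("record %d: first=%s last=%s, %.2f days before the file window"
              % (idx, first, last, days))
```

If the suspect list is non-empty for files from one exporter only, the clock data that exporter puts in its packets is wrong; the collector applied the same conversion to the sane records in the same file.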

Solution

Update the Fortigate firmware to version 5.2.5/5.4 or later.