OK, I have NetFlow reporting coming from our FortiGate FW on both the inside and outside interfaces. This firewall has an internal IP of 10.10.10.1 and an external IP 220.127.116.11 and is PATing all internal traffic to the external IP (18.104.22.168).
1. From NTA, if I click the Outside interface, select Ingress, I see my top endpoint as my External interface (22.214.171.124), which makes perfect sense (all my internal traffic NATs to this IP). BUT my 2nd top endpoint is 10.10.10.139 (an internal address). Why, looking at Ingress NetFlow on my Outside interface, would I see any internal IPs (10.10.10.x)?
2. From NTA, if I click on the Inside interface, select Ingress, I see my top endpoint as the IP of my External interface (126.96.36.199). No traffic from the Inside network terminates on this Outside interface. Why is this showing as a top endpoint?
3. From NTA, if I click on the Inside interface, select Ingress, I see the top conversation is between my External interface (188.8.131.52) and 184.108.40.206 (Google). This would make sense if I selected the "Outside" interface, but I'm looking at our "Inside" interface. I don't think 220.127.116.11 should even be on that list?