I have a network of Fortigate firewalls and HP Switches in 8 different sites.
I would like an idea or suggestion on the deployment strategy for NTA to get the best and most complete information possible.
Our environment is basically laid out so that the switches are only configured as L2 devices with multiple VLANs. The Fortigates are doing the heavy lifting as L3 routing devices, as well as firewall policies and UTM functions. I currently have the firewalls sending SFLOW/NFLOW information to the NTA engine. I'm wondering if this is the best scenario, or should this info come directly from the switches? Our core is HP 5500 and distribution is HP ProCurve.
If all of the same traffic that flows through your switches also flows through your Fortigates, then you should be good. The catch is finding the least number of places in your network to capture all of the traffic. One thing I might warn about, though, is having the Fortigates do too much. I don't know which specific models you are using, but I do know that if you try to have some of their models do too much, it overwhelms them.