Technical Tip: Netflow sampler can not be enabled on an Vdom link interface

Creating a NetFlow sampler will not support the VDOM link interface.

For configuration and troubleshooting steps for NetFlow in FortiGate, see Technical Tip: How to Configure Netflow.

The role of the VDOM-Link interface:

A vdom-link interface is a special internal software-based interface used to pass traffic between two Virtual Domains (VDOMs) within the same physical FortiGate. VDOM-Link Interface is not a physical port or a standard VLAN; it is a virtual pipeline. For more information about the VDOM, refer to Inter-VDOM routing.

How NetFlow/sFlow sampling works:

For NetFlow (or sFlow) to function, the sampling engine must be able to inspect packets as they flow through a specific interface. The sampler taps into the packet forwarding path of that interface, creates flow records, and exports them to a collector.

The sampling typically happens at a point in the data plane that is associated with a 'real' ingress or egress interface.

Internal VDOM-to-VDOM traffic via the vdom-link bypasses the standard hardware or software data path hooks where the NetFlow sampler is active. The vdom-link traffic is an internal transaction between two isolated routing instances (VDOMs).

From FortiOS's perspective:

• Traffic enters a physical port in VDOM-A.
• It is processed by VDOM-A's firewall policies/routing.
• It is handed off internally to VDOM-B via vdom-link.
• It is processed by VDOM-B's firewall policies/routing.
• It exits a physical port in VDOM-B.

The NetFlow sampler can only sample traffic on the physical (or logical like VLAN) interfaces in VDOM-A and VDOM-B. The internal handoff point (vdom-link) is not equipped for flow sampling.

Reference output: