Nishtha_Baria
Article Id 275148
Description This article describes how sFlow and NetFlow affect NP hardware acceleration (session offloading) on FortiGate.
Scope FortiGate.
Solution

Traffic that is eligible for offload is accelerated by the FortiGate's Network Processors (NP7, NP7Lite, NP6, NP6XLite, and NP6Lite).

When a session is offloaded, its packets are forwarded by the NP instead of the CPU, which raises throughput and keeps CPU usage low.

 

Any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces, can have sFlow agents attached to it. 

 

The drawback of sFlow is that, on FortiGates with Network Processor (NP) acceleration chips, enabling it on an interface disables hardware acceleration for all traffic passing through that interface. Those sessions are then processed by the CPU instead of the NP, which lowers overall network performance.

 

In the screenshot below, the CPU is at 100% because all of the traffic is being handled by the CPU:

 

Figure: sflow-disables-hardware-acceleration.jpeg (CPU usage at 100% with sFlow enabled)

 

Sessions that are not offloaded to the NPU because of an sFlow-enabled interface show 'no_ofld_reason: sflow' in the session table (diagnose sys session list). For example:

 

session info: proto=6 proto_state=01 duration=891 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=persistent
statistic(bytes/packets/allow_err): org=19687/1847/1 reply=57949/1371/1 tuples=2
tx speed(Bps/kbps): 2208/176 rx speed(Bps/kbps): 650/5
orgin->sink: org pre->post, reply pre->post dev=82->119/119->82 gwy=10.5.94.216/10.135.130.1
hook=pre dir=org act=dnat 10.15.37.25:17992->10.13.13.12:1514(10.5.94.21:1514)
hook=post dir=reply act=snat 10.5.94.21:1514->10.154.37.25:17992(10.13.13.12:1514)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=19721 pol_uuid_idx=50578 auth_info=0 chk_client_info=0 vd=0
serial=bac5c4215 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x020000
no_ofld_reason: sflow

 

To recover network performance while keeping flow visibility, use NetFlow instead of sFlow.

Configuring NetFlow does not affect session offloading: NetFlow sampling is supported on NP7, NP7Lite, NP6, NP6XLite, and NP6Lite, so traffic on NetFlow-enabled interfaces is still offloaded.
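As an added example (not part of the article or of Fortinet's own tooling), the following Python script performs the session-table check described above on captured 'diagnose sys session list' output and drafts the FortiOS CLI that switches the affected interfaces from sFlow to NetFlow. The sample session list and the interface-index map IFINDEX_TO_NAME are constructed for the example (on a real unit, take the dev= indexes from 'diagnose netlink interface list'); the collector address and the single-collector 'config system netflow' syntax are assumptions, so compare the generated commands with the NetFlow article for your FortiOS release before applying them.

```python
"""Triage 'diagnose sys session list' output for sessions that lost NP offload
because of sFlow, and draft the FortiOS CLI that moves the affected
interfaces from sFlow to NetFlow.  Added example, not from the article.

Assumptions (not in the article):
  * the CLI output was captured and pasted into a string;
  * IFINDEX_TO_NAME maps the dev= indexes in the session table to interface
    names ('diagnose netlink interface list' on a real unit);
  * COLLECTOR_IP is a placeholder NetFlow collector address.
"""
import re
from collections import Counter

# Constructed sample: the article's entry (no_ofld_reason: sflow) plus a
# second, offloaded session on another interface pair (fields trimmed).
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=891 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=persistent
orgin->sink: org pre->post, reply pre->post dev=82->119/119->82 gwy=10.5.94.216/10.135.130.1
hook=pre dir=org act=dnat 10.15.37.25:17992->10.13.13.12:1514(10.5.94.21:1514)
misc=0 policy_id=19721 pol_uuid_idx=50578 auth_info=0 chk_client_info=0 vd=0
npu_state=0x020000
no_ofld_reason: sflow

session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty npu
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=10.0.0.1/10.0.1.1
hook=post dir=org act=noop 10.0.0.10:40000->10.0.1.20:443(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=1 auth_info=0 chk_client_info=0 vd=0
npu_state=0x4000c00 ofld-O/ofld-R
"""

# Constructed mapping of interface index -> name (assumption for the example).
IFINDEX_TO_NAME = {82: "port3", 119: "vlan130", 5: "port1", 7: "port2"}
COLLECTOR_IP = "10.0.0.50"  # assumed collector address

SESSION_RE = re.compile(r"^session info:", re.M)
DEV_RE = re.compile(r"\bdev=(\d+)->(\d+)/(\d+)->(\d+)")
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
NPU_RE = re.compile(r"\bnpu_state=(0x[0-9a-fA-F]+)")
REASON_RE = re.compile(r"^no_ofld_reason:\s*(\S+)", re.M)


def parse_sessions(text):
    """Split CLI output into sessions and pull the offload-relevant fields."""
    sessions = []
    for chunk in SESSION_RE.split(text):
        if "proto=" not in chunk:
            continue  # text before the first entry
        dev = DEV_RE.search(chunk)
        pol = POLICY_RE.search(chunk)
        npu = NPU_RE.search(chunk)
        reason = REASON_RE.search(chunk)
        sessions.append({
            "dev_org": int(dev.group(1)) if dev else None,
            "dev_reply": int(dev.group(2)) if dev else None,
            "policy_id": int(pol.group(1)) if pol else None,
            "npu_state": npu.group(1) if npu else None,
            "no_ofld_reason": reason.group(1) if reason else None,  # None = offloaded
        })
    return sessions


def summarize_no_offload(sessions):
    """Count sessions per no_ofld_reason; sessions without one count as 'offloaded'."""
    return Counter(s["no_ofld_reason"] or "offloaded" for s in sessions)


def interfaces_hit_by_sflow(sessions, ifindex_to_name):
    """Interfaces on the path of sessions that lost offload to sFlow.
    The session table does not say which side has sflow-sampler enabled, so
    both sides are reported; confirm with 'show system interface <name>'."""
    names = set()
    for s in sessions:
        if s["no_ofld_reason"] != "sflow":
            continue
        for idx in (s["dev_org"], s["dev_reply"]):
            if idx is not None:
                names.add(ifindex_to_name.get(idx, f"ifindex-{idx}"))
    return names


def netflow_migration_cli(interfaces, collector_ip, collector_port=2055):
    """Draft FortiOS CLI: global NetFlow collector, then swap the per-interface
    sampler. Disabling sflow-sampler lets the NP offload the sessions again;
    'set netflow-sampler both' exports both directions. Single-collector
    syntax is assumed; newer releases use a collectors sub-table."""
    lines = [
        "config system netflow",
        f"    set collector-ip {collector_ip}",
        f"    set collector-port {collector_port}",
        "end",
        "config system interface",
    ]
    for name in sorted(interfaces):
        lines += [f'    edit "{name}"',
                  "        set sflow-sampler disable",
                  "        set netflow-sampler both",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSION_LIST)
    print("sessions by offload status:", dict(summarize_no_offload(sessions)))
    hit = interfaces_hit_by_sflow(sessions, IFINDEX_TO_NAME)
    print("interfaces on sFlow-blocked sessions:", sorted(hit))
    print(netflow_migration_cli(hit, COLLECTOR_IP))
```

Run it against a real capture by replacing SAMPLE_SESSION_LIST and IFINDEX_TO_NAME; a non-zero 'sflow' count after the change means some interface still has sflow-sampler enabled, or existing sessions have not yet been re-evaluated (clearing them, or waiting for them to expire, forces a fresh offload decision).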

 

Related articles:

Technical Tip: How to configure sFlow

Technical Tip: How to Configure Netflow

sFlow and NetFlow and hardware acceleration | FortiGate / FortiOS 7.6.3 | Fortinet Document Library