Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vkulik
Staff
Staff

Created on ‎03-05-2010 01:48 PM Edited on ‎01-02-2025 09:53 PM By Moderator

Article Id 196930

Technical Tip: How to configure sFlow

Description

 

This article explains how to configure support for sFlow. This feature was introduced in FortiOS 4.0MR2.


Scope


FortiGate.


Solution

 

  • FortiOS samples the network on a per-interface basis. Datagrams are forwarded to the sFlow collector.  It should be noted that the FortiGate does not act as a sFlow collector.
  • sFlow agents can be added to any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces. However, sFlow agent/client is not supported on some virtual interfaces such as VDOM link, IPSec, gre, and ssl.<vdom>.
  • sFlow configuration is available only from the CLI.
  • sFlow Sample rate defines the average number of packets to wait between samples, a value between 10 to 99999. For example, the default sample-rate of 2000 samples 1 of every 2000 packets.
  • The lower the sample-rate the higher the number of packets sampled. Sampling more packets increases the accuracy of the sampling data but also increases the CPU and network bandwidth required to support sFlow. The default sample-rate of 2000 provides high enough accuracy in most cases.

 

The sFlow configuration is applied either globally, per-vdom, or per-interface, as shown below.
 
  1. Set sFlow collector/server IP on the FortiGate.
 
config system sflow
    set collector-ip x.x.x.x
    set collector-port xxxx (default is udp/6343)
end
 
To configure it per VDOM:
 
config system vdom-sflow

    set vdom-sflow enable
    set collector-ip x.x.x.x

    set collector-port xxxx

end

 
  1. Configure sFlow agents per interface.
 
config system interface
    edit <name>
        set sflow-sampler enable

        set sample-rate xxxx  (sample every xxxx packets).

        set sample-direction both (can be also set for only tx, or only rx).

        set polling-interval xx (in seconds).

end

 
It should be noted that:
 
  • For individual sFlow sampler-enabled interfaces, if a per-vdom sFlow is enabled (vdom-sflow) sampling traffic is sent to the per-vdom collector.  In all other scenarios sampling traffic is sent to the management-vdom's collector (management-vdom always uses a global setting).
  • Management-vdom can monitor all interfaces.
  • If sflow traffic is not going via the desired exit interface towards the Sflow manager,  then manually set the exit interface:


config system sflow
    config collectors
        edit <id>
            set interface-select-method {auto | sdwan | specify} <----- Specify how to select the outgoing interface to reach the server (default = auto).
            set interface <interface>  <----- Enter the outgoing interface to reach the server.
        next
    end
end

Note: Configuring sFlow on any interface disables all NP7, NP6, NP6XLite, or NP6Lite offloading for all traffic on that interface.

 

Related articles:

Troubleshooting Tip: Sflow and netflow issues

Technical Note : Third party sflow analyzers display incorrect FortiGate interface statistics

Labels:
54420
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.