sFlow can only send sampled information, so it provides statistical samples over a period of time. It was done a long time ago by HP to save on agent resources, and it was the only protocol supported by Fortigate in the beginning. Today, I don't see value in using sFlow to save resources (unless you monitor 10s of Gigabits of traffic, but I have no such setups) as opposed to Netflow. Netflow can send info either on each packet passing the interface, or sampled over a few packets (Netflow v9). So, Netflow gives you the choice - monitor each packet or a sample. And I haven't seen the netflow daemon on FGT load the CPU more than 1-2% even on loaded firewalls. So, I'd recommend using Netflow. Additionally, being invented by Cisco, Netflow has many more available collectors than sFlow to pick from.
You will see IPs as they are present in the packets passing the interface, just before the packet leaves the given interface. So, for the WAN interface you will see IPs after Source/Hide NAT was done (i.e. you will see legal IPs).
Not exactly - even in the LAN each packet can have a Source IP (private) and a Destination IP (some host on the Internet).