Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor




I have 3 question regarding netflow/sflow and hope in this room there are anybody who can help me.

1. As i know fortinet have netflow and sflow feature, which one is more recommended to use?

2. If we apply netflow/sflow in outside interface it's true that captured traffic only showing conversation from NATed Public IP to the internet?

3. If we apply netflow/sflow in inside interface it's true that captured traffic only showing conversation from private ip to the internet?



Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

In the meantime, perhaps this document will help you decide which type is best for your network to use:


Stephen - Fortinet Community Team


I think these links will have most of the answers for your questions.


I am not sure which is better, probably sFlow as it has more information about the traffic, but personally I don't have experience with sFlow.

Valued Contributor

Hi, I did both, and from experience:


  1. sFlow can only send sampled information, so it provides statistical samples over period of time. It was done to save on agent resources back long time ago by HP, and it was the only protocol supported by Fortigate in the beginning. Today, I don't see value in using sFlow to save resources (unless you monitor 10s of Gigabit traffic, but I have no such set ups) as opposed to Netflow. Netflow can send info either on each packet passing the interface, or sampled  over few packets (Netflow v9). So, Netflow gives you the choice - monitor each packet or a sample. And I haven't seen netflow daemon on FGT to load CPU more than 1-2% even on loaded firewalls. So, I'd recommend to use Netflow. Additionally, being invented by Cisco, Netflow has much more available collectors than sFlow to pick from.
  2. You will see IPs as they present in the packets passing the interface, just before the packet leaves the given interface. So, for WAN interface you will see IPs after Source/Hide NAT was done (i.e. you will see legal IPs).
  3. Not exactly - even in LAN each packet can have Source IP (private) and Destination IP (some host on the Internet).

Yuri blog: All things Fortinet, no ads.

All opinions are mine only.