Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HS08
New Contributor

Created on ‎06-02-2023 01:06 AM

Netflow

Hello,

 

I have 3 question regarding netflow/sflow and hope in this room there are anybody who can help me.

1. As i know fortinet have netflow and sflow feature, which one is more recommended to use?

2. If we apply netflow/sflow in outside interface it's true that captured traffic only showing conversation from NATed Public IP to the internet?

3. If we apply netflow/sflow in inside interface it's true that captured traffic only showing conversation from private ip to the internet?

Labels:
263
0 Kudos
3 REPLIES 3
Stephen_G
Moderator
Moderator

Created on ‎06-05-2023 07:12 AM Edited on ‎06-05-2023 07:15 AM

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

In the meantime, perhaps this document will help you decide which type is best for your network to use: https://docs.fortinet.com/document/fortigate/7.2.4/hardware-acceleration/631057/sflow-and-netflow-an...


Thanks,

Stephen - Fortinet Community Team
219
0 Kudos
akristof
Staff
Staff

Created on ‎06-06-2023 02:39 AM

Hi,

I think these links will have most of the answers for your questions.

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/998643/netflow

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/505119/sflow

 

I am not sure which is better, probably sFlow as it has more information about the traffic, but personally I don't have experience with sFlow.

Adrian
202
Yurisk
Valued Contributor

Created on ‎06-06-2023 06:19 AM

Hi, I did both, and from experience:

 

  1. sFlow can only send sampled information, so it provides statistical samples over period of time. It was done to save on agent resources back long time ago by HP, and it was the only protocol supported by Fortigate in the beginning. Today, I don't see value in using sFlow to save resources (unless you monitor 10s of Gigabit traffic, but I have no such set ups) as opposed to Netflow. Netflow can send info either on each packet passing the interface, or sampled  over few packets (Netflow v9). So, Netflow gives you the choice - monitor each packet or a sample. And I haven't seen netflow daemon on FGT to load CPU more than 1-2% even on loaded firewalls. So, I'd recommend to use Netflow. Additionally, being invented by Cisco, Netflow has much more available collectors than sFlow to pick from.
  2. You will see IPs as they present in the packets passing the interface, just before the packet leaves the given interface. So, for WAN interface you will see IPs after Source/Hide NAT was done (i.e. you will see legal IPs).
  3. Not exactly - even in LAN each packet can have Source IP (private) and Destination IP (some host on the Internet).

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
191
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.