FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196930



This article explains how to configure support for sFlow.

This feature was introduced in FortiOS 4.0MR2.






- FortiOS samples the network on a per-interface basis. Datagrams are forwarded to the sFlow collector.  It should be noted that the FortiGate does not act as a sFlow collector.


- sFlow agents can be added to any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces. However, sFlow agent/client is not supported on some virtual interfaces such as VDOM link, IPSec, gre, and ssl.<vdom>.


- sFlow configuration is available only from the CLI.


- sFlow Sample rate defines the average number of packets to wait between samples, value between 10 to 99999. For example, the default sample-rate of 2000 samples 1 of every 2000 packets.


- The lower the sample-rate the higher the number of packets sampled. Sampling more packets increases the accuracy of the sampling data but also increases the CPU and network bandwidth required to support sFlow. The default sample-rate of 2000 provides high enough accuracy in most cases.

The sFlow configuration is applied either globally, per-vdom, or per-interface, as shown below.
1) Set sFlow collector/server IP on the FortiGate.
# config system sflow
    set collector-ip x.x.x.x
    set collector-port xxxx (default is udp/6343)
To configure it per VDOM:
# config system vdom-sflow

    set vdom-sflow enable
    set collector-ip x.x.x.x

    set collector-port xxxx


2) Configure sFlow agents per interface.
# config system interface
    edit <name>
        set sflow-sampler enable

        set sample-rate xxxx  (sample every xxxx packets).

        set sample-direction both (can be also set for only tx, or only rx).

        set polling-interval xx (in seconds).


It should be noted that:
- For individual sFlow sampler-enabled interfaces, if a per-vdom sFlow is enabled (vdom-sflow) sampling traffic is sent to the per-vdom collector.  In all other scenarios sampling traffic is sent to the management-vdom's collector (management-vdom always uses a global setting).
- Management-vdom can monitor all interfaces.


Related Articles:

Troubleshooting Tip: Sflow and netflow issues

Technical Note : Third party sflow analyzers display incorrect FortiGate interface statistics