FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article explains how to configure support for sFlow, this feature was introduced in FortiOS 4.0MR2.
  • FortiOS samples the network on a per-interface basis. Datagram’s are forwarded to the sFlow collector.  It should be noted that the FortiGate does not act as a sFlow collector.
  • sFlow agents can be added to any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces. However, sFlow agent/client is not supported on some virtual interfaces such as VDOM link, IPSec, gre, and ssl.<vdom>.
  • sFlow configuration is available only from the CLI.
  • sFlow Sample rate defines the average number of packets to wait between samples, value between 10 to 99999. For example, the default sample-rate of 2000 samples 1 of every 2000 packets.
    • The lower the sample-rate the higher the number of packets sampled. Sampling more packets increases the accuracy of the sampling data but also increases the CPU and network bandwidth required to support sFlow. The default sample-rate of 2000 provides high enough accuracy in most cases.
The sFlow configuration are applied either globally, per-vdom, or per-interface, as shown below.
1. Set sFlow collector/server IP on the FortiGate.
config system sflow
set collector-ip x.x.x.x
set collector-port xxxx (default udp/6343)
To configure it per VDOM.
config system vdom-sflow

set vdom-sflow [disable*|enable]

set collector-ip x.x.x.x

set collector-port xxxx

2. Configure sFlow agents per interface.
config sys interface


set sflow-sampler [disable*|enable]

set sample-rate xxxx //sample ever xxxx packets

set sample-direction [tx|rx|both*]

set polling-interval xx //in secs


It should be noted that:
  • When sFlow attributes are configured on an interface they are never skipped.
  • For individual sFlow sampler enabled interfaces, if a per-vdom sFlow is enabled (vdom-sflow) sampling traffic is sent to the per-vdom collector.  In all other scenarios sampling traffic is sent to the management-vdom's collector (management-vdom always use global setting).
  • Management-vdom can monitor all interfaces.

Related Articles

Troubleshooting Tip: Sflow and netflow issues

Technical Note : Third party sflow analyzers display incorrect FortiGate interface statistics