lpetit_FTNT (Staff)
Created on 05-27-2010 08:25 AM
Edited on 05-12-2025 06:32 AM by Stephen_G
Article Id 194483
Description
This article describes why sflow analyzers display incorrect FortiGate interface statistics.
Third-party sFlow applications display interface statistics based on the sFlow information they receive. However, the interface index that a FortiGate reports in sFlow packets can differ from the SNMP ifIndex value of the same port.
The application assumes that the reported sFlow source index matches the SNMP ifIndex value. If configured to do so, it polls the FortiGate for additional SNMP information such as ifDescription, ifSpeed, ifInOctets and ifOutOctets, and then associates the flows with a different interface.
The mapping should therefore be configured on the sflow analyzer.
sFlow analyzers that were tested and show this behavior:
- sFlowTrend.
- ManageEngine Netflow Analyzer.
- Plixer Scrutinizer.
This behavior has changed starting from FortiOS 4.0MR3, where the FortiGate sends the interface SNMP index.
An example of a FortiGate 310B configured to export sflow statistics for interface port1, port9 and port10 is given below.
config system sflow
    set collector-ip 10.167.1.152
end
config system interface
    edit "port1"
        set sflow-sampler enable
    next
    edit "port9"
        set sflow-sampler enable
    next
    edit "port10"
        set sflow-sampler enable
    next
end
sFlowTrend will report that sFlow samples are received for interface indexes 2, 3 and 10, and will try to automatically associate these with the physical interfaces port2, port3 and port10 using SNMP queries.
The sflow index to physical interface mapping can be found using the following CLI command:
FGT310B # diagnose netlink interface list
if=port1 family=00 type=1 index=10 mtu=1500 link=0 master=0
ref=8 state=start present flags=up broadcast run promsic multicast
For example, the full index table for the FortiGate 310B unit is given below:
Phy. intf       Sflow index
if=lo           index=1
if=port10       index=2
if=port9        index=3
if=modem        index=4
if=port6        index=5
if=port5        index=6
if=port8        index=7
if=port7        index=8
if=port2        index=9
if=port1        index=10
if=port4        index=11
if=port3        index=12
if=root         index=13
if=ssl.root     index=14
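The following Python sketch is an added example, not part of the original article or of any Fortinet tool: it parses `diagnose netlink interface list` output into the sFlow index table and shows which interface an analyzer displays when it treats that index as an SNMP ifIndex. The sample CLI text and the SNMP ifIndex table are constructed from the values in this article, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of `diagnose netlink interface list`;
# interface names and index values come from the 310B table above.
DIAG_OUTPUT = """\
if=port10 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=8 state=start present flags=up broadcast run promsic multicast
if=port9 family=00 type=1 index=3 mtu=1500 link=0 master=0
ref=8 state=start present flags=up broadcast run promsic multicast
if=port2 family=00 type=1 index=9 mtu=1500 link=0 master=0
if=port1 family=00 type=1 index=10 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=12 mtu=1500 link=0 master=0
"""

# Assumption: the SNMP ifIndex -> interface answers the analyzer gets back,
# matching the association described in the article (2 -> port2, ...).
SNMP_IFINDEX = {2: "port2", 3: "port3", 10: "port10"}

# Only lines starting with "if=" carry the name and index; "ref=" lines are skipped.
IF_LINE = re.compile(r"^if=(\S+)\s.*?\bindex=(\d+)\b", re.MULTILINE)


def parse_netlink_indexes(text):
    """Return {sflow_index: interface_name} parsed from the CLI output."""
    table = {}
    for name, idx in IF_LINE.findall(text):
        idx = int(idx)
        # The same index under two different names means the capture is inconsistent.
        if table.get(idx, name) != name:
            raise ValueError(f"index {idx} listed for {table[idx]} and {name}")
        table[idx] = name
    return table


def compare_labels(sflow_indexes, netlink, snmp):
    """Return (index, analyzer_label, actual_interface, mislabelled) per index."""
    rows = []
    for idx in sorted(sflow_indexes):
        shown = snmp.get(idx, "unknown")      # what the analyzer displays
        actual = netlink.get(idx, "unknown")  # where the sampler really runs
        rows.append((idx, shown, actual, shown != actual))
    return rows


if __name__ == "__main__":
    netlink = parse_netlink_indexes(DIAG_OUTPUT)
    for idx, shown, actual, bad in compare_labels({2, 3, 10}, netlink, SNMP_IFINDEX):
        flag = "MISLABELLED" if bad else "ok"
        print(f"sflow index {idx}: analyzer shows {shown}, sampler is {actual} [{flag}]")
```

The `netlink` dictionary is the mapping to enter on the analyzer for units that do not send the SNMP index.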
Sample sniffer trace for sflow packet: