Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HS08
New Contributor

Netflow

Hello,

 

I have 3 question regarding netflow/sflow and hope in this room there are anybody who can help me.

1. As i know fortinet have netflow and sflow feature, which one is more recommended to use?

2. If we apply netflow/sflow in outside interface it's true that captured traffic only showing conversation from NATed Public IP to the internet?

3. If we apply netflow/sflow in inside interface it's true that captured traffic only showing conversation from private ip to the internet?

6 REPLIES 6
Stephen_G
Moderator
Moderator

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

In the meantime, perhaps this document will help you decide which type is best for your network to use: https://docs.fortinet.com/document/fortigate/7.2.4/hardware-acceleration/631057/sflow-and-netflow-an...


Thanks,

Stephen - Fortinet Community Team
akristof
Staff
Staff

Hi,

I think these links will have most of the answers for your questions.

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/998643/netflow

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/505119/sflow

 

I am not sure which is better, probably sFlow as it has more information about the traffic, but personally I don't have experience with sFlow.

Adrian
Yurisk
Valued Contributor

Hi, I did both, and from experience:

 

  1. sFlow can only send sampled information, so it provides statistical samples over period of time. It was done to save on agent resources back long time ago by HP, and it was the only protocol supported by Fortigate in the beginning. Today, I don't see value in using sFlow to save resources (unless you monitor 10s of Gigabit traffic, but I have no such set ups) as opposed to Netflow. Netflow can send info either on each packet passing the interface, or sampled  over few packets (Netflow v9). So, Netflow gives you the choice - monitor each packet or a sample. And I haven't seen netflow daemon on FGT to load CPU more than 1-2% even on loaded firewalls. So, I'd recommend to use Netflow. Additionally, being invented by Cisco, Netflow has much more available collectors than sFlow to pick from.
  2. You will see IPs as they present in the packets passing the interface, just before the packet leaves the given interface. So, for WAN interface you will see IPs after Source/Hide NAT was done (i.e. you will see legal IPs).
  3. Not exactly - even in LAN each packet can have Source IP (private) and Destination IP (some host on the Internet).
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
kuzma
New Contributor

Hi, 

I tried the sFlow and got the following result. If the sampler was set to 1/10, then when I sent 1GB of traffic, I saw 100MB in collector. If the sampler is 1/100, then I saw 10MB. If 1/1000, then 1MB. Is this the correct sFlow behavior?

 

Thanks.

kuzma
New Contributor

Nobody knows. Misfortune.

Stephen_G

Hi Kuzma,

 

I recommend creating a new support forum thread to maximize the amount of views you get. Feel free to link to this related thread.

 

Kind regards,

Stephen

Stephen - Fortinet Community Team
Labels
Top Kudoed Authors