Using sFlow to monitor network traffic
FortiGate includes support for sFlow, a monitoring solution that uses packet sampling to monitor network traffic. You can use sFlow to identify issues in your organization’s network that might impact performance. Because the packet information that sFlow collects and sends is only a sampling of your network data, it has minimal impact on the performance of your network.
The sFlow solution consists of the following components:
- sFlow Agent: Collects packet information, such as packet flow samples and interface counters
- sFlow Datagrams: Contains the packet information
- sFlow Collector: Analyzes the packet information and provides real-time reporting on your network traffic
The sFlow Agent is embedded in the FortiGate. After you configure sFlow on a FortiGate, the sFlow Agent captures packet information, combines the information into sFlow Datagrams, and sends them to the sFlow Collector. The sFlow Collector analyzes the sFlow Datagrams and presents the information so that you can see the source of potential traffic issues. The FortiGate doesn’t act as an sFlow Collector. sFlow Collector software is available from third-party software vendors.
The sFlow Agent performs packet sampling on packets that arrive on a FortiGate interface to determine which ones to copy and send to the sFlow Collector. The packet information sFlow collects depends on the type of FortiGate interface. If you enable sFlow on an internal interface, when the interface receives packets from devices with private IP addresses, the packet information that sFlow collects includes the private IP addresses. If you enable sFlow on an external (WAN) interface, when the interface receives packets to route to or from the Internet, the packet information that sFlow collects includes the IP address of the WAN interface as the source or destination interface, depending on the direction of the traffic. It doesn’t include IP addresses that are NAT’d (Network Address Translation) on another interface.
sFlow Datagrams contain the following information:
- Packet headers, such as MAC, IPv4, and TCP
- Sample process parameters, such as rate and pool
- Input and output ports
- Priority (802.1p and ToS)
- VLAN (802.1Q)
- Source prefixes, destination prefixes, and next hop addresses
- BGP source AS, source peer AS, destination peer AS, communities, and local preference
- User IDs (TACACS, RADIUS) for source and destination
- Interface statistics (RFC 1573, RFC 2233, and RFC 2358)
FortiOS implements sFlow version 5. For more information about sFlow, sFlow Collector software, and sFlow MIBs, visit www.sflow.org.
Configuring sFlow on a FortiGate
You can configure sFlow globally, for VDOMs, or for interfaces on a FortiGate. When you configure sFlow for an interface, you can configure the rate that the sFlow Agent samples traffic and the direction of that traffic. You can also set the frequency that the sFlow Agent sends sFlow Datagrams to the sFlow Collector.
You configure sFlow in the FortiGate CLI, by performing the following tasks:
- Configure destination information for sFlow Datagrams. This also configures sFlow globally on the FortiGate.
- Optionally, configure sFlow for one of the following:
- A virtual domain (VDOM)
- An interface
Prerequisites
- Install and configure an sFlow Collector
Configure destination information for sFlow Datagrams – CLI:
config system sflow
set collector-ip <ipv4_address>
set collector-port <port_number>
set source-ip <ipv4_address>
end
where you set the following variables:
CLI option |
Description |
---|---|
|
The IPv4 address of the sFlow Collector |
|
The UDP port number that the sFlow Agent on the FortiGate uses to send sFlow Datagrams to the sFlow Collector. The default value is 6343. Don’t change this setting unless the sFlow Collector or network configuration requires you to change it. |
|
The source IPv4 address that the FortiGate uses to send sFlow Datagrams to the sFlow Collector This setting is optional. If you don't configure a source IP address, the FortiGate uses the source IP address of the port through which it sends the sFlow Datagram. |
Configure sFlow for a VDOM – CLI:
When you configure sFlow for a VDOM, you specify the sFlow Collector that the VDOM will use. To have the VDOM use the sFlow Collector that's configured globally on the FortiGate, don't enter values for the collector-ip and collector-port options. To have the VDOM use a different sFlow collector, enter values for these options.
config system vdom-sflow
set vdom-sflow enable
set collector-ip <ipv4_address>
set collector-port <port_number>
set source-ip <ipv4_address>
end
where you set the following variables:
CLI option |
Description |
---|---|
|
The IPv4 address of the sFlow Collector |
|
The UDP port number that the sFlow Agent on the FortiGate uses to send sFlow Datagrams to the sFlow Collector. The default value is 6343. Don’t change this setting unless the sFlow Collector or network configuration requires you to change it. |
|
The source IPv4 address that the FortiGate uses to send sFlow Datagrams to the sFlow Collector This setting is optional. If you don't configure a source IP address, the FortiGate uses the source IP address of the port through which it sends the sFlow Datagram. |
Configure sFlow for an interface – CLI:
sFlow is supported on various FortiGate interfaces, including physical, VLAN, and aggregate interfaces. However, sFlow isn’t supported on some virtual interfaces, such as VDOM link, IPsec, GRE, and SSL interfaces.
When you configure sFlow on an interface, you can set the rate that the sFlow Agent samples traffic on the interface, the direction of that traffic, and the frequency that the sFlow Agent sends sFlow Datagrams to the sFlow Collector.
If sFlow is configured for a VDOM that the interface belongs to, the sFlow Agent sends sFlow Datagrams to the sFlow Collector that’s configured for the VDOM. Otherwise, the sFlow Datagrams are sent to the sFlow Collector that’s configured globally on the FortiGate.
Configuring sFlow for an interface disables all NP4 and NP6 offloading for all traffic on that interface.
config system interface
edit <interface_name>
set sflow-sampler enable
set sample-rate <rate>
set sample-direction {tx | rx | both}
set polling-interval <interval>
next
end
where you set the following variables:
CLI option |
Description |
---|---|
|
The average number of packets that the sFlow Agent lets pass before taking a sample. The range is 10 to 99999. The default is 2000. For example, if you set this to 1000, the sFlow Agent samples 1 out of every 1000 packets. If you set a lower rate, the sFlow Agent samples a higher number of packets, which increases the accuracy of the sampling data. However, this also increases the amount of CPU resources and network bandwidth that sFlow uses. In most cases, the default sample rate of 2000 provides enough accuracy. |
|
The direction of the traffic that the sFlow Agent samples:
|
|
The amount of time, in seconds, that the sFlow Agent waits between sending sFlow Datagrams to the sFlow Collector. The range is 1 to 255 seconds. The default is 20 seconds. If you set a higher polling interval, the sFlow Agent sends less data across your network, but the sFlow Collector’s view of your network won’t be as up-to-date as it would if you set a lower polling interval. |