
Handbook

6.0.0

Configuring sFlow

Using sFlow to monitor network traffic

FortiGate includes support for sFlow, a monitoring solution that uses packet sampling to monitor network traffic. You can use sFlow to identify issues in your organization’s network that might impact performance. Because the packet information that sFlow collects and sends is only a sampling of your network data, it has minimal impact on the performance of your network.

The sFlow solution consists of the following components:

  • sFlow Agent: Collects packet information, such as packet flow samples and interface counters
  • sFlow Datagrams: Carry the collected packet information from the Agent to the Collector
  • sFlow Collector: Analyzes the packet information and provides real-time reporting on your network traffic

The sFlow Agent is embedded in the FortiGate. After you configure sFlow on a FortiGate, the sFlow Agent captures packet information, combines the information into sFlow Datagrams, and sends them to the sFlow Collector. The sFlow Collector analyzes the sFlow Datagrams and presents the information so that you can see the source of potential traffic issues. The FortiGate doesn’t act as an sFlow Collector. sFlow Collector software is available from third-party software vendors.

The sFlow Agent samples the packets that pass through a FortiGate interface to decide which ones to copy and send to the sFlow Collector. What the samples contain depends on where the interface sits. On an internal interface, packets arriving from devices with private IP addresses are sampled with those private addresses intact. On an external (WAN) interface, packets being routed to or from the Internet are sampled after NAT, so the samples carry the WAN interface's IP address as the source or destination address, depending on the direction of the traffic; the private addresses that were NAT'd (Network Address Translation) on another interface don't appear in them.

sFlow Datagrams contain the following information:

  • Packet headers, such as MAC, IPv4, and TCP
  • Sample process parameters, such as rate and pool
  • Input and output ports
  • Priority (802.1p and ToS)
  • VLAN (802.1Q)
  • Source prefixes, destination prefixes, and next hop addresses
  • BGP source AS, source peer AS, destination peer AS, communities, and local preference
  • User IDs (TACACS, RADIUS) for source and destination
  • Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

FortiOS implements sFlow version 5. For more information about sFlow, sFlow Collector software, and sFlow MIBs, visit www.sflow.org.

Configuring sFlow on a FortiGate

You can configure sFlow globally, for VDOMs, or for interfaces on a FortiGate. When you configure sFlow for an interface, you can configure the rate that the sFlow Agent samples traffic and the direction of that traffic. You can also set the frequency that the sFlow Agent sends sFlow Datagrams to the sFlow Collector.

You configure sFlow in the FortiGate CLI, by performing the following tasks:

  1. Configure destination information for sFlow Datagrams. This also configures sFlow globally on the FortiGate.
  2. Optionally, configure sFlow for one of the following:
    • A virtual domain (VDOM)
    • An interface

Prerequisites

  • Install and configure an sFlow Collector

Configure destination information for sFlow Datagrams – CLI:

config system sflow
    set collector-ip <ipv4_address>
    set collector-port <port_number>
    set source-ip <ipv4_address>
end

where you set the following variables:

collector-ip
    The IPv4 address of the sFlow Collector.

collector-port
    The UDP port number that the sFlow Agent on the FortiGate uses to send sFlow Datagrams to the sFlow Collector. The default value is 6343. Don't change this setting unless the sFlow Collector or network configuration requires you to change it.

source-ip
    The source IPv4 address that the FortiGate uses to send sFlow Datagrams to the sFlow Collector. This setting is optional. If you don't configure a source IP address, the FortiGate uses the IP address of the interface through which it sends the sFlow Datagram.

sFlow Datagrams are plain UDP: sFlow version 5 provides no authentication or encryption, and every flow sample carries the sampled packet's headers in cleartext. Send the datagrams to a collector on a management network, set source-ip to a fixed address so that the collector host and any firewall in the path can filter on it, and treat the collector as a sensitive system, since it accumulates a sampled view of all traffic on the monitored interfaces.

Configure sFlow for a VDOM – CLI:

When you configure sFlow for a VDOM, you specify the sFlow Collector that the VDOM will use. To have the VDOM use the sFlow Collector that's configured globally on the FortiGate, don't enter values for the collector-ip and collector-port options. To have the VDOM use a different sFlow collector, enter values for these options.

config system vdom-sflow
    set vdom-sflow enable
    set collector-ip <ipv4_address>
    set collector-port <port_number>
    set source-ip <ipv4_address>
end

where you set the following variables:

collector-ip
    The IPv4 address of the sFlow Collector.

collector-port
    The UDP port number that the sFlow Agent on the FortiGate uses to send sFlow Datagrams to the sFlow Collector. The default value is 6343. Don't change this setting unless the sFlow Collector or network configuration requires you to change it.

source-ip
    The source IPv4 address that the FortiGate uses to send sFlow Datagrams to the sFlow Collector. This setting is optional. If you don't configure a source IP address, the FortiGate uses the IP address of the interface through which it sends the sFlow Datagram.

Configure sFlow for an interface – CLI:

sFlow is supported on various FortiGate interfaces, including physical, VLAN, and aggregate interfaces. However, sFlow isn’t supported on some virtual interfaces, such as VDOM link, IPsec, GRE, and SSL interfaces.

When you configure sFlow on an interface, you can set the rate that the sFlow Agent samples traffic on the interface, the direction of that traffic, and the frequency that the sFlow Agent sends sFlow Datagrams to the sFlow Collector.

If sFlow is configured for a VDOM that the interface belongs to, the sFlow Agent sends sFlow Datagrams to the sFlow Collector that’s configured for the VDOM. Otherwise, the sFlow Datagrams are sent to the sFlow Collector that’s configured globally on the FortiGate.

Configuring sFlow for an interface disables all NP4 and NP6 offloading for all traffic on that interface, so the CPU has to process every session that crosses it, not only the sampled packets. Check the CPU headroom before you enable the sampler on a busy interface, and disable it again when you no longer need the data.

config system interface
    edit <interface_name>
        set sflow-sampler enable
        set sample-rate <rate>
        set sample-direction {tx | rx | both}
        set polling-interval <interval>
    next
end

where you set the following variables:

sample-rate
    The sampling ratio. On average, the sFlow Agent samples 1 out of every <rate> packets. The range is 10 to 99999. The default is 2000. For example, if you set this to 1000, the sFlow Agent samples 1 out of every 1000 packets.
    A lower value samples more packets, which increases the accuracy of the sampling data but also increases the CPU and network bandwidth that sFlow uses. In most cases, the default sample rate of 2000 provides enough accuracy.

sample-direction
    The direction of the traffic that the sFlow Agent samples:
      • tx: Samples the traffic that the interface sends
      • rx: Samples the traffic that the interface receives
      • both: Samples the traffic that the interface sends and receives

polling-interval
    The interval, in seconds, at which the sFlow Agent polls the interface counters and sends a counter sample to the sFlow Collector. The range is 1 to 255 seconds. The default is 20 seconds. In sFlow version 5 this interval governs the counter samples; packet flow samples are exported as they are taken, not held for the interval.
    A higher polling interval sends less data across your network, but the sFlow Collector's view of the interface counters won't be as up-to-date as it would be with a lower polling interval.
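The following Python script is an added example, not code from the FortiGate Handbook or from Fortinet. It serves two passages above: the list of what sFlow Datagrams contain, and the sample-rate entry that trades accuracy against overhead. It builds a constructed sFlow version 5 datagram (two packet flow samples carrying raw Ethernet/IPv4/TCP headers, plus one interface counter sample), decodes it the way a collector would, scales each sampled frame by its sampling rate to produce the traffic estimate, and computes the 95% confidence error bound that sflow.org gives for sampled estimates (196 * sqrt(1/n) percent for a class seen in n samples), which is how to judge whether the default rate of 2000 is accurate enough for a given interface. Every value is constructed: the agent address 192.0.2.1, ifIndex 3, the MAC and IP addresses and ports inside the sampled headers, and the counter values. The record layouts are the standard sFlow v5 ones (enterprise 0; flow sample format 1, counter sample format 2, raw packet header record 1, generic interface counters record 1).

```python
import math, socket, struct
from typing import Any, Dict, List

SFLOW_VERSION, ADDR_IPV4, HEADER_ETHERNET = 5, 1, 1
FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2            # enterprise-0 sample formats
RAW_PACKET_HEADER = GENERIC_IF_COUNTERS = 1   # flow record format 1 / counter record format 1
IF_COUNTERS_FMT = "!IIQIIQIIIIIIQIIIIII"      # generic interface counters: 19 fields, 88 bytes

def _opaque(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b + b"\x00" * (-len(b) % 4)   # XDR opaque, 4-byte padded

def _record(fmt: int, body: bytes) -> bytes:
    return struct.pack("!II", fmt, len(body)) + body   # sFlow v5 sample/record wrapper

def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed 54-byte Ethernet/IPv4/TCP header (checksums left at zero)."""
    eth = bytes.fromhex("00005e00530100005e0053020800")   # dst MAC, src MAC, EtherType 0x0800
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp

def build_datagram(agent_ip: str, seq: int, flows: List[Dict[str, Any]], cnt: Dict[str, int]) -> bytes:
    """One datagram: header, a flow sample per entry in flows, then one counter sample."""
    samples = []
    for i, f in enumerate(flows):
        rec = _record(RAW_PACKET_HEADER,
                      struct.pack("!III", HEADER_ETHERNET, f["frame_len"], 0) + _opaque(f["header"]))
        # flow sample: seq, source_id (ifIndex), sampling rate, sample pool, drops, input, output, #records
        samples.append(_record(FLOW_SAMPLE, struct.pack(
            "!IIIIIIII", i, f["if_index"], f["rate"], f["pool"], 0, f["if_index"], 0, 1) + rec))
    ctr = _record(GENERIC_IF_COUNTERS, struct.pack(
        IF_COUNTERS_FMT, cnt["if_index"], 6, 10**9, 0, 3, cnt["in_octets"], cnt["in_pkts"],
        0, 0, 0, 0, 0, cnt["out_octets"], cnt["out_pkts"], 0, 0, 0, 0, 0))
    samples.append(_record(COUNTER_SAMPLE, struct.pack("!III", 0, cnt["if_index"], 1) + ctr))
    hdr = struct.pack("!II4sIIII", SFLOW_VERSION, ADDR_IPV4, socket.inet_aton(agent_ip),
                      0, seq, 42_000, len(samples))           # sub-agent 0, uptime 42 s
    return hdr + b"".join(samples)

def _parse_packet_header(h: bytes) -> Dict[str, Any]:
    """Pull the MAC, IPv4 and TCP fields out of a sampled Ethernet header."""
    out: Dict[str, Any] = {"dst_mac": h[0:6].hex(":"), "src_mac": h[6:12].hex(":")}
    if struct.unpack("!H", h[12:14])[0] != 0x0800:
        return out
    ihl = (h[14] & 0x0F) * 4
    out.update(proto=h[23], src_ip=socket.inet_ntoa(h[26:30]), dst_ip=socket.inet_ntoa(h[30:34]))
    if out["proto"] == 6 and len(h) >= 18 + ihl:
        out["sport"], out["dport"] = struct.unpack("!HH", h[14 + ihl:18 + ihl])
    return out

def parse_datagram(buf: bytes) -> Dict[str, Any]:
    """Decode the header, the flow samples (raw packet headers) and the counter samples."""
    ver, atype, agent, _, seq, _, n = struct.unpack("!II4sIIII", buf[:28])
    if ver != SFLOW_VERSION or atype != ADDR_IPV4:
        raise ValueError("not an sFlow v5 datagram from an IPv4 agent")
    dg: Dict[str, Any] = {"agent": socket.inet_ntoa(agent), "seq": seq, "flows": [], "counters": []}
    off = 28
    for _ in range(n):
        fmt, length = struct.unpack("!II", buf[off:off + 8])
        body, off = buf[off + 8:off + 8 + length], off + 8 + length
        if fmt == FLOW_SAMPLE:      # seq, source_id, rate, pool, drops, input, output, #records
            _, _, rate, pool, _, inp, _, nrec = struct.unpack("!IIIIIIII", body[:32])
        elif fmt == COUNTER_SAMPLE:   # seq, source_id, #records
            _, _, nrec = struct.unpack("!III", body[:12])
        else:
            nrec = 0                  # unknown sample type: the length field already skipped it
        p = 32 if fmt == FLOW_SAMPLE else 12
        for _ in range(nrec):
            rfmt, rlen = struct.unpack("!II", body[p:p + 8])
            rbody, p = body[p + 8:p + 8 + rlen], p + 8 + rlen
            if fmt == FLOW_SAMPLE and rfmt == RAW_PACKET_HEADER:
                _, frame_len, _, hlen = struct.unpack("!IIII", rbody[:16])
                dg["flows"].append({"rate": rate, "pool": pool, "input": inp, "frame_len": frame_len,
                                    **_parse_packet_header(rbody[16:16 + hlen])})
            elif fmt == COUNTER_SAMPLE and rfmt == GENERIC_IF_COUNTERS:
                v = struct.unpack(IF_COUNTERS_FMT, rbody)
                dg["counters"].append({"if_index": v[0], "in_octets": v[5], "in_pkts": v[6],
                                       "out_octets": v[12], "out_pkts": v[13]})
    return dg

def estimate_bytes(dg: Dict[str, Any]) -> int:
    """sFlow traffic estimate: every sampled frame stands for sampling-rate frames."""
    return sum(f["frame_len"] * f["rate"] for f in dg["flows"])

def relative_error_pct(num_samples: int) -> float:
    """95% confidence error bound for a class seen in n samples: 196 * sqrt(1/n) percent."""
    return 196.0 / math.sqrt(num_samples)

def demo() -> Dict[str, Any]:
    """Constructed datagram: two flow samples taken at sample-rate 2000 plus one counter sample."""
    flows = [{"if_index": 3, "rate": 2000, "pool": 4000, "frame_len": 1500,
              "header": build_tcp_frame("10.0.0.5", "203.0.113.7", 51234, 443)},
             {"if_index": 3, "rate": 2000, "pool": 6000, "frame_len": 60,
              "header": build_tcp_frame("10.0.0.9", "203.0.113.8", 40000, 80)}]
    counters = {"if_index": 3, "in_octets": 123456789, "in_pkts": 100000,
                "out_octets": 987654321, "out_pkts": 200000}
    return parse_datagram(build_datagram("192.0.2.1", 7, flows, counters))

if __name__ == "__main__":
    d = demo()
    print(d["flows"], d["counters"], estimate_bytes(d), f"{relative_error_pct(len(d['flows'])):.0f}%")
```

Two things worth noticing when you run it. First, the decoded flow samples contain the private source addresses and the TCP ports exactly as they crossed the interface, which is the cleartext the datagram carries to the collector. Second, with only two samples the error bound is about 139%, and it takes roughly 1537 samples of a traffic class before the estimate is within 5%; at the default sample-rate of 2000 that means a class must carry about three million packets over the window you are looking at, which is the arithmetic behind choosing a lower rate for a quiet interface and keeping the default for a busy one.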
