Fortinet white logo
Fortinet white logo

Administration Guide

sFlow

sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance and throughput. FortiGate supports sFlow v5. sFlow collector software is available from a number of third-party software vendors. For more information about sFlow, see www.sflow.org.

The packet information that the FortiGate's sFlow agent collects depends on the interface type:

  • On an internal interface, when the interface receives packets from devices with private IP addresses, the collected information includes the private IP addresses.

  • On an external, or WAN, interface, when the interface receives to route to or from the internet, the collected information includes the IP address of the WAN interface as the source or destination interface, depending on the direction of the traffic. It does not include IP addresses that are NATed on another interface.

sFlow datagrams contain the following information:

  • Packet headers, such as MAC, IPv4, and TCP
  • Sample process parameters, such as rate and pool
  • Input and output ports
  • Priority (802.1p and ToS)
  • VLAN (802.1Q)
  • Source prefixes, destination prefixes, and next hop addresses
  • BGP source AS, source peer AS, destination peer AS, communities, and local preference
  • User IDs (TACACS, RADIUS) for source and destination
  • Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

Configuring sFlow

sFlow can be configured globally, then on traffic VDOMs and individual interfaces. When configuring sFlow on a VDOM, the collector can be specified, or the collector that is configured globally can be used.

FortiOS can be configured with a maximum of three sFlow collectors. This also applies to multi-VDOM environments where a maximum of three sFlow collectors can be used globally and/or on a per-VDOMs basis. This enables up to a maximum of three unique parallel sFlow streams or transmissions per sFlow sample to three different sFlow collectors.

sFlow is supported on some interface types, such as physical, VLAN, and aggregate. It is not supported on virtual interfaces, such as VDOM link, IPsec, GRE, or SSL. When configuring sFlow on an interface, the rate that the agent samples traffic, the direction of that traffic, and the frequency that the agent sends sFlow datagrams to the sFlow collector can be specified. If sFlow is configured on the VDOM that the interface belongs to, the agent sends datagrams to the collector configured for the VDOM. Otherwise, the datagrams are sent to the collector that is configured globally.

Configuring sFlow for an interface disables NP offloading for all traffic on that interface.

To configure sFlow globally:
config system sflow
    config collectors
        edit <id>
            set collector-ip <ipv4_address>
            set collector-port <port>
            set source-ip <ipv4_address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end

collector-ip <ipv4_address>

Enter the IPv4 address of the sFlow collector that sFlow agents added to interfaces in this VDOM send sFlow datagrams to (default = 0.0.0.0).

collector-port <port>

Enter the UDP port number used for sending sFlow datagrams; only configure if required by the sFlow collector or network configuration (0 - 65535, default = 6343).

source-ip <ipv4_address>

Enter the source IP address for the sFlow agent.

interface-select-method {auto | sdwan | specify}

Specify how to select the outgoing interface to reach the server (default = auto).

interface <interface>

Enter the outgoing interface to reach the server.

To configure sFlow for a VDOM:
config vdom
    edit <vdom>
        config system vdom-sflow
            set vdom-sflow {enable | disable}
            set collector-ip <ipv4_address>
            set collector-port <port>
            set source-ip <ipv4_address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        end
    next
end

vdom-sflow {enable | disable}

Enable/disable the sFlow configuration for the current VDOM (default = disable).

collector-ip <ipv4_address>

Enter the IPv4 address of the sFlow collector that sFlow agents added to interface (default = 0.0.0.0).

If this option is not configured, the global setting will be used.

collector-port <port>

Enter the UDP port number used for sending sFlow datagrams (0 - 65535, default = 6343).

Only configured this option if required by the sFlow collector or your network configuration.

If this option is not configured, the global setting will be used.

source-ip <ipv4_address>

Enter the source IPv4 address that the sFlow agent used to send datagrams to the collector (default = 0.0.0.0).

If this option is not configured, the FortiGate uses the IP address of the interface that it sends the datagram through.

interface-select-method {auto | sdwan | specify}

Specify how the outgoing interface to reach the server is selected (default = auto).

interface <interface>

Enter the outgoing interface used to reach the server.

This option is only available when interface-select-method is specify.

To configure sFlow on an interface:
config system interface
    edit <interface>
        set sflow-sampler {enable | disable}
        set sample-rate <integer>
        set polling-interval <integer>
        set sample-direction {tx | rx | both}
    next
end

sflow-sampler {enable | disable}

Enable/disable sFlow on this interface (default = disable).

sample-rate <integer>

Enter the average number of packets that the agent lets pass before taking a sample (10 - 99999, default = 2000).

Setting a lower rate will sample a higher number of packets, increasing the accuracy or the sampling data, but also increasing the CPU and network bandwidth usage. The default value is recommended.

polling-interval <integer>

Enter the amount of time that the agent waits between sending datagrams to the collector, in seconds (1 - 255, default = 20).

Setting a higher value lowers the amount of data that the agent sends across the network, but makes the collector's view of the network less current.

sample-direction {tx | rx | both}

Select the direction of the traffic that the agent collects (default = both).

Example 1: multiple sFlow collectors in a non-VDOM environment

In this example, three sFlow collectors are configured in a non-VDOM environment with sFlow sampling on the wan1 interface.

To configure multiple sFlow collectors:
  1. Configure the sFlow collectors:

    config system sflow
        config collectors
            edit 1
                set collector-ip 10.1.1.1
                set collector-port 6344
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 2
                set collector-ip 10.1.1.2
                set collector-port 6345
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 3
                set collector-ip 10.1.1.3
                set collector-port 6346
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
        end
    end
  2. Configure sFlow sampling on wan1:

    config system interface
        edit wan1
            set sflow-sampler enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
        next
    end
  3. Verify the sFlow diagnostics.

    1. Verify the sFlow configuration status:

      # diagnose test application sflowd 1
      
      global collector:10.1.1.1:[6344]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.2:[6345]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.3:[6346]
       global source ip: 0.0.0.0:[1399]
      vdom: root, index=0, vdom sflow collector is disabled(use global sflow config), primary (management vdom) 
        intf:wan1 sample_rate:2000 polling_interval:20 sample_direction:both
    2. Verify the sampled sFlow traffic packet capture:

      # diagnose sniffer packet any 'port 1399' 4 0 l
      interfaces=[any]
      filters=[port 6344 or port 6345 or port 6346]
      2023-11-14 15:44:41.658799 wan1 out 172.16.151.157.1399 -> 10.1.1.1.6344: udp 144
      2023-11-14 15:44:41.658829 wan1 out 172.16.151.157.1399 -> 10.1.1.2.6345: udp 144
      2023-11-14 15:44:41.658848 wan1 out 172.16.151.157.1399 -> 10.1.1.3.6346: udp 144
    Note

    The outgoing interface that is used to send the sampled sFlow traffic to the sFlow collector is decided by the routing table lookup.

Example 2: multiple sFlow collectors in a multi-VDOM environment

In this example, three sFlow collectors are configured in a multi-VDOM environment globally and per VDOM. sFlow sampling is on the wan1 and dmz interfaces.

To configure multiple sFlow collectors:
  1. Configure the global sFlow collectors:

    config system sflow
        config collectors
            edit 1
                set collector-ip 10.1.1.1
                set collector-port 6344
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 2
                set collector-ip 10.1.1.2
                set collector-port 6345
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 3
                set collector-ip 10.1.1.3
                set collector-port 6346
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
        end
    end
  2. Configure the per-VDOM sFlow collectors:

    config vdom
        edit testvdom
            config system vdom-sflow 
                set vdom-sflow enable 
                config collectors
                    edit 1
                        set collector-ip 10.1.1.4
                        set collector-port 6347
                        set source-ip 0.0.0.0
                        set interface-select-method auto
                    next
                    edit 2
                        set collector-ip 10.1.1.5
                        set collector-port 6348
                        set source-ip 0.0.0.0
                        set interface-select-method auto
                    next
                    edit 3
                        set collector-ip 10.1.1.6
                        set collector-port 6349
                        set source-ip 0.0.0.0
                        set interface-select-method auto
                    next
                end
            end
        next
    end
  3. Configure sFlow sampling on wan1 and dmz:

    config system interface
        edit wan1
            set vdom "root"
            set sflow-sampler enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
        next
        edit dmz
            set vdom "testvdom"
            set sflow-sampler enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
        next
    end
  4. Verify the sFlow diagnostics.

    1. Verify the sFlow configuration status:

      # diagnose test application sflowd  1
      
      global collector:10.1.1.1:[6344]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.2:[6345]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.3:[6346]
       global source ip: 0.0.0.0:[1399]
      vdom: root, index=0, vdom sflow collector is disabled(use global sflow config), primary (management vdom) 
        intf:wan1 sample_rate:2000 polling_interval:20 sample_direction:both
      vdom: testvdom, index=1, vdom sflow collector is enabled, primary  
        collector:10.1.1.4:[6347] src:192.168.1.1:[1399]
        collector:10.1.1.5:[6348] src:192.168.1.1:[1399]
        collector:10.1.1.6:[6349] src:192.168.1.1:[1399]
        intf:dmz sample_rate:2000 polling_interval:20 sample_direction:both
    2. Verify the sampled sFlow traffic packet capture:

      # sudo root diagnose sniffer packet any 'port 1399' 4 0 l
      interfaces=[any]
      filters=[port 1399]
      2023-11-14 16:50:11.118807 wan1 out 172.16.151.157.1399 -> 10.1.1.1.6344: udp 144
      2023-11-14 16:50:11.118838 wan1 out 172.16.151.157.1399 -> 10.1.1.2.6345: udp 144
      2023-11-14 16:50:11.118865 wan1 out 172.16.151.157.1399 -> 10.1.1.3.6346: udp 144
      2023-11-14 16:50:20.198784 dmz out 192.168.1.1.1399 -> 10.1.1.4.6347: udp 144
      2023-11-14 16:50:20.198813 dmz out 192.168.1.1.1399 -> 10.1.1.5.6348: udp 144
      2023-11-14 16:50:20.198832 dmz out 192.168.1.1.1399 -> 10.1.1.6.6349: udp 144
    Note

    The outgoing interface that is used to send the sampled sFlow traffic to the sFlow collector is decided by the routing table lookup.

sFlow

sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance and throughput. FortiGate supports sFlow v5. sFlow collector software is available from a number of third-party software vendors. For more information about sFlow, see www.sflow.org.

The packet information that the FortiGate's sFlow agent collects depends on the interface type:

  • On an internal interface, when the interface receives packets from devices with private IP addresses, the collected information includes the private IP addresses.

  • On an external, or WAN, interface, when the interface receives to route to or from the internet, the collected information includes the IP address of the WAN interface as the source or destination interface, depending on the direction of the traffic. It does not include IP addresses that are NATed on another interface.

sFlow datagrams contain the following information:

  • Packet headers, such as MAC, IPv4, and TCP
  • Sample process parameters, such as rate and pool
  • Input and output ports
  • Priority (802.1p and ToS)
  • VLAN (802.1Q)
  • Source prefixes, destination prefixes, and next hop addresses
  • BGP source AS, source peer AS, destination peer AS, communities, and local preference
  • User IDs (TACACS, RADIUS) for source and destination
  • Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

Configuring sFlow

sFlow can be configured globally, then on traffic VDOMs and individual interfaces. When configuring sFlow on a VDOM, the collector can be specified, or the collector that is configured globally can be used.

FortiOS can be configured with a maximum of three sFlow collectors. This also applies to multi-VDOM environments where a maximum of three sFlow collectors can be used globally and/or on a per-VDOMs basis. This enables up to a maximum of three unique parallel sFlow streams or transmissions per sFlow sample to three different sFlow collectors.

sFlow is supported on some interface types, such as physical, VLAN, and aggregate. It is not supported on virtual interfaces, such as VDOM link, IPsec, GRE, or SSL. When configuring sFlow on an interface, the rate that the agent samples traffic, the direction of that traffic, and the frequency that the agent sends sFlow datagrams to the sFlow collector can be specified. If sFlow is configured on the VDOM that the interface belongs to, the agent sends datagrams to the collector configured for the VDOM. Otherwise, the datagrams are sent to the collector that is configured globally.

Configuring sFlow for an interface disables NP offloading for all traffic on that interface.

To configure sFlow globally:
config system sflow
    config collectors
        edit <id>
            set collector-ip <ipv4_address>
            set collector-port <port>
            set source-ip <ipv4_address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end

collector-ip <ipv4_address>

Enter the IPv4 address of the sFlow collector that sFlow agents added to interfaces in this VDOM send sFlow datagrams to (default = 0.0.0.0).

collector-port <port>

Enter the UDP port number used for sending sFlow datagrams; only configure if required by the sFlow collector or network configuration (0 - 65535, default = 6343).

source-ip <ipv4_address>

Enter the source IP address for the sFlow agent.

interface-select-method {auto | sdwan | specify}

Specify how to select the outgoing interface to reach the server (default = auto).

interface <interface>

Enter the outgoing interface to reach the server.

To configure sFlow for a VDOM:
config vdom
    edit <vdom>
        config system vdom-sflow
            set vdom-sflow {enable | disable}
            set collector-ip <ipv4_address>
            set collector-port <port>
            set source-ip <ipv4_address>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        end
    next
end

vdom-sflow {enable | disable}

Enable/disable the sFlow configuration for the current VDOM (default = disable).

collector-ip <ipv4_address>

Enter the IPv4 address of the sFlow collector that sFlow agents added to interface (default = 0.0.0.0).

If this option is not configured, the global setting will be used.

collector-port <port>

Enter the UDP port number used for sending sFlow datagrams (0 - 65535, default = 6343).

Only configured this option if required by the sFlow collector or your network configuration.

If this option is not configured, the global setting will be used.

source-ip <ipv4_address>

Enter the source IPv4 address that the sFlow agent used to send datagrams to the collector (default = 0.0.0.0).

If this option is not configured, the FortiGate uses the IP address of the interface that it sends the datagram through.

interface-select-method {auto | sdwan | specify}

Specify how the outgoing interface to reach the server is selected (default = auto).

interface <interface>

Enter the outgoing interface used to reach the server.

This option is only available when interface-select-method is specify.

To configure sFlow on an interface:
config system interface
    edit <interface>
        set sflow-sampler {enable | disable}
        set sample-rate <integer>
        set polling-interval <integer>
        set sample-direction {tx | rx | both}
    next
end

sflow-sampler {enable | disable}

Enable/disable sFlow on this interface (default = disable).

sample-rate <integer>

Enter the average number of packets that the agent lets pass before taking a sample (10 - 99999, default = 2000).

Setting a lower rate will sample a higher number of packets, increasing the accuracy or the sampling data, but also increasing the CPU and network bandwidth usage. The default value is recommended.

polling-interval <integer>

Enter the amount of time that the agent waits between sending datagrams to the collector, in seconds (1 - 255, default = 20).

Setting a higher value lowers the amount of data that the agent sends across the network, but makes the collector's view of the network less current.

sample-direction {tx | rx | both}

Select the direction of the traffic that the agent collects (default = both).

Example 1: multiple sFlow collectors in a non-VDOM environment

In this example, three sFlow collectors are configured in a non-VDOM environment with sFlow sampling on the wan1 interface.

To configure multiple sFlow collectors:
  1. Configure the sFlow collectors:

    config system sflow
        config collectors
            edit 1
                set collector-ip 10.1.1.1
                set collector-port 6344
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 2
                set collector-ip 10.1.1.2
                set collector-port 6345
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 3
                set collector-ip 10.1.1.3
                set collector-port 6346
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
        end
    end
  2. Configure sFlow sampling on wan1:

    config system interface
        edit wan1
            set sflow-sampler enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
        next
    end
  3. Verify the sFlow diagnostics.

    1. Verify the sFlow configuration status:

      # diagnose test application sflowd 1
      
      global collector:10.1.1.1:[6344]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.2:[6345]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.3:[6346]
       global source ip: 0.0.0.0:[1399]
      vdom: root, index=0, vdom sflow collector is disabled(use global sflow config), primary (management vdom) 
        intf:wan1 sample_rate:2000 polling_interval:20 sample_direction:both
    2. Verify the sampled sFlow traffic packet capture:

      # diagnose sniffer packet any 'port 1399' 4 0 l
      interfaces=[any]
      filters=[port 6344 or port 6345 or port 6346]
      2023-11-14 15:44:41.658799 wan1 out 172.16.151.157.1399 -> 10.1.1.1.6344: udp 144
      2023-11-14 15:44:41.658829 wan1 out 172.16.151.157.1399 -> 10.1.1.2.6345: udp 144
      2023-11-14 15:44:41.658848 wan1 out 172.16.151.157.1399 -> 10.1.1.3.6346: udp 144
    Note

    The outgoing interface that is used to send the sampled sFlow traffic to the sFlow collector is decided by the routing table lookup.

Example 2: multiple sFlow collectors in a multi-VDOM environment

In this example, three sFlow collectors are configured in a multi-VDOM environment globally and per VDOM. sFlow sampling is on the wan1 and dmz interfaces.

To configure multiple sFlow collectors:
  1. Configure the global sFlow collectors:

    config system sflow
        config collectors
            edit 1
                set collector-ip 10.1.1.1
                set collector-port 6344
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 2
                set collector-ip 10.1.1.2
                set collector-port 6345
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
            edit 3
                set collector-ip 10.1.1.3
                set collector-port 6346
                set source-ip 0.0.0.0
                set interface-select-method auto
            next
        end
    end
  2. Configure the per-VDOM sFlow collectors:

    config vdom
        edit testvdom
            config system vdom-sflow 
                set vdom-sflow enable 
                config collectors
                    edit 1
                        set collector-ip 10.1.1.4
                        set collector-port 6347
                        set source-ip 0.0.0.0
                        set interface-select-method auto
                    next
                    edit 2
                        set collector-ip 10.1.1.5
                        set collector-port 6348
                        set source-ip 0.0.0.0
                        set interface-select-method auto
                    next
                    edit 3
                        set collector-ip 10.1.1.6
                        set collector-port 6349
                        set source-ip 0.0.0.0
                        set interface-select-method auto
                    next
                end
            end
        next
    end
  3. Configure sFlow sampling on wan1 and dmz:

    config system interface
        edit wan1
            set vdom "root"
            set sflow-sampler enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
        next
        edit dmz
            set vdom "testvdom"
            set sflow-sampler enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
        next
    end
  4. Verify the sFlow diagnostics.

    1. Verify the sFlow configuration status:

      # diagnose test application sflowd  1
      
      global collector:10.1.1.1:[6344]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.2:[6345]
       global source ip: 0.0.0.0:[1399]
      
      global collector:10.1.1.3:[6346]
       global source ip: 0.0.0.0:[1399]
      vdom: root, index=0, vdom sflow collector is disabled(use global sflow config), primary (management vdom) 
        intf:wan1 sample_rate:2000 polling_interval:20 sample_direction:both
      vdom: testvdom, index=1, vdom sflow collector is enabled, primary  
        collector:10.1.1.4:[6347] src:192.168.1.1:[1399]
        collector:10.1.1.5:[6348] src:192.168.1.1:[1399]
        collector:10.1.1.6:[6349] src:192.168.1.1:[1399]
        intf:dmz sample_rate:2000 polling_interval:20 sample_direction:both
    2. Verify the sampled sFlow traffic packet capture:

      # sudo root diagnose sniffer packet any 'port 1399' 4 0 l
      interfaces=[any]
      filters=[port 1399]
      2023-11-14 16:50:11.118807 wan1 out 172.16.151.157.1399 -> 10.1.1.1.6344: udp 144
      2023-11-14 16:50:11.118838 wan1 out 172.16.151.157.1399 -> 10.1.1.2.6345: udp 144
      2023-11-14 16:50:11.118865 wan1 out 172.16.151.157.1399 -> 10.1.1.3.6346: udp 144
      2023-11-14 16:50:20.198784 dmz out 192.168.1.1.1399 -> 10.1.1.4.6347: udp 144
      2023-11-14 16:50:20.198813 dmz out 192.168.1.1.1399 -> 10.1.1.5.6348: udp 144
      2023-11-14 16:50:20.198832 dmz out 192.168.1.1.1399 -> 10.1.1.6.6349: udp 144
    Note

    The outgoing interface that is used to send the sampled sFlow traffic to the sFlow collector is decided by the routing table lookup.