FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help


sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance and throughput. FortiOS implements sFlow version 5.

sFlow uses packet sampling to monitor network traffic. The sFlow Agent captures packet information at defined intervals and sends them to an sFlow Collector for analysis, providing real-time data analysis. The information sent is only a sampling of the data for minimal impact on network throughput and performance.

The sFlow Agent is embedded in the FortiGate unit. Once configured, the FortiGate unit sends sFlow datagrams of the sampled traffic to the sFlow Collector, also called an sFlow Analyzer. The sFlow Collector receives the datagrams, and provides real-time analysis and graphing to indicate where potential traffic issues are occurring. sFlow Collector software is available from a number of third party software vendors.

sFlow data captures only a sampling of network traffic, not all traffic like the traffic logs on the FortiGate unit. Sampling works by the sFlow Agent looking at traffic packets when they arrive on an interface. A decision is made whether the packet is dropped and allowed to be to its destination or if a copy is forwarded to the sFlow Collector. The sample used and its frequency are determined during configuration.

sFlow is not supported on virtual interfaces such as vdom link, ipsec, ssl.root or gre.

The sFlow datagram sent to the Collector contains the information:

  • Packet header (e.g. MAC,IPv4,IPv6,IPX,AppleTalk,TCP,UDP, ICMP)
  • Sample process parameters (rate, pool etc.)
  • Input/output ports
  • Priority (802.1p and TOS)
  • VLAN (802.1Q)
  • Source/destination prefix
  • Next hop address
  • Source AS, Source Peer AS
  • Destination AS Path
  • Communities, local preference
  • User IDs (TACACS/RADIUS) for source/destination
  • URL associated with source/destination
  • Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

sFlow agents can be added to any type of FortiGate interface. sFlow isn't supported on some virtual interfaces such as VDOM link, IPsec, gre, and ssl.root.

For more information on sFlow, Collector software and sFlow MIBs, visit


sFlow configuration is available only from the CLI. Configuration requires two steps: enabling the sFlow Agent and configuring the interface for the sampling information.

Enable sFlow

config system sflow

set collector-ip <ip_address>

set collector-port <port_number>

set source-ip <ip_address>



The default port for sFlow is UDP 6343. To configure in VDOM, use the commands:

config system vdom-sflow

set vdom-sflow enable

set collector-ip <ip_address>

set collector-port <port_number>

set source-ip <ip_address>



Configure sFlow agents per interface.

config system interface

edit <interface_name>

set sflow-sampler enable

set sample-rate <every_n_packets>

set sample-direction [tx | rx | both]

set polling-interval <seconds>