
Fortinet Sflow support


Fortinet Support for sFlow

With the latest firmware release, Fortinet adds support for sFlow. sFlow is supported on FortiOS 4.0MR2 and above. Here are some tips extracted from the Fortinet KB article discussing the configuration of sFlow on a FortiGate device.

In FortiOS 4.0 MR2, FortiOS samples the network on a per-interface basis. Datagrams are forwarded to the sFlow collector. It should be noted that the FortiGate does not act as an sFlow collector.

sFlow agents can be added to any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces. However, the sFlow agent/client is not supported on some virtual interfaces such as VDOM link, IPSec, gre, and ssl.<vdom>.

sFlow configuration is available only from the CLI. The sFlow configuration is applied either globally, per-VDOM, or per-interface, as shown below.

1. Set the sFlow collector/server IP on the FortiGate.

    config system sflow
        set collector-ip x.x.x.x
        set collector-port xxxx        // default udp/6343
    end

To configure it per VDOM:

    config system vdom-sflow
        set vdom-sflow [disable*|enable]
        set collector-ip x.x.x.x
        set collector-port xxxx
    end

2. Configure sFlow agents per interface.

    config sys interface
        edit <interface_name>          // placeholder: the interface to sample
            set sflow-sampler [disable*|enable]
            set sample-rate xxxx       // sample every xxxx packets
            set sample-direction [tx|rx|both*]
            set polling-interval xx    // in secs
        next
    end

It should be noted that:

- When sFlow attributes are configured on an interface they are never skipped.
- For individual sFlow sampler-enabled interfaces, if per-VDOM sFlow is enabled (vdom-sflow), sampling traffic is sent to the per-VDOM collector. In all other scenarios sampling traffic is sent to the management VDOM's collector (the management VDOM always uses the global setting).
- The management VDOM can monitor all interfaces.

sFlow operates by sampling 1 in N packets as they arrive at the device's Ethernet interface. A small bit of the Ethernet frame (usually around 68 bytes) is snipped off and placed into a UDP packet along with additional samples. Once the packet reaches 1500 bytes the sFlow exporter attaches a preamble (including the sample rate, interface ifindex, etc.) and sends the samples to the collector. One of the big advantages sFlow has over NetFlow is that it runs at layer 2: sFlow-enabled devices don't need a layer-3 hop to create a flow, as most NetFlow exporters do.
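To make the datagram layout described above concrete, here is an added example (not from the Fortinet KB article) of the collector side: a minimal parser for the sFlow v5 header and flow samples received on UDP/6343, plus a constructed datagram to exercise it. The agent address 192.0.2.1, the interface indexes and the 1:512 sampling rate in the constructed datagram are assumed values, and only IPv4 agents and flow samples with raw packet header records are decoded.

```python
import struct

def _u32(buf, off):
    """Read one big-endian u32 (sFlow uses XDR encoding) and return (value, new offset)."""
    return struct.unpack_from("!I", buf, off)[0], off + 4

def _parse_flow_sample(buf):
    """Flow sample (enterprise 0, format 1): eight u32 header fields, then flow records."""
    _seq, _source_id, rate, _pool, _drops, in_if, out_if, n_rec = struct.unpack_from("!8I", buf, 0)
    sample = {"sampling_rate": rate, "input_ifindex": in_if, "output_ifindex": out_if, "records": []}
    off = 32
    for _ in range(n_rec):
        fmt, off = _u32(buf, off)
        rlen, off = _u32(buf, off)
        if fmt == 1:  # raw packet header record: protocol, frame length, stripped, header length, bytes
            _proto, frame_len, _stripped, hdr_len = struct.unpack_from("!4I", buf, off)
            hdr = buf[off + 16:off + 16 + hdr_len]
            # Scale by the sampling rate to estimate the bytes this one sample represents on the wire.
            sample["records"].append({"frame_length": frame_len, "header": hdr, "est_bytes": frame_len * rate})
        off += rlen  # records are length-prefixed, so unknown record formats are skipped safely
    return sample

def parse_sflow_v5(datagram):
    """Parse an sFlow v5 datagram; IPv4 agents and flow samples only (counter samples are skipped)."""
    version, off = _u32(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(datagram, off)
    if addr_type != 1:  # 1 = IPv4 agent address (2 = IPv6, not handled in this example)
        raise ValueError("only IPv4 agent addresses handled")
    agent = ".".join(str(b) for b in datagram[off:off + 4])
    sub_agent, seq, uptime_ms, n_samples = struct.unpack_from("!4I", datagram, off + 4)
    off += 20
    samples = []
    for _ in range(n_samples):
        stype, off = _u32(datagram, off)
        slen, off = _u32(datagram, off)
        if stype == 1:  # format 1 = flow sample; other sample types are skipped by their length
            samples.append(_parse_flow_sample(datagram[off:off + slen]))
        off += slen
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq, "uptime_ms": uptime_ms, "samples": samples}

def build_constructed_datagram():
    """Constructed test datagram: agent 192.0.2.1, one flow sample at 1:512 with a 68-byte header snippet."""
    hdr = bytes(range(68))  # placeholder bytes standing in for the snipped Ethernet frame header
    record = struct.pack("!4I", 1, 1514, 4, len(hdr)) + hdr  # 68 is a multiple of 4, so no XDR padding
    flow = struct.pack("!8I", 7, 10, 512, 3584, 0, 10, 12, 1) + struct.pack("!II", 1, len(record)) + record
    return struct.pack("!II4s4I", 5, 1, bytes([192, 0, 2, 1]), 0, 42, 123456, 1) + struct.pack("!II", 1, len(flow)) + flow
```

A real collector would read datagrams from a UDP socket bound to the collector-port configured above and feed each one to parse_sflow_v5; the est_bytes field is what turns sampled frames into traffic estimates.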

Anyway, if you have an sFlow collector and use Fortinet appliances, this new feature provides excellent visibility into the traffic flows passing through the Fortinet device.