We covered Fortinet's regular NetFlow and Syslog configuration in a different blog post some time ago. Some FortiGates have no NetFlow option, though. On those devices, only sFlow configuration options are available.
First, we need to configure the global options on the device:
config system sflow
    set collector-ip 172.17.12.22
    set collector-port 6343
    set source-ip 0.0.0.0
    set interface-select-method auto
end
All of the configuration options should now be visible. Since the collector in this case is NetVizura NetFlow Analyzer, collector-ip is its IP address, and the port is usually (by default) 6343. source-ip is the IP address under which the Fortinet device appears in NetFlow Analyzer. interface-select-method determines how the outgoing interface is chosen: auto, sdwan, or manually specified.
Afterward, we need to configure the interfaces. They can be physical, VLAN, or trunk interfaces. The configuration is straightforward:
config system interface
    edit port1
        set sflow-sampler enable
        set sample-rate 2000
        set polling-interval 60
        set sample-direction both
    next
end
Finally, let's go through the interface options. sflow-sampler enables sFlow on the selected port (in our example, port1). sample-rate is the 1-in-N packet sampling rate, meaning that on average one packet out of every N is sampled and sent from the device; by default, it is 2000. For greater precision, lower this value to a smaller number (10 is the minimum). However, keep in mind that this can result in higher CPU usage on your device. polling-interval is the device polling interval in seconds, and sample-direction selects whether samples are taken from RX, TX, or both directions of the traffic.
And voila, the sFlow traffic should be available on your NetVizura NetFlow Analyzer.
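To check what actually arrives on the collector port, here is an added example (not from the original post, Fortinet, or NetVizura): a small Python parser that reads the agent address and the sampling rate from each flow sample in a datagram and scales the sampled frame lengths by that rate. It assumes the device exports sFlow version 5 with an IPv4 agent address and standard flow samples; the agent address 192.0.2.1 and the datagram produced by build_sample are constructed test values, not a capture.

```python
import socket
import struct

FLOW_SAMPLE, RAW_HEADER = 1, 1  # sFlow v5 standard (enterprise 0) format numbers

def parse_sflow5(datagram):
    """Return (agent_ip, [(sampling_rate, frame_length), ...]) from one sFlow v5 datagram."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
    agent_ip = socket.inet_ntoa(datagram[8:12])
    # sub-agent id, datagram sequence number, uptime (ms), number of samples
    _, _, _, num_samples = struct.unpack_from("!IIII", datagram, 12)
    offset, flows = 28, []
    for _ in range(num_samples):  # truncated input raises struct.error
        tag, length = struct.unpack_from("!II", datagram, offset)
        body = offset + 8
        if tag == FLOW_SAMPLE:
            # seq, source id, sampling rate, sample pool, drops, input, output, records
            _, _, rate, _, _, _, _, num_records = struct.unpack_from("!8I", datagram, body)
            rec = body + 32
            for _ in range(num_records):
                rtag, rlen = struct.unpack_from("!II", datagram, rec)
                if rtag == RAW_HEADER:
                    # header protocol, then original frame length in bytes
                    _, frame_len = struct.unpack_from("!II", datagram, rec + 8)
                    flows.append((rate, frame_len))
                rec += 8 + rlen
        offset = body + length  # skip counter samples and unknown formats
    return agent_ip, flows

def estimate_bytes(flows):
    """Scale each sampled frame by its 1-in-N rate to estimate the real byte count."""
    return sum(rate * frame_len for rate, frame_len in flows)

def build_sample(agent_ip, rate, frame_lengths):
    """Constructed test datagram (not a capture): one flow sample per frame length."""
    out = struct.pack("!II4sIIII", 5, 1, socket.inet_aton(agent_ip), 0, 1, 60000, len(frame_lengths))
    for seq, frame_len in enumerate(frame_lengths, 1):
        header = bytes(16)  # placeholder for the sampled packet header bytes
        record = struct.pack("!IIII", 1, frame_len, 4, len(header)) + header
        sample = struct.pack("!8I", seq, 1, rate, seq * rate, 0, 1, 2, 1)
        sample += struct.pack("!II", RAW_HEADER, len(record)) + record
        out += struct.pack("!II", FLOW_SAMPLE, len(sample)) + sample
    return out

if __name__ == "__main__":
    agent, flows = parse_sflow5(build_sample("192.0.2.1", 2000, [1500, 64, 576]))
    print(agent, flows, estimate_bytes(flows))
```

If the rate reported in the datagrams differs from the sample-rate set on the interface, or the agent address is not the one you expect, the export is not coming from the configuration shown above.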