sflow

You can use sFlow monitoring in Sophos Firewall to analyze network traffic using sampled packet data. This data provides valuable insights for network troubleshooting, capacity planning, and security monitoring.

You must specify a host you want to configure as an sFlow collector and the hardware interface of the firewall you want to monitor. sFlow monitors all sub-interfaces, such as aliases and VLANs, associated with the specified interface. When you turn sFlow on, the sFlow agent in the firewall samples packets, collects statistics at regular intervals, and forwards this data to the sFlow collector. On the sFlow collector, you can use a network analyzer tool such as sFlowTrend to see the data.

sFlow behavior

The following points describe the sFlow behavior when you turn it on in the firewall:

  • sFlow uses one of the firewall's hardware interface IP addresses as the sFlow agent's IP address.
  • When sFlow is turned on, Fast Path is turned off on the interface you're monitoring.
  • In an HA cluster, the sFlow agent always runs on the primary device.

Warning

The sFlow traffic going from the agent to the collector isn't encrypted. Make sure it passes through secured networks.
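
Because the datagrams are unencrypted UDP, a collector host can check that each one at least claims to come from the firewall before it trusts the data. The following Python code is an added example, not part of the Sophos documentation. It assumes sFlow version 5 datagrams; the address 192.0.2.1 and the names FIREWALL_ADDRS, DatagramCheck and make_datagram are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the firewall's interface addresses (constructed, documentation range).
FIREWALL_ADDRS = {ipaddress.ip_address("192.0.2.1")}

def parse_header(datagram: bytes) -> dict:
    """Parse the fixed header of an sFlow version 5 datagram."""
    if len(datagram) < 8:
        raise ValueError("truncated header")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None or len(datagram) < 8 + addr_len + 16:
        raise ValueError("bad agent address or truncated header")
    agent = ipaddress.ip_address(datagram[8:8 + addr_len])
    sub_agent, seq, uptime_ms, samples = struct.unpack_from("!IIII", datagram, 8 + addr_len)
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq,
            "uptime_ms": uptime_ms, "samples": samples}

class DatagramCheck:
    """Flags datagrams that do not look like they come from the known firewall."""
    def __init__(self, allowed):
        self.allowed = allowed
        self.last_seq = {}  # (agent, sub_agent) -> last sequence number seen

    def check(self, src_ip: str, datagram: bytes) -> list:
        try:
            hdr = parse_header(datagram)
        except ValueError as exc:
            return [f"malformed: {exc}"]
        findings = []
        if ipaddress.ip_address(src_ip) not in self.allowed:
            findings.append(f"unexpected UDP source {src_ip}")
        if hdr["agent"] not in self.allowed:
            findings.append(f"unexpected agent address {hdr['agent']}")
        if findings:
            return findings  # rejected datagrams must not disturb sequence tracking
        key = (hdr["agent"], hdr["sub_agent"])
        last = self.last_seq.get(key)
        if last is not None and hdr["seq"] != (last + 1) & 0xFFFFFFFF:
            findings.append(f"sequence jump: {last} -> {hdr['seq']}")
        self.last_seq[key] = hdr["seq"]
        return findings

def make_datagram(agent: str, seq: int) -> bytes:
    """Constructed sample: version 5, IPv4 agent, sub-agent 0, zero samples."""
    return struct.pack("!II4sIIII", 5, 1, ipaddress.ip_address(agent).packed, 0, seq, 1000 * seq, 0)
```

These are plausibility checks only, because UDP source addresses and header fields can be forged. A sequence jump can also mean datagrams were lost or the agent restarted.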

sFlow configuration

To use sFlow in the firewall, do as follows:

  1. Use the collector option to configure an sFlow collector.
  2. Use the monitor option to specify the interface and sampling rate.
  3. (Optional) Use the polling-interval option to turn device polling on.
  4. Use the [on|off] option to turn sFlow on.

Command

system sflow

system sflow show

Syntax

system sflow
collector [add|delete] ip-address <IP-address> [port <1–65535>] 
monitor [add|delete] interface-name <name> [sampling-rate <10–10,000,000>]
polling-interval <30-300>
[on|off]

Options

collector [add|delete] ip-address <IP-address> [port <1–65535>]

Add an sFlow collector where you want to forward the sampled data. Specify the IP address and port number of the host you want to configure as the sFlow collector.

You can configure a maximum of five collectors. Run the command shown in the example separately to configure each collector.

Port number range: 1 to 65535

Default port number: 6343

Example

To add an sFlow collector, enter the following command:

system sflow collector add ip-address 192.0.2.10 port 6343

To delete an sFlow collector, enter the following command:

system sflow collector delete ip-address 192.0.2.10 port 6343

monitor [add|delete] interface-name <name> [sampling-rate <10–10,000,000>]

Specify the hardware interface you want to monitor and the sampling rate at which to sample the packets.

Sampling rate range: 10 to 10,000,000

Default sampling rate: 400

Example

To add an interface, enter the following command:

system sflow monitor add interface-name Port1 sampling-rate 1000

To delete an interface, enter the following command:

system sflow monitor delete interface-name Port1

polling-interval <30-300>

Use this option to poll the firewall's statistics and interface counters. Set the interval in seconds to specify how often to collect this data.

To turn polling off, set the polling interval to 0.

Range: 30 to 300 seconds

Default: 60 seconds

Example

To turn polling on, enter the following command:

system sflow polling-interval 80

To turn polling off, enter the following command:

system sflow polling-interval 0

[on|off]

Turn sFlow on to begin monitoring.

Default: off

Example

To turn sFlow on, enter the following command:

system sflow on

To turn sFlow off, enter the following command:

system sflow off

sflow show

Shows the current sFlow configuration.

Example

system sflow show