Manufacturer:  Palo Alto Networks

Model(s):  All Firewalls

Version(s): PAN-OS 11.0

URL:  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/netflow-monitoring/configure-netflow-exports

Notes:

  • All Palo Alto Networks firewalls support NetFlow Version 9.
  • The firewalls perform NetFlow processing on all IP packets on the interfaces and do not support sampled NetFlow.
  • You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces.
  • For aggregate Ethernet sub-interfaces, you can export records for the individual sub-interfaces that data flows through within the group.
  • For the PA-7000 Series, PA-5400 Series and PA-5200 Series firewalls, you must configure a service route for the interface that the firewall uses to send NetFlow records.
  • You cannot use the management (MGT) interface to send NetFlow records from the PA-7000 Series, PA-5400 Series and PA-5200 Series firewalls. For other firewall models, a service route is optional.
  • For all firewalls, the interface that sends NetFlow records does not have to be the same as the interface for which the firewall collects the records.

Configuration steps

  1. Go to Device > Server Profiles > Netflow.
  2. Click Add to bring up the Netflow Server Profile.
  3. Add a Name for the Netflow Profile.
  4. Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records; default is 20). Plixer recommends using 1 minute and 20 records. The firewall refreshes the templates after either threshold is passed.
  5. Set the Active Timeout to 1 minute so the firewall exports records every 1 minute.
  6. Enable PAN-OS Field Types (exports APP-ID and User-IP fields in Netflow records).
  7. Add a Netflow Collector (up to two per profile) that will receive the Netflow records by clicking the Add button.
  8. Enter the Name (name to identify the collector) and NetFlow Server (host name or IP address of the server) fields.
  9. The Access Port is automatically populated as 2055, but can be modified if needed.
  10. Click OK to save the profile.
  11. Assign the NetFlow server profile to the firewall interfaces on which the traffic you want to collect enters the firewall. Select Network > Interfaces > Ethernet and click an interface name to edit it.
  12. Select the NetFlow server profile (NetFlow Profile) you configured and click OK.
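The template refresh cadence in step 4 matters because a collector cannot decode NetFlow v9 data records until it has received the template they reference; with the 30-minute default, records exported before the next template arrive undecodable. The parser below is an added illustration, not Plixer's or Palo Alto Networks' code: it reads v9 export packets and reports data FlowSets that arrived before their template. The three packets are constructed samples, not captures from a firewall.

```python
import struct

def parse_netflow_v9(packet: bytes) -> dict:
    """Parse one NetFlow v9 export: 20-byte header, then every FlowSet.
    Templates (FlowSet ID 0) come back as {template_id: [(field_type, length), ...]};
    data FlowSets (ID >= 256) come back as the template IDs they reference."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, _uptime, _unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    parsed = {"count": count, "sequence": seq, "source_id": source_id,
              "templates": {}, "data_sets": []}
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("FlowSet length does not fit the packet")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if nfields == 0:          # zero padding at the end of the FlowSet
                    break
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                parsed["templates"][tid] = fields
        elif fs_id >= 256:
            parsed["data_sets"].append(fs_id)
        offset += fs_len
    return parsed

def undecodable_data_sets(packets) -> list:
    """Walk exports in arrival order; return (sequence, template_id) for each data FlowSet
    that arrives before any template with that ID, i.e. what a collector cannot decode."""
    known, missing = set(), []
    for pkt in packets:
        p = parse_netflow_v9(pkt)
        known.update(p["templates"])
        missing.extend((p["sequence"], tid) for tid in p["data_sets"] if tid not in known)
    return missing

def _header(count, seq):  # constructed header: version 9, fixed uptime/time, source ID 0
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, 0)

# Constructed samples: template 256 maps IPV4_SRC_ADDR (type 8) and IPV4_DST_ADDR (type 12).
TEMPLATE_PKT = _header(1, 1) + struct.pack("!HHHH", 0, 16, 256, 2) + struct.pack("!HHHH", 8, 4, 12, 4)
DATA_PKT = _header(1, 2) + struct.pack("!HH", 256, 12) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
ORPHAN_PKT = _header(1, 3) + struct.pack("!HH", 257, 12) + bytes([10, 0, 0, 3, 10, 0, 0, 4])
```

Feeding a short capture from the collector side into `undecodable_data_sets` shows whether the 1 minute / 20 packet refresh is actually reaching the collector.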

For PA-7000 Series, PA-5400 Series and PA-5200 Series firewalls, you must also configure a service route:

  1. Select Device > Setup > Services
  2. (Firewall with multiple virtual systems) Select one of the following:
    • Global – Select this option if the service route applies to all virtual systems on the firewall.
    • Virtual Systems – Select this option if the service route applies to a specific virtual system. Set the Location to the virtual system.
  3. Select Service Route Configuration and Customize.
  4. Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
  5. Click Netflow in the Service column.
  6. Select the Source Interface. Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series, PA-5400 Series, or PA-5200 Series firewalls.
  7. Select a Source Address (IP address).
  8. Click OK twice to save your changes.
  9. Commit your changes.