Configuring Flow Exports on Palo Alto Devices
For NetFlow analysis, you need to configure your devices to export flows to the Site24x7 On-Premise Poller, which acts as the NetFlow collector. The On-Premise Poller listens on a specific UDP port for incoming flows; NetFlow is plain, unauthenticated UDP, so restrict access to that port to the firewalls that export to it. Learn how to find the port number of your On-Premise Poller.
Perform the following steps to configure NetFlow record exports:
- Create a NetFlow server profile.
- Assign the NetFlow server profile to the interfaces that convey the traffic.
- Configure a service route for the interface that the firewall will use to send NetFlow records (Required for PA-7000 Series and PA-5200 Series firewalls).
- Commit your changes
Step 1: Create a NetFlow server profile.
This step defines Site24x7 as the NetFlow collector that will receive the exported records. Follow the steps below:
- Log in to your Palo Alto device.
- Go to Device > Server Profiles > NetFlow and Add a profile.
- Name: Enter a name to identify the profile.
- Under Template Refresh Rate, specify how often the device re-sends its NetFlow templates, in Minutes (default is 30) and in Packets (exported records; default is 20). A NetFlow v9 collector cannot decode data records until it has received the matching template, so this rate determines how long after a poller restart the incoming records remain undecodable.
- Active Timeout: Specify the Active Timeout, which is the frequency in minutes at which the firewall exports records (default is 5).
- Check the box next to PAN-OS Field Types if you want the firewall to export App-ID and User-ID fields.
- Add NetFlow collector that will receive records by specifying the following:
- Name: Name to identify the collector.
- NetFlow Server: Hostname or IP address of the machine on which Site24x7 On-Premise Poller is installed.
- Port: The UDP port on which the On-Premise Poller listens for NetFlow (Learn how to find the port number of your On-Premise Poller).
- Click OK.
Step 2: Assign the NetFlow server profile to the interfaces that convey the traffic.
Once you have configured the NetFlow profile, the next step is to assign the profile to each firewall interface whose traffic you want exported.
- Go to Network > Interfaces > Ethernet and click an interface name to edit it.
- Select the NetFlow server profile (NetFlow Profile) you configured and click OK.
Step 3: Configure a service route for the interface that the firewall will use to send NetFlow records (Required for PA-7000 Series and PA-5200 Series firewalls).
- Go to Device > Setup > Services.
- (Firewall with multiple virtual systems) Select one of the following:
- Global: Select this if the service route applies to all virtual systems on the firewall.
- Virtual Systems: Select this if the service route applies to a specific virtual system. Set the Location to the virtual system.
- Select Service Route Configuration and Customize.
- Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
- Click Netflow in the Service column.
- Select the Source Interface.
Note: Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series or PA-5200 Series firewalls.
- Select a Source Address (IP address).
- Click OK twice to save your changes.
Step 4: Commit your changes.
Commit all of the above changes. The firewall does not start exporting records until the commit completes.
To troubleshoot NetFlow delivery issues on the firewall side, run the following operational command-line interface (CLI) command:
debug log-receiver netflow statistics
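The CLI command above only tells you what the firewall thinks it exported. To confirm that records actually arrive at the collector port, and that templates are being refreshed, it helps to look at the wire. The following script is an added example, not part of this page or of Site24x7's or Palo Alto Networks' software: a minimal NetFlow v9 parser (PAN-OS exports NetFlow version 9) with a UDP listener you can run on the poller host while the poller is stopped, or on a spare host that you temporarily add as a second collector in the server profile. The collector port passed on the command line is an assumption; the sample packet is constructed inline for the self-test and is not a real capture.

```python
"""Check that a PAN-OS NetFlow v9 export reaches the collector port.

Added example: a minimal NetFlow v9 (RFC 3954) parser plus a UDP listener.
Run `python netflow_check.py <port>` on the collector host (the port is an
assumption; use the one your On-Premise Poller listens on) to print a summary
of each packet, or with no arguments to parse the constructed sample packet.
"""
import socket
import struct
import sys

# Packet header: version, record count, sysUptime (ms), export time (unix
# secs), sequence number, source ID.
V9_HEADER = struct.Struct("!HHIIII")
# FlowSet header: FlowSet ID, FlowSet length (including this header).
SET_HEADER = struct.Struct("!HH")


def parse_v9(packet: bytes) -> dict:
    """Parse header and FlowSets; decode data records whose template is in
    the same packet. Raises ValueError on anything that is not NetFlow v9."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"expected NetFlow version 9, got {version}")
    templates, records, flowsets = {}, [], []
    offset = V9_HEADER.size
    while offset + SET_HEADER.size <= len(packet):
        set_id, length = SET_HEADER.unpack_from(packet, offset)
        if length < SET_HEADER.size or offset + length > len(packet):
            raise ValueError(f"malformed FlowSet length {length} at offset {offset}")
        body = packet[offset + SET_HEADER.size:offset + length]
        if set_id == 0:
            # Template FlowSet: (template ID, field count, field type/length pairs)...
            pos = 0
            while pos + 4 <= len(body):  # trailing bytes < 4 are padding
                tid, nfields = SET_HEADER.unpack_from(body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError(f"truncated template {tid}")
                templates[tid] = [SET_HEADER.unpack_from(body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                flowsets.append(("template", tid))
        elif set_id == 1:
            flowsets.append(("options_template", set_id))
        elif set_id >= 256:
            flowsets.append(("data", set_id))
            fields = templates.get(set_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len:  # without the template the records cannot be decoded
                for start in range(0, len(body) - rec_len + 1, rec_len):
                    rec, pos = {}, start
                    for ftype, flen in fields:
                        rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                        pos += flen
                    records.append(rec)
        else:
            flowsets.append(("reserved", set_id))
        offset += length
    return {"count": count, "sys_uptime_ms": uptime, "export_time": secs,
            "sequence": seq, "source_id": source_id, "flowsets": flowsets,
            "templates": templates, "records": records}


def build_sample_packet() -> bytes:
    """Constructed test packet (not a real PAN-OS capture): template 256 with
    IPV4_SRC_ADDR (type 8), IPV4_DST_ADDR (12) and IN_PKTS (2), then two records."""
    template = SET_HEADER.pack(256, 3) + b"".join(SET_HEADER.pack(t, 4) for t in (8, 12, 2))
    template_set = SET_HEADER.pack(0, SET_HEADER.size + len(template)) + template
    rec1 = socket.inet_aton("10.0.0.1") + socket.inet_aton("8.8.8.8") + struct.pack("!I", 17)
    rec2 = socket.inet_aton("10.0.0.2") + socket.inet_aton("1.1.1.1") + struct.pack("!I", 3)
    data_set = SET_HEADER.pack(256, SET_HEADER.size + len(rec1) + len(rec2)) + rec1 + rec2
    header = V9_HEADER.pack(9, 3, 123456, 1700000000, 42, 1)  # count = 1 template + 2 records
    return header + template_set + data_set


def listen(port: int, max_packets: int = 5) -> None:
    """Bind the collector port and print one summary line per packet. Only one
    process can own the UDP port, so stop the poller first or use a spare host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(max_packets):
            data, (src, _) = sock.recvfrom(65535)
            try:
                s = parse_v9(data)
            except ValueError as exc:
                print(f"{src}: not NetFlow v9 ({exc})")
                continue
            print(f"{src}: seq={s['sequence']} source_id={s['source_id']} "
                  f"flowsets={s['flowsets']} decoded_records={len(s['records'])}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        listen(int(sys.argv[1]))
    else:
        print(parse_v9(build_sample_packet()))
```

If the listener prints nothing, the problem is upstream of the collector (service route, source interface, or a path that blocks the UDP port); if it prints only data FlowSets with zero decoded records for longer than the configured Template Refresh Rate, the firewall is not re-sending templates as expected. A gap in the sequence numbers between consecutive packets from the same source ID indicates packets lost in transit.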
For more details, refer to Palo Alto's official documentation.