NetFlow Templates
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
NetFlow Templates
NetFlow collectors use templates to decipher the fields
that the firewall exports. The firewall selects a template based
on the type of exported data: IPv4 or IPv6 traffic, with or without
NAT, and with standard or enterprise-specific (PAN-OS specific)
fields. The firewall periodically refreshes templates to re-evaluate
which one to use (in case the type of exported data changes) and
to apply any changes to the fields in the selected template. When
you Configure
NetFlow Exports, set the refresh rate based on a time interval
and a number of exported records according to the requirements of
your NetFlow collector. The firewall refreshes the templates after
either threshold is passed.
The Palo Alto Networks firewall supports the following NetFlow
templates:
Template | ID |
---|---|
IPv4 Standard | 256 |
IPv4 Enterprise | 257 |
IPv6 Standard | 258 |
IPv6 Enterprise | 259 |
IPv4 with NAT Standard | 260 |
IPv4 with NAT Enterprise | 261 |
IPv6 with NAT Standard | 262 |
IPv6 with NAT Enterprise | 263 |
The following table lists the NetFlow fields that the firewall
can send, along with the templates that define them:
Value | Field | Description | Templates |
---|---|---|---|
1 | IN_BYTES | Incoming counter with length N * 8 bits
for the number of bytes associated with an IP flow. By default,
N is 4. | All templates |
2 | IN_PKTS | Incoming counter with length N * 8 bits
for the number of packets associated with an IP glow. By default,
N is 4. | All templates |
4 | PROTOCOL | IP protocol byte. | All templates |
5 | TOS | Type of Service byte setting when entering
the ingress interface. | All templates |
6 | TCP_FLAGS | Total of all the TCP flags in this flow. | All templates |
7 | L4_SRC_PORT | TCP/UDP source port number (for example,
FTP, Telnet, or equivalent). | All templates |
8 | IPV4_SRC_ADDR | IPv4 source address. | IPv4 standard IPv4 enterprise IPv4
with NAT standard IPv4 with NAT enterprise |
10 | INPUT_SNMP | Input interface index. The value length
is 2 bytes by default, but higher values are possible. For details
on how Palo Alto Networks firewalls generate interface indexes,
see Firewall
Interface Identifiers in SNMP Managers and NetFlow Collectors. | All templates |
11 | L4_DST_PORT | TCP/UDP destination port number (for example,
FTP, Telnet, or equivalent). | All templates |
12 | IPV4_DST_ADDR | IPv4 destination address. | IPv4 standard IPv4 enterprise IPv4
with NAT standard IPv4 with NAT enterprise |
14 | OUTPUT_SNMP | Output interface index. The value length
is 2 bytes by default, but higher values are possible. For details
on how Palo Alto Networks firewalls generate interface indexes,
see Firewall
Interface Identifiers in SNMP Managers and NetFlow Collectors. | All templates |
21 | LAST_SWITCHED | System uptime in milliseconds when the last
packet of this flow was switched. | All templates |
22 | FIRST_SWITCHED | System uptime in milliseconds when the first
packet of this flow was switched. | All templates |
27 | IPV6_SRC_ADDR | IPv6 source address. | IPv6 standard IPv6 enterprise IPv6
with NAT standard IPv6 with NAT enterprise |
28 | IPV6_DST_ADDR | IPv6 destination address. | IPv6 standard IPv6 enterprise IPv6
with NAT standard IPv6 with NAT enterprise |
32 | ICMP_TYPE | Internet Control Message Protocol (ICMP)
packet type. This is reported as: ICMP Type * 256 + ICMP code | All templates |
61 | DIRECTION | Flow direction:
| All templates |
148 | flowId | An identifier of a flow that is unique within
an observation domain. You can use this information element to distinguish
between different flows if flow keys such as IP addresses and port
numbers are not reported or are reported in separate records. The
flowID corresponds to the session ID field in Traffic and Threat
logs. | All templates |
233 | firewallEvent | Indicates a firewall event:
| All templates |
225 | postNATSourceIPv4Address | The definition of this information element
is identical to that of sourceIPv4Address, except that it reports
a modified value that the firewall produced during network address translation
after the packet traversed the interface. | IPv4 with NAT standard IPv4 with NAT enterprise |
226 | postNATDestinationIPv4Address | The definition of this information element
is identical to that of destinationIPv4Address, except that it reports
a modified value that the firewall produced during network address
translation after the packet traversed the interface. | IPv4 with NAT standard IPv4 with NAT enterprise |
227 | postNAPTSourceTransportPort | The definition of this information element
is identical to that of sourceTransportPort, except that it reports
a modified value that the firewall produced during network address
port translation after the packet traversed the interface. | IPv4 with NAT standard IPv4 with NAT enterprise |
228 | postNAPTDestinationTransportPort | The definition of this information element
is identical to that of destinationTransportPort, except that it
reports a modified value that the firewall produced during network
address port translation after the packet traversed the interface. | IPv4 with NAT standard IPv4 with NAT enterprise |
281 | postNATSourceIPv6Address | The definition of this information element
is identical to the definition of information element sourceIPv6Address, except
that it reports a modified value that the firewall produced during
NAT64 network address translation after the packet traversed the
interface. See RFC 2460 for the definition
of the source address field in the IPv6 header. See RFC
6146 for NAT64 specification. | IPv6 with NAT standard IPv6 with NAT enterprise |
282 | postNATDestinationIPv6Address | The definition of this information element
is identical to the definition of information element destinationIPv6Address, except
that it reports a modified value that the firewall produced during
NAT64 network address translation after the packet traversed the
interface. See RFC 2460 for the definition
of the destination address field in the IPv6 header. See RFC 6146 for NAT64 specification. | IPv6 with NAT standard IPv6 with NAT enterprise |
346 | privateEnterpriseNumber | This is a unique private enterprise number
that identifies Palo Alto Networks: 25461. | IPv4 enterprise IPv4 with NAT enterprise IPv6
enterprise IPv6 with NAT enterprise |
56701 | App-ID | The name of an application that App-ID identified.
The name can be up to 32 bytes. | IPv4 enterprise IPv4 with NAT enterprise IPv6
enterprise IPv6 with NAT enterprise |
56702 | User-ID | A username that User-ID identified. The
name can be up to 64 bytes. | IPv4 enterprise IPv4 with NAT enterprise IPv6
enterprise IPv6 with NAT enterprise |