Configure NetFlow Exports
To use a NetFlow collector for analyzing the network traffic ingressing firewall interfaces, perform the following steps to configure NetFlow record exports.
  1. Create a NetFlow server profile.
    The profile defines which NetFlow collectors will receive the exported records and specifies export parameters.
    1. Select Device > Server Profiles > NetFlow and Add a profile.
    2. Enter a Name to identify the profile.
    3. Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records; default is 20), according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed.
    4. Specify the Active Timeout, which is the frequency in minutes at which the firewall exports records (default is 5).
    5. Select PAN-OS Field Types if you want the firewall to export App-ID and User-ID fields.
    6. Add each NetFlow collector (up to two per profile) that will receive records. For each collector, specify the following:
      • Name to identify the collector.
      • NetFlow Server hostname or IP address.
      • Access Port (default 2055).
    7. Click OK to save the profile.
  2. Assign the NetFlow server profile to the firewall interfaces where the traffic you want to analyze is ingressing.
    In this example, you assign the profile to an existing Ethernet interface.
    1. Select Network > Interfaces > Ethernet and click an interface name to edit it.
      You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the individual sub-interfaces that data flows through within the group.
    2. Select the NetFlow server profile (NetFlow Profile) you configured and click OK.
  3. (Required for PA-7000 Series, PA-5400 Series, and PA-5200 Series firewalls) Configure a service route for the interface that the firewall will use to send NetFlow records.
    You cannot use the management (MGT) interface to send NetFlow records from the PA-7000 Series, PA-5400 Series, and PA-5200 Series firewalls. For other firewall models, a service route is optional. For all firewalls, the interface that sends NetFlow records does not have to be the same as the interface for which the firewall collects the records.
    1. Select Device > Setup > Services.
    2. (Firewall with multiple virtual systems) Select one of the following:
      • Global: Select this option if the service route applies to all virtual systems on the firewall.
      • Virtual Systems: Select this option if the service route applies to a specific virtual system. Set the Location to the virtual system.
    3. Select Service Route Configuration and Customize.
    4. Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
    5. Click Netflow in the Service column.
    6. Select the Source Interface.
      Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series, PA-5400 Series, or PA-5200 Series firewalls.
    7. Select a Source Address (IP address).
    8. Click OK twice to save your changes.
  4. Commit your changes.
  5. Monitor the firewall traffic in a NetFlow collector.
    Refer to your NetFlow collector documentation.
    When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
    To troubleshoot NetFlow delivery issues, use the operational CLI command debug log-receiver netflow statistics.
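The following is an added illustration, not part of the PAN-OS documentation, of why the template refresh rate in step 1 and the interface-index mapping in step 5 matter on the collector side: a NetFlow v9 collector can only decode a data flowset once it has received the template that describes it, so records exported before the template arrives (or after a collector restart, until the next refresh) are undecodable, and the INPUT_SNMP value it decodes is the interface index that must be mapped to a firewall interface name. The packet bytes are constructed here using standard RFC 3954 field types; nothing below is a real firewall capture.

```python
import struct

# Standard NetFlow v9 field types (RFC 3954) used by the constructed template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 10: "input_snmp", 11: "dst_port", 12: "dst_addr"}

def decode_field(ftype, raw):
    return ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    # `templates` (template_id -> [(type, length)]) persists across packets; a data
    # flowset whose template has not arrived yet cannot be decoded and is counted as skipped.
    if packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 export packet")
    records, skipped, off = [], 0, 20           # 20-byte export packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                          # template flowset: (type, length) pairs
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4*i:p + 8 + 4*i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256:                      # data flowset, keyed by template ID
            fields = templates.get(fs_id)
            if fields is None:
                skipped += 1
            else:
                rec_len = sum(flen for _, flen in fields)
                while p + rec_len <= len(body):  # trailing bytes are 32-bit padding
                    rec, q = {}, p
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[q:q + flen])
                        q += flen
                    records.append(rec)
                    p += rec_len
        off += fs_len
    return records, skipped

# Constructed sample export (not a real firewall capture): header, template 256, one flow record.
def header(count):
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, 1, 0)
def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body
def data_flowset(tid, payload):
    pad = -len(payload) % 4                     # flowsets are padded to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(payload) + pad) + payload + b"\0" * pad
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (1, 4), (2, 4)]
FLOW = bytes([10, 1, 1, 5, 192, 0, 2, 10]) + struct.pack("!HHBHII", 51515, 443, 6, 3, 8400, 12)
```

Feeding `header(1) + data_flowset(256, FLOW)` to `parse_v9` with an empty template cache yields no records and one skipped flowset; sending `template_flowset(256, FIELDS)` first makes the same record decodable, with `input_snmp` giving the ingress interface index to map to a firewall interface name.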