NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, set the refresh rate based on a time interval and a number of exported records according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed. A collector cannot decode data records that reference a template it has not yet received (for example, after the collector restarts or a new template is selected), so a refresh interval that is too long delays decoding until the next refresh.
The Palo Alto Networks firewall supports the following NetFlow templates:

Template                     ID
IPv4 Standard                256
IPv4 Enterprise              257
IPv6 Standard                258
IPv6 Enterprise              259
IPv4 with NAT Standard       260
IPv4 with NAT Enterprise     261
IPv6 with NAT Standard       262
IPv6 with NAT Enterprise     263
The following table lists the NetFlow fields that the firewall can send, along with the templates that define them. Each entry gives the field value (element ID) and field name, followed by the description and the templates that carry the field.

1  IN_BYTES
   Incoming counter with length N * 8 bits for the number of bytes associated with an IP flow. By default, N is 4.
   Templates: All templates

2  IN_PKTS
   Incoming counter with length N * 8 bits for the number of packets associated with an IP flow. By default, N is 4.
   Templates: All templates

4  PROTOCOL
   IP protocol byte.
   Templates: All templates

5  TOS
   Type of Service byte setting when entering the ingress interface.
   Templates: All templates

6  TCP_FLAGS
   Cumulative OR of all the TCP flags seen in this flow.
   Templates: All templates

7  L4_SRC_PORT
   TCP/UDP source port number (for example, FTP, Telnet, or equivalent).
   Templates: All templates

21  LAST_SWITCHED
   System uptime in milliseconds when the last packet of this flow was switched.
   Templates: All templates

22  FIRST_SWITCHED
   System uptime in milliseconds when the first packet of this flow was switched.
   Templates: All templates

27  IPV6_SRC_ADDR
   IPv6 source address.
   Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

28  IPV6_DST_ADDR
   IPv6 destination address.
   Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

32  ICMP_TYPE
   Internet Control Message Protocol (ICMP) packet type. This is reported as a single value: ICMP Type * 256 + ICMP code. A collector recovers the type as the value divided by 256 and the code as the remainder.
   Templates: All templates

61  DIRECTION
   Flow direction:
   0 = ingress
   1 = egress
   Templates: All templates

148  flowId
   An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowId corresponds to the session ID field in Traffic and Threat logs.
   Templates: All templates

233  firewallEvent
   Indicates a firewall event:
   0 = Ignore (invalid)—Not used.
   1 = Flow created—The NetFlow data record is for a new flow.
   2 = Flow deleted—The NetFlow data record is for the end of a flow.
   3 = Flow denied—The NetFlow data record indicates a flow that firewall policy denied.
   4 = Flow alert—Not used.
   5 = Flow update—The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile.
   Templates: All templates

225  postNATSourceIPv4Address
   The definition of this information element is identical to that of sourceIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.
   Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

226  postNATDestinationIPv4Address
   The definition of this information element is identical to that of destinationIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.
   Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

227  postNAPTSourceTransportPort
   The definition of this information element is identical to that of sourceTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.
   Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

228  postNAPTDestinationTransportPort
   The definition of this information element is identical to that of destinationTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.
   Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

281  postNATSourceIPv6Address
   The definition of this information element is identical to the definition of information element sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 (obsoleted by RFC 8200) for the definition of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
   Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

282  postNATDestinationIPv6Address
   The definition of this information element is identical to the definition of information element destinationIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 (obsoleted by RFC 8200) for the definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
   Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

346  privateEnterpriseNumber
   This is a unique private enterprise number that identifies Palo Alto Networks: 25461. NetFlow v9 field types carry no per-field enterprise scope, so the enterprise templates include this element to let a collector attribute the vendor-specific fields in the same record (56701 and 56702) to Palo Alto Networks.
   Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56701  App-ID
   The name of an application that App-ID identified. The name can be up to 32 bytes.
   Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56702  User-ID
   A username that User-ID identified. The name can be up to 64 bytes.
   Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
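As an added example that is not part of the Palo Alto Networks documentation, the following Python script implements the collector side of the two passages above: it learns a template flowset, decodes data records against it using the ICMP_TYPE and firewallEvent encodings from the table, and shows the failure mode that the template refresh interval exists to bound, namely a data flowset that arrives before its template and therefore cannot be decoded. The template layout used for ID 257 (IPv4 Enterprise) is an assumption built only from field IDs in the table; the real firewall template may carry additional fields in a different order. The packet builder and the two sample flows are constructed test data, not output captured from a firewall.

```python
import struct

# Template ID, enterprise number and field IDs are taken from the page's tables.
TEMPLATE_IPV4_ENTERPRISE = 257
PAN_PEN = 25461
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               32: "ICMP_TYPE", 61: "DIRECTION", 148: "flowId", 233: "firewallEvent",
               346: "privateEnterpriseNumber", 56701: "App-ID", 56702: "User-ID"}
FIREWALL_EVENT = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "update"}
STRING_FIELDS = {56701, 56702}
# Assumed (constructed) layout for template 257: (field type, length in bytes).
IPV4_ENTERPRISE_FIELDS = [(1, 4), (2, 4), (4, 1), (7, 2), (32, 2), (61, 1),
                          (148, 8), (233, 1), (346, 4), (56701, 32), (56702, 64)]


class NetFlowV9Decoder:
    """Collector logic: learn template flowsets, then decode data flowsets against them."""

    def __init__(self):
        # Keyed by (source_id, template_id): template IDs are unique only per observation domain.
        self.templates = {}
        self.dropped_no_template = 0  # data flowsets that arrived before their template

    def decode_packet(self, pkt: bytes) -> list:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, off = [], 20
        while off + 4 <= len(pkt):
            flowset_id, length = struct.unpack("!HH", pkt[off:off + 4])
            if length < 4:  # a zero/short length would otherwise loop forever on hostile input
                raise ValueError("malformed flowset length")
            body = pkt[off + 4:off + length]
            if flowset_id == 0:        # template flowset
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:    # data flowset (IDs 1..255 are reserved)
                records.extend(self._decode_data(source_id, flowset_id, body))
            off += length
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            fields = [struct.unpack("!HH", body[i:i + 4])
                      for i in range(off + 4, off + 4 + 4 * nfields, 4)]
            self.templates[(source_id, tid)] = fields  # a refresh overwrites the old layout
            off += 4 + 4 * nfields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> list:
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.dropped_no_template += 1  # undecodable until the next template refresh
            return []
        rec_len = sum(length for _, length in fields)
        out, off = [], 0
        while off + rec_len <= len(body):  # leftover bytes shorter than a record are padding
            rec = {"template": tid}
            for ftype, length in fields:
                raw, off = body[off:off + length], off + length
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in STRING_FIELDS:
                    rec[name] = raw.rstrip(b"\x00").decode("utf-8", "replace")
                else:
                    rec[name] = int.from_bytes(raw, "big")
            if "ICMP_TYPE" in rec:                       # page: ICMP Type * 256 + ICMP code
                rec["icmp"] = divmod(rec["ICMP_TYPE"], 256)
            if "firewallEvent" in rec:
                rec["event"] = FIREWALL_EVENT.get(rec["firewallEvent"], "unknown")
            out.append(rec)
        return out


def encode_record(values: dict) -> bytes:
    """Serialise one record in the constructed template 257 layout (test-data helper)."""
    out = b""
    for ftype, length in IPV4_ENTERPRISE_FIELDS:
        v = values[FIELD_NAMES[ftype]]
        out += v.encode().ljust(length, b"\x00") if ftype in STRING_FIELDS else v.to_bytes(length, "big")
    return out


def build_packet(records: list, include_template: bool, seq: int = 1, source_id: int = 1) -> bytes:
    """Build a NetFlow v9 export packet, optionally preceded by the template flowset."""
    flowsets = b""
    if include_template:
        tmpl = struct.pack("!HH", TEMPLATE_IPV4_ENTERPRISE, len(IPV4_ENTERPRISE_FIELDS))
        tmpl += b"".join(struct.pack("!HH", t, n) for t, n in IPV4_ENTERPRISE_FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    body = b"".join(records)
    pad = (-len(body)) % 4  # data flowsets are padded to a 4-byte boundary
    flowsets += struct.pack("!HH", TEMPLATE_IPV4_ENTERPRISE, 4 + len(body) + pad) + body + b"\x00" * pad
    count = len(records) + (1 if include_template else 0)
    return struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, source_id) + flowsets


def demo() -> dict:
    """Constructed sample: a denied TCP flow and a created ICMP echo-request flow (type 8, code 0)."""
    denied = encode_record({"IN_BYTES": 60, "IN_PKTS": 1, "PROTOCOL": 6, "L4_SRC_PORT": 51234,
                            "ICMP_TYPE": 0, "DIRECTION": 0, "flowId": 987654321, "firewallEvent": 3,
                            "privateEnterpriseNumber": PAN_PEN, "App-ID": "ssh", "User-ID": "corp\\alice"})
    ping = encode_record({"IN_BYTES": 84, "IN_PKTS": 1, "PROTOCOL": 1, "L4_SRC_PORT": 0,
                          "ICMP_TYPE": 8 * 256 + 0, "DIRECTION": 0, "flowId": 987654322, "firewallEvent": 1,
                          "privateEnterpriseNumber": PAN_PEN, "App-ID": "ping", "User-ID": ""})
    dec = NetFlowV9Decoder()
    early = dec.decode_packet(build_packet([denied], include_template=False))  # data before any template
    recs = dec.decode_packet(build_packet([denied, ping], include_template=True, seq=2))
    return {"early": early, "dropped": dec.dropped_no_template, "records": recs}
```

Running `demo()` shows the first packet yielding no records and incrementing the dropped counter, because the collector has no template 257 for that source ID yet; once the second packet carries the template flowset, both records decode, with the denied SSH flow tagged `event == "denied"` and the echo request split into `icmp == (8, 0)`. A production collector should keep that dropped counter visible: a steadily rising value usually means the firewall's refresh interval is too long for the collector's restart cycle, or that templates from a different observation domain (source ID) are being confused.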