NetFlow Support for PA-7000 Series Firewalls

PA-7000 Series firewalls now have the same ability as other Palo Alto Networks firewalls to export session-based NetFlow records to a NetFlow collector. This gives you more comprehensive visibility into how users and devices are using network resources.
  1. Select Device > Server Profiles > NetFlow and Add a NetFlow server profile to define how the firewall connects to the NetFlow collector.
  2. Assign the NetFlow server profile to the firewall interfaces that convey the traffic you want to analyze.
    For example, to assign the profile to an existing Ethernet interface, select Network > Interfaces > Ethernet, edit the interface, and select the NetFlow Profile.
    You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group.
  3. Select Device > Setup > Services and define a Service Route Configuration for the interface that the firewall will use to send NetFlow records.
    You do not have to select the same interface as the one for which the firewall collects NetFlow records. You cannot select the management (MGT) interface to send NetFlow records.
  4. Commit your changes.
    You are now ready to monitor the firewall traffic in your NetFlow collector. Refer to your NetFlow collector documentation for instructions.
