NetFlow Templates

NetFlow collectors use templates to decode the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. A collector can only decode data records for which it already holds the template, so records that arrive before the template (for example, after a collector restart) are typically dropped until the next refresh. When you Configure NetFlow Exports, set the refresh rate as both a time interval and a number of exported records, according to the requirements of your NetFlow collector. The firewall refreshes the templates as soon as either threshold is reached.
The Palo Alto Networks firewall supports the following NetFlow templates:

  ID    Template
  256   IPv4 Standard
  257   IPv4 Enterprise
  258   IPv6 Standard
  259   IPv6 Enterprise
  260   IPv4 with NAT Standard
  261   IPv4 with NAT Enterprise
  262   IPv6 with NAT Standard
  263   IPv6 with NAT Enterprise
The following table lists the NetFlow fields that the firewall can send, along with the templates that define them. Each entry gives the field value (the type number that appears in the template), the field name, the templates that include the field, and a description.

  1   IN_BYTES   (All templates)
      Incoming counter with length N * 8 bits for the number of bytes associated with an IP flow. By default, N is 4.

  2   IN_PKTS   (All templates)
      Incoming counter with length N * 8 bits for the number of packets associated with an IP flow. By default, N is 4.

  4   PROTOCOL   (All templates)
      IP protocol byte.

  5   TOS   (All templates)
      Type of Service byte setting when entering the ingress interface.

  6   TCP_FLAGS   (All templates)
      Cumulative OR of all the TCP flags seen in this flow.

  7   L4_SRC_PORT   (All templates)
      TCP/UDP source port number (for example, FTP, Telnet, or equivalent).

  8   IPV4_SRC_ADDR   (IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise)
      IPv4 source address.

  10  INPUT_SNMP   (All templates)
      Input interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

  11  L4_DST_PORT   (All templates)
      TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).

  12  IPV4_DST_ADDR   (IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise)
      IPv4 destination address.

  14  OUTPUT_SNMP   (All templates)
      Output interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

  21  LAST_SWITCHED   (All templates)
      System uptime in milliseconds when the last packet of this flow was switched.

  22  FIRST_SWITCHED   (All templates)
      System uptime in milliseconds when the first packet of this flow was switched.

  27  IPV6_SRC_ADDR   (IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise)
      IPv6 source address.

  28  IPV6_DST_ADDR   (IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise)
      IPv6 destination address.

  32  ICMP_TYPE   (All templates)
      Internet Control Message Protocol (ICMP) packet type and code, reported in a single value as:
      ICMP Type * 256 + ICMP code

  61  DIRECTION   (All templates)
      Flow direction:
        • 0 = ingress
        • 1 = egress

  148 flowId   (All templates)
      An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowId corresponds to the session ID field in Traffic and Threat logs.

  225 postNATSourceIPv4Address   (IPv4 with NAT standard, IPv4 with NAT enterprise)
      The definition of this information element is identical to that of sourceIPv4Address, except that it reports the modified value that the firewall produced during network address translation after the packet traversed the interface.

  226 postNATDestinationIPv4Address   (IPv4 with NAT standard, IPv4 with NAT enterprise)
      The definition of this information element is identical to that of destinationIPv4Address, except that it reports the modified value that the firewall produced during network address translation after the packet traversed the interface.

  227 postNAPTSourceTransportPort   (IPv4 with NAT standard, IPv4 with NAT enterprise)
      The definition of this information element is identical to that of sourceTransportPort, except that it reports the modified value that the firewall produced during network address port translation after the packet traversed the interface.

  228 postNAPTDestinationTransportPort   (IPv4 with NAT standard, IPv4 with NAT enterprise)
      The definition of this information element is identical to that of destinationTransportPort, except that it reports the modified value that the firewall produced during network address port translation after the packet traversed the interface.

  233 firewallEvent   (All templates)
      Indicates a firewall event:
        • 0 = Ignore (invalid)—Not used.
        • 1 = Flow created—The NetFlow data record is for a new flow.
        • 2 = Flow deleted—The NetFlow data record is for the end of a flow.
        • 3 = Flow denied—The NetFlow data record indicates a flow that firewall policy denied.
        • 4 = Flow alert—Not used.
        • 5 = Flow update—The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile.

  281 postNATSourceIPv6Address   (IPv6 with NAT standard, IPv6 with NAT enterprise)
      The definition of this information element is identical to that of sourceIPv6Address, except that it reports the modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 (obsoleted by RFC 8200) for the definition of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.

  282 postNATDestinationIPv6Address   (IPv6 with NAT standard, IPv6 with NAT enterprise)
      The definition of this information element is identical to that of destinationIPv6Address, except that it reports the modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 (obsoleted by RFC 8200) for the definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification.

  346 privateEnterpriseNumber   (IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise)
      The IANA-assigned private enterprise number that identifies Palo Alto Networks: 25461.

  56701 App-ID   (IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise)
      The name of an application that App-ID identified. The name can be up to 32 bytes.

  56702 User-ID   (IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise)
      A username that User-ID identified. The name can be up to 64 bytes.
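The following Python decoder is an added example, not code from this page or from PAN-OS, showing what a collector does with the templates and fields above: it caches each template it receives per exporter and template ID, replaces the cached definition when a refreshed template arrives, decodes data records against it, and counts data flowsets that cannot be decoded because their template has not arrived yet. The sample packets are constructed inline following the NetFlow v9 layout in RFC 3954 (an IPv4 Enterprise template, ID 257, carrying a subset of the fields in the table); the field numbers, the 32-byte App-ID and 64-byte User-ID widths, and the PEN value 25461 are taken from the table, while the field order, the remaining field lengths, and the flow values are assumptions made for the example.

```python
import ipaddress
import struct

# Field values and names from the table above (example code, not PAN-OS code).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
    32: "ICMP_TYPE", 61: "DIRECTION", 148: "flowId",
    225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
    227: "postNAPTSourceTransportPort", 228: "postNAPTDestinationTransportPort",
    233: "firewallEvent", 281: "postNATSourceIPv6Address",
    282: "postNATDestinationIPv6Address", 346: "privateEnterpriseNumber",
    56701: "App-ID", 56702: "User-ID",
}
FIREWALL_EVENTS = {0: "ignore", 1: "flow created", 2: "flow deleted",
                   3: "flow denied", 4: "flow alert", 5: "flow update"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, seq, source_id


def decode_field(ftype, raw):
    """Turn one raw field into a (name, value) pair using the table's semantics."""
    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
    if ftype in (8, 12, 225, 226):
        return name, str(ipaddress.IPv4Address(raw))
    if ftype in (27, 28, 281, 282):
        return name, str(ipaddress.IPv6Address(raw))
    if ftype in (56701, 56702):  # fixed-width names; NUL padding is an assumption
        return name, raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    value = int.from_bytes(raw, "big")
    if ftype == 32:  # ICMP_TYPE is reported as ICMP Type * 256 + ICMP code
        return name, (value >> 8, value & 0xFF)
    if ftype == 233:
        return name, FIREWALL_EVENTS.get(value, f"unknown({value})")
    return name, value


class Collector:
    """Minimal NetFlow v9 decoder: caches templates per exporter, decodes data."""

    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length), ...]
        self.undecodable = 0  # data flowsets seen before their template arrived

    def feed(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records, off = [], HEADER.size
        while off + 4 <= len(packet):
            fsid, fslen = struct.unpack_from("!HH", packet, off)
            if fslen < 4 or off + fslen > len(packet):
                raise ValueError("malformed flowset length")
            body = packet[off + 4:off + fslen]
            if fsid == 0:
                self._learn_templates(source_id, body)
            elif fsid >= 256:  # data flowset; IDs 1..255 (options, reserved) skipped
                records.extend(self._decode_data(source_id, fsid, body))
            off += fslen
        return records

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("truncated template record")
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            # A refreshed template with the same ID replaces the cached one; this is
            # how a changed field layout takes effect at the collector.
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1  # nothing to do until the template refresh arrives
            return []
        reclen = sum(length for _, length in fields)
        records, off = [], 0
        while off + reclen <= len(body):  # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, length in fields:
                name, value = decode_field(ftype, body[off:off + length])
                rec[name] = value
                off += length
            records.append(rec)
        return records


# Constructed sample: template 257 (IPv4 Enterprise) and one flow record.
IPV4_ENTERPRISE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4),
                   (148, 4), (233, 1), (346, 4), (56701, 32), (56702, 64)]


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid, raw_fields):
    body = b"".join(raw_fields)
    body += b"\0" * (-len(body) % 4)  # pad the flowset to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body


def packet(flowsets, source_id=1, seq=1):
    return HEADER.pack(9, len(flowsets), 123456, 1700000000, seq, source_id) + b"".join(flowsets)


SAMPLE_TEMPLATE = template_flowset(257, IPV4_ENTERPRISE)
SAMPLE_RECORD = data_flowset(257, [
    ipaddress.IPv4Address("10.1.2.3").packed, ipaddress.IPv4Address("192.0.2.10").packed,
    (51234).to_bytes(2, "big"), (443).to_bytes(2, "big"), b"\x06",
    (1500).to_bytes(4, "big"), (12).to_bytes(4, "big"), (98765).to_bytes(4, "big"),
    b"\x01", (25461).to_bytes(4, "big"),
    b"ssl".ljust(32, b"\0"), b"acme\\alice".ljust(64, b"\0"),
])


def demo():
    """A record before its template is undecodable; after the template refresh it decodes."""
    c = Collector()
    first = c.feed(packet([SAMPLE_RECORD], seq=1))
    later = c.feed(packet([SAMPLE_TEMPLATE, SAMPLE_RECORD], seq=2))
    return first, later, c.undecodable


if __name__ == "__main__":
    print(demo())
```

The first packet in `demo()` yields no records because the collector has not seen template 257 yet, which is the situation a short template refresh interval is meant to keep brief; the second packet carries the template and the same record and decodes fully, including the App-ID and User-ID names and the firewallEvent code mapped to "flow created".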