Configure NetFlow Exports
To use a NetFlow collector for analyzing the network traffic on firewall interfaces, perform the following steps to configure NetFlow record exports.
- Create a NetFlow server profile. The profile defines which NetFlow collectors will receive the exported records and specifies export parameters.
  - Select Device > Server Profiles > NetFlow and Add a profile.
  - Enter a Name to identify the profile.
  - Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records—default is 20), according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed.
  - Specify the Active Timeout, which is the frequency in minutes at which the firewall exports records (default is 5).
  - Select PAN-OS Field Types if you want the firewall to export App-ID and User-ID fields.
  - Add each NetFlow collector (up to two per profile) that will receive records. For each collector, specify the following:
    - Name to identify the collector.
    - NetFlow Server hostname or IP address.
    - Access Port (default 2055).
  - Click OK to save the profile.
- Assign the NetFlow server profile to the firewall interfaces that convey the traffic you want to analyze. In this example, you assign the profile to an existing Ethernet interface.
  - Select Network > Interfaces > Ethernet and click an interface name to edit it. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group.
  - Select the NetFlow server profile (NetFlow Profile) you configured and click OK.
- (Required for PA-7000 Series and PA-5200 Series firewalls) Configure a service route for the interface that the firewall will use to send NetFlow records. You cannot use the management (MGT) interface to send NetFlow records from the PA-7000 Series and PA-5200 Series firewalls. For other firewall models, a service route is optional. For all firewalls, the interface that sends NetFlow records does not have to be the same as the interface for which the firewall collects the records.
  - Select Device > Setup > Services.
  - (Firewall with multiple virtual systems) Select one of the following:
    - Global—Select this option if the service route applies to all virtual systems on the firewall.
    - Virtual Systems—Select this option if the service route applies to a specific virtual system. Set the Location to the virtual system.
  - Select Service Route Configuration and Customize.
  - Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
  - Click Netflow in the Service column.
  - Select the Source Interface. Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series or PA-5200 Series firewalls.
  - Select a Source Address (IP address).
  - Click OK twice to save your changes.
- Commit your changes.
- Monitor the firewall traffic in a NetFlow collector. Refer to your NetFlow collector documentation. When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. To troubleshoot NetFlow delivery issues, use the operational CLI command debug log-receiver netflow statistics.
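The template refresh settings above (Minutes and Packets) exist because a collector can only decode data records for which it has already received the matching template. The following Python is an added example, not PAN-OS code or part of this documentation; it assumes the NetFlow v9 packet layout (RFC 3954) and parses constructed sample packets, flagging data flowsets that arrive before their template so you can see what a collector drops until the next template refresh.

```python
import struct

NETFLOW_V9 = 9
TEMPLATE_FLOWSET = 0   # flowset id 0 carries template records; id 1 (options templates) is skipped

def parse_v9_packet(data, templates):
    """Parse one NetFlow v9 export packet, updating the collector's template cache.
    templates maps (source_id, template_id) -> [(field_type, field_len), ...].
    Returns templates learned, data records decoded, and the ids of data flowsets
    whose template has not arrived yet (undecodable, so a collector drops them)."""
    version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != NETFLOW_V9:
        raise ValueError(f"unsupported NetFlow version {version}")
    summary = {"templates": 0, "records": 0, "missing_template": []}
    offset = 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = data[offset + 4:offset + fs_len]
        if fs_id == TEMPLATE_FLOWSET:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
                summary["templates"] += 1
        elif fs_id >= 256:  # data flowset; its id is the template id
            fields = templates.get((source_id, fs_id))
            if fields is None:
                summary["missing_template"].append(fs_id)
            else:
                rec_len = sum(flen for _, flen in fields)
                summary["records"] += len(body) // rec_len  # trailing padding ignored
        offset += fs_len
    return summary

def build_packet(seq, source_id, flowsets):
    """Constructed test packet (not a firewall capture); flowsets is [(flowset_id, body_bytes)]."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(fs)) + fs for fid, fs in flowsets)
    return struct.pack("!HHIIII", NETFLOW_V9, len(flowsets), 0, 0, seq, source_id) + body

def demo():
    """Replay: data before its template (dropped), then the template, then data (decoded)."""
    cache = {}
    tmpl = build_packet(1, 1, [(TEMPLATE_FLOWSET, struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4))])
    recs = bytes([10, 0, 0, 1, 10, 0, 0, 2, 10, 0, 0, 3, 10, 0, 0, 4])  # two src/dst IPv4 records
    data = build_packet(2, 1, [(256, recs)])
    return parse_v9_packet(data, {}), parse_v9_packet(tmpl, cache), parse_v9_packet(data, cache)
```

Because exports are unauthenticated UDP datagrams, a collector should key its template cache by exporter address as well as source_id and discard anything that fails the version and length checks rather than trying to recover from it.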