To use a NetFlow collector for analyzing the
network traffic ingressing firewall interfaces, perform the following
steps to configure NetFlow record exports.
1. Create a NetFlow server profile.
   The profile defines which NetFlow collectors receive the exported records and sets the export parameters.
   a. Select Device > Server Profiles > NetFlow and Add a profile.
   b. Enter a Name to identify the profile.
   c. Specify the rate at which the firewall refreshes NetFlow templates, in Minutes (default 30) and in Packets (exported records; default 20), according to the requirements of your NetFlow collector. The firewall refreshes the templates as soon as either threshold is passed.
   d. Specify the Active Timeout, the interval in minutes at which the firewall exports records (default 5).
   e. Select PAN-OS Field Types if you want the firewall to export App-ID and User-ID fields.
   f. Add each NetFlow collector (up to two per profile) that will receive records. For each collector, specify the following:
      - Name to identify the collector.
      - NetFlow Server hostname or IP address.
      - Access Port (default 2055).
   g. Click OK to save the profile.

2. Assign the NetFlow server profile to the firewall interfaces on which the traffic you want to analyze ingresses.
   In this example, you assign the profile to an existing Ethernet interface.
   a. Select Network > Interfaces > Ethernet and click an interface name to edit it.
      You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the individual subinterfaces within the group that data flows through.
   b. Select the NetFlow server profile (NetFlow Profile) you configured and click OK.

3. (Required for PA-7000 Series and PA-5200 Series firewalls) Configure a service route for the interface that the firewall will use to send NetFlow records.
   You cannot use the management (MGT) interface to send NetFlow records from PA-7000 Series and PA-5200 Series firewalls. For other firewall models, a service route is optional. For all firewalls, the interface that sends NetFlow records does not have to be the same as the interface for which the firewall collects the records.
   a. Select Device > Setup > Services.
   b. (Firewall with multiple virtual systems) Select one of the following:
      - Global: select this option if the service route applies to all virtual systems on the firewall.
      - Virtual Systems: select this option if the service route applies to a specific virtual system. Set the Location to that virtual system.
   c. Select Service Route Configuration and Customize.
   d. Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
   e. Click Netflow in the Service column.
   f. Select the Source Interface.
      Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series or PA-5200 Series firewalls.
   g. Select a Source Address (IP address).
   h. Click OK twice to save your changes.

4. Commit your changes.

5. Monitor the firewall traffic in a NetFlow collector.
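As an added example (not from the PAN-OS documentation), this Python parser decodes a NetFlow v9 datagram the way a collector does, so you can check what arrives on the Access Port (2055 by default) after the commit: template FlowSets must show up at the configured refresh rate, because data records that reference a template the collector has not yet seen cannot be decoded. It assumes the firewall exports NetFlow version 9 and uses a constructed sample packet rather than a capture from a real firewall.

```python
import socket
import struct

HEADER_FMT = "!HHIIII"  # version, record count, sysUptime, unixSecs, sequence, sourceId
# RFC 3954 field types used by the constructed template, as (type, length) pairs: IN_BYTES=1, PROTOCOL=4, L4_SRC_PORT=7, IPV4_SRC_ADDR=8, L4_DST_PORT=11, IPV4_DST_ADDR=12
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]

def parse_v9(packet):
    # Returns (header, templates, raw flow records) for one NetFlow v9 datagram.
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram (short or wrong version)")
    _, count, uptime, secs, seq, src_id = struct.unpack(HEADER_FMT, packet[:20])
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs, "seq": seq, "source_id": src_id}
    templates, flows, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length runs past the end of the datagram")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: template id, field count, then type/length pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                  for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet: fixed-size records, then padding
            fields = templates[fs_id]
            rec_len, pos = sum(length for _, length in fields), 0
            while pos + rec_len <= len(body):
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[ftype], p = body[p:p + flen], p + flen
                flows.append(rec)
                pos += rec_len
        off += fs_len  # data for a template not seen yet is skipped until the next template refresh
    return header, templates, flows

def decode(rec):  # readable values for the fields the constructed template carries
    return {"src": socket.inet_ntoa(rec[8]), "dst": socket.inet_ntoa(rec[12]),
            "sport": int.from_bytes(rec[7], "big"), "dport": int.from_bytes(rec[11], "big"),
            "proto": rec[4][0], "bytes": int.from_bytes(rec[1], "big")}

def build_sample():  # constructed datagram, not a real firewall capture
    tmpl = struct.pack("!HH", 256, len(FIELDS)) + b"".join(struct.pack("!HH", t, l) for t, l in FIELDS)
    rec = socket.inet_aton("10.1.1.5") + socket.inet_aton("192.0.2.10") + struct.pack("!HHBI", 51000, 443, 6, 8420)
    rec += b"\x00" * 3  # pad the data FlowSet to a 4-byte boundary, as exporters do
    return (struct.pack(HEADER_FMT, 9, 2, 123456, 1700000000, 1, 7)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

To use it against live export, bind a UDP socket to the Access Port and pass each received datagram to parse_v9, keeping the returned templates across packets.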