topic Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version in General Topics

Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

RoneyRajan123 — Mon, 05 Sep 2022 18:11:34 GMT

Netflow is not working after upgrading to the 10.1.6-h6, is it something know issue in the 10.1.6-h6 PAN-OS version?

Firewall- PA-3220

I have checked the NetFlow statics and seen that the firewall is sending the NetFlow log.

for reference, I am also attaching the TCP dump snapshot.

Can someone advice me please

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

RoneyRajan123 — Tue, 06 Sep 2022 03:55:26 GMT

Can someone please advise me on the above queries.

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

PavelK — Tue, 06 Sep 2022 06:45:11 GMT

Hello @RoneyRajan123

I could not find any bug in release note that might have caused this. I had similar issue once before that was resolved by simply detaching NetFlow profile from interface, committing change and putting it back and committing again. Could you try this?

Kind Regards

Pavel

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

RoneyRajan123 — Tue, 06 Sep 2022 08:41:16 GMT

Thank you for your response, Pavel.

I tried it but there is no hope.

In the firewall, I could able to see Netflow statistics.

It is transmitting, however it is not receiving the Qradar server.

Issue started after the firewall upgradation.

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

OtakarKlier — Tue, 06 Sep 2022 19:14:44 GMT

Hello,

Is there a way to do a pcap on the Qradar to see if its getting the packets? Perhaps something between the devices is blocking/dropping the traffic?

Regards,

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

Adrian_Jensen — Tue, 06 Sep 2022 20:45:08 GMT

In addition to what @OtakarKlier said about verifying packet. If packets are being received at Qradar it may be that the Netflow source UniqueID sent by the PaloAlto may have changed when upgrading. Netflow receivers may use the source IP and/or the UniqueID (a 32bit unique source identifier) to match incoming packets to devices. You may have to re-associate the PaloAlto object in Qradar with its UniqueID.

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

RoneyRajan123 — Wed, 07 Sep 2022 06:38:50 GMT

Hi @Adrian_Jensen @OtakarKlier Thank you so much for your advices.

I will check it and update you from the Qradar side after performing the TCP dump.

Meantime I have a question on the "Net flow Unique ID", as mentioned by the @Adrian_Jensen

In our case sender is the "PA" and receiver is the "Qradar", do I need to check the Unique ID on Qradar or our PA firewall.

Is there is any way I can check this unique ID on PA firewall.

Because we only did changes on PA firewall (upgradation) after that only issue arised.

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

OtakarKlier — Wed, 07 Sep 2022 14:12:20 GMT

Hello,

I would just look on the Qradar and make sure the traffic is getting there. You shouldn't have to adjust the Unique ID.

Regards,

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

RoneyRajan123 — Wed, 07 Sep 2022 17:40:54 GMT

Hi @OtakarKlier @Adrian_Jensen

The correction was there in between the firewall and Qradar, I have verified

however the NetFlow log is not receiving at Qradar after upgradation.

At firewall NetFlow logs is sending.

can anyone advice me more troubleshooting step.

Re: Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

Adrian_Jensen — Thu, 08 Sep 2022 00:07:55 GMT

You say the firewall is sending Netflow traffic. Are the Netflow packets being sent from the switch port connected to the Qradar?

If the packets are leaving the PaloAlto and being sent out the switch port connected to Qradar, then it seems like Qradar is not matching the incoming packets to the previous device profile. Sorry, I'm not familiar with exactly how Qradar is configured. But Netflow receivers generally have an "object" defined for the traffic source which is used to match inbound traffic to previously known devices. Can you try re-associating this object with the incoming packets?

The UniqueID sent by the PaloAlto is not something that can be changed. It is suppose to by a totally unique automatically created number in the Netflow source provider. That number may change it Netflow is sent from different interfaces or after major config changes - For instance, when I changed a bunch of Cisco routers to send Netflow from a management interface, instead of a routing interface, the UniqueID changed. I had to delete/recreate the source objects in Scrutinizer to match the new source IP/UniqueID pairing.