https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/163944#M53005 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/67727">@evanskie</a>,</P><P>I&nbsp;<EM>think</EM> this would likely make more sense if it just called 'flow' what it trully is refering to, a session. I could be wrong on that though.&nbsp;</P><P>If I'm right that would make it essentially be&nbsp;</P><P>1 = Flow created</P><P>2 = Flow deleted</P><P>3 = Flow denied</P><P>4 = Flow alert</P><P>5 = Flow update</P><P>Would actually mean</P><P>1) Session Created</P><P>2) Session Deleted. &nbsp; &nbsp;</P><P>3) Session Denied.</P><P>4) &nbsp;? If I would have to guess I would say this triggers if a DoS profile is tripped, I would have to test this out to be sure though. &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P><P>5) Session switched from Active to Drop due to something like an applicaiton change.&nbsp;</P><P>&nbsp;</P><P>The document is included in all of the 7.1 administration guides and I would assume 8.0 as well, but no further description was provided in the 7.0 and 7.1 administration guides when I looked.&nbsp;</P> Thu, 29 Jun 2017 22:41:22 GMT BPry 2017-06-29T22:41:22Z https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/163926#M53003 <P>Hi,</P><P>what does the content of the firewallEvent field mean? Is there a better documentation than this document?</P><P>-&gt; <A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/netflow-templates" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/netflow-templates</A></P><P>&nbsp;</P><P>Especially what is the difference between "Flow created" and "Flow deleted"?</P><P>Is "Flow created" a flow with a duration shorter than a defined timeout and "Flow deleted" a very short-lived flow?</P><P>&nbsp;</P><P>"Flow updated" seems to be a long lasting flow exported in separate parts, but the document states:</P><P>"the session state changed from active to deny". I am unsure about that.</P><P>&nbsp;</P><P>When would "Flow alerted" be generated? It never pops up in my collector software.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Jun 2017 22:05:26 GMT https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/163926#M53003 evanskie 2017-06-29T22:05:26Z https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/163944#M53005 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/67727">@evanskie</a>,</P><P>I&nbsp;<EM>think</EM> this would likely make more sense if it just called 'flow' what it trully is refering to, a session. I could be wrong on that though.&nbsp;</P><P>If I'm right that would make it essentially be&nbsp;</P><P>1 = Flow created</P><P>2 = Flow deleted</P><P>3 = Flow denied</P><P>4 = Flow alert</P><P>5 = Flow update</P><P>Would actually mean</P><P>1) Session Created</P><P>2) Session Deleted. &nbsp; &nbsp;</P><P>3) Session Denied.</P><P>4) &nbsp;? If I would have to guess I would say this triggers if a DoS profile is tripped, I would have to test this out to be sure though. &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P><P>5) Session switched from Active to Drop due to something like an applicaiton change.&nbsp;</P><P>&nbsp;</P><P>The document is included in all of the 7.1 administration guides and I would assume 8.0 as well, but no further description was provided in the 7.0 and 7.1 administration guides when I looked.&nbsp;</P> Thu, 29 Jun 2017 22:41:22 GMT https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/163944#M53005 BPry 2017-06-29T22:41:22Z https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/164011#M53016 <P>Thanks for your reply.</P><P>&nbsp;</P><P>From my understanding a unique flow is determined by the tuple SRC-Ip/SRC-Port and DST-Ip/DST-Port.</P><P>&nbsp;</P><P>I analyzed the flow data in my environment (ELK-Stack) and there are only entries of unique flows which are tagged either with "Flow create" or "Flow deleted". So there must be an other explanation for that.</P><P>&nbsp;</P><P>For "Flow update" I can see multiple entries for the same flow exported about every 15 minutes (long lasting SSH-Connections).</P><P>&nbsp;</P><P>"Flow denied" is clear: this flow was dropped by the firewall.</P><P>&nbsp;</P><P>Someone else some ideas?</P> Fri, 30 Jun 2017 07:59:41 GMT https://live.paloaltonetworks.com/t5/general-topics/netflow-firewallevent/m-p/164011#M53016 evanskie 2017-06-30T07:59:41Z