topic Re: PA-5220 and Netflow in General Topics

PA-5220 and Netflow

RenoRLaskey — Thu, 15 Mar 2018 21:48:49 GMT

I have a PA-5220 and I am trying to configure a Netflow export out to my solarwinds server which is located at a remote site across a VPN tunnel.

I am aware that I cannot use the MGMT interface to export netwflow with this particular device, but I am not all that thrilled about using any of the other interfaces, nor do I want to create a whole new subnet just for this...

I currently setup another interface within the mgmt vlan that the MGMT ports also sit, but interestingly the Palo is complaining about duplicate IP conflict. That being said it functionally seems to be working out.

But due to the error messages this doesn't seem like the way to go. Just curious what the rest of you might be doing, maybe there is a more obvious solution to this I haven't picked up on... or maybe I can just kill the error messages.

Re: PA-5220 and Netflow

mlinsemier — Fri, 16 Mar 2018 14:33:20 GMT

In our case we are exporting Netflow on one of our internal layer 3 routed interfaces. We had to adjust the internal service route to accomidate this but it seems to work without issue. We do of course have the extra burden of netflow traffic on that internal interface, but its not an issue in our case as we have a 20G trunk.

- Matt

Re: PA-5220 and Netflow

OtakarKlier — Fri, 16 Mar 2018 16:24:25 GMT

Hello @RenoRLaskey,

Why cannot you use the management interface for your netflow export? We are and it works as expected. Check your 'Service Routes' config and it should tell you which interface is being used.

Regards,

Re: PA-5220 and Netflow

mlinsemier — Fri, 16 Mar 2018 16:33:39 GMT

@OtakarKlier

The management interface is not supported for Netflow export (even though its in the list) on the new PAN-5220 hardware. It has something to do with the way the traffic is processed by the dataplane in the new hardware that Netflow traffic is not sent to the management plane. It took a case with Palo Alto to determine this and the fix (as its not or wasn't documented at the time). On our new PAN-220 models, you can still export Netflow via the management interface like normal. I'm not sure about the newer PAN-800 and PAN-32xx models.

On the plus side, because Netflow is now processed differently, you can get exports from subinterfaces now as well, which apparently wasn't supported before (and the support engineer kept insiting that it still wasn't supported even though I was showing him flows in LiveNX).

Re: PA-5220 and Netflow

OtakarKlier — Fri, 16 Mar 2018 16:34:25 GMT

Thanks for the education @mlinsemier, I dont have any of that fancy new hardware :).

Re: PA-5220 and Netflow

mlinsemier — Fri, 16 Mar 2018 16:37:37 GMT

@OtakarKlier

Funny thing about this (and I would suggest reaching out to your account manager), it was less expensive for us to upgrade our PAN-5060 to PAN-5220 including subscriptions than it was to just renew the subscriptions on the older PAN-5060s. Food for thought.