topic Re: How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode. in General Topics https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/234054#M67087 <P>Currently, we have two PA 5220 appliance deployed in HA mode and would like to configure Netflow profile to monitor statistic. But as per the documentation we need to change the service route other than Management interface for 5200 and 7000 series appliance. So I have changed the service route with subinterface and resp IP where Netflow server is reachable as per routing table.</P><P>&nbsp;</P><P>However, my question is that only active firewall sends NetFlow statistics to Netflow server as these are in HA pair... which command help me to show the statistics and packet sends to NetFlow successfully. As per my knowledge the below command shows the statistics on the 5220 appliance.</P><P>&nbsp;</P><P>debug dataplane netflow statistics</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Oct 2018 05:42:29 GMT AR00473455 2018-10-05T05:42:29Z How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode. https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/233864#M67037 <P>How PA 5220 appliance sends NetFlow packet when configured in HA and Vsys Mode. does the firewall find egress interface by looking into routing table for Netflow packets? If it is Yes, So why we need to change service route on PA 5220 appliance,</P><P>&nbsp;</P><P>Secondly, As appliance in HA pair so it sends statistics about active firewall only ?? Also would like to know about how other PA firewall models sends NetFlow packets and what is the purpose of service route to these model as well.</P> Thu, 04 Oct 2018 10:50:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/233864#M67037 AR00473455 2018-10-04T10:50:10Z Re: How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode. https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/233945#M67061 <P>huh?</P><P>&nbsp;</P><P>I'm not really certain what you're asking and trying to have clarified.</P><P>&nbsp;</P><P>&nbsp;</P><P>It's my understanding that on the 5200 series platform the internal hardware was redesigned and changed how netflow is allowed out of the firewall.&nbsp; As such a new separate&nbsp;interface for NF has to be utilized when wanting to send NF from the firewall.&nbsp; (BTW this change actually created a critical bug in the 5200 and anything less than 8.0.8 will crash a 5200 sending NF.)</P> Thu, 04 Oct 2018 15:56:02 GMT https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/233945#M67061 Brandon_Wertz 2018-10-04T15:56:02Z Re: How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode. https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/234054#M67087 <P>Currently, we have two PA 5220 appliance deployed in HA mode and would like to configure Netflow profile to monitor statistic. But as per the documentation we need to change the service route other than Management interface for 5200 and 7000 series appliance. So I have changed the service route with subinterface and resp IP where Netflow server is reachable as per routing table.</P><P>&nbsp;</P><P>However, my question is that only active firewall sends NetFlow statistics to Netflow server as these are in HA pair... which command help me to show the statistics and packet sends to NetFlow successfully. As per my knowledge the below command shows the statistics on the 5220 appliance.</P><P>&nbsp;</P><P>debug dataplane netflow statistics</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Oct 2018 05:42:29 GMT https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/234054#M67087 AR00473455 2018-10-05T05:42:29Z Re: How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode. https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/234113#M67110 <P>Hello,</P><P>It depends on how your HA is setup, active-active or active-passive. If its active-passive, then the 'passive' firewall is not passing traffic so there is no netflow. If active-active, then the secondary PAN is passing traffic and should be sending netflow.</P><P>&nbsp;</P><P>Hope this helps.</P> Fri, 05 Oct 2018 13:38:31 GMT https://live.paloaltonetworks.com/t5/general-topics/how-pa-5220-appliance-sends-netflow-packet-when-configured-in-ha/m-p/234113#M67110 OtakarKlier 2018-10-05T13:38:31Z