topic Re: Netflow export into IPsec tunnel... in General Topics

Netflow export into IPsec tunnel...

megrez80 — Wed, 12 Feb 2020 21:21:33 GMT

I'm trying to get netflow to export through a vpn tunnel on my PA-VM V9.1 firewall. My route and policy into the tunnel for the target collector is working because I can ping the collector through the tunnel. So I figure I need to change the default service route for netflow, but I'm unable to specify any of the dataplane interfaces/addresses either in the UI or the CLI.

Any ideas?

Re: Netflow export into IPsec tunnel...

BPry — Wed, 12 Feb 2020 22:47:38 GMT

@megrez80,

Can you share a screenshot of what you are seeing when you attempt to modify the service route? This should be as simple as specifying the follow CLI command or doing it in the GUI, there shouldn't be anything special you need.

set deviceconfig system route service netflow source interface <value> address <value>

Re: Netflow export into IPsec tunnel...

megrez80 — Thu, 13 Feb 2020 00:23:42 GMT

Here's the result of my command:

admin@PA-VM# set deviceconfig system route service netflow source interface ethernet1/2 address 10.0.0.222

Server error : route -> service -> netflow -> source -> interface 'ethernet1/2' is not a valid reference
route -> service -> netflow -> source -> interface is invalid

the interface exists:

admin@PA-VM> show interface all

total configured hardware interfaces: 4

name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 auto/auto/up 0a:9d:bd:58:88:13
ethernet1/2 17 auto/auto/up 0a:24:dc:a2:f2:67
loopback 3 [n/a]/[n/a]/up ba:db:ee:fb:ad:03
tunnel 4 [n/a]/[n/a]/up ba:db:ee:fb:ad:04

Re: Netflow export into IPsec tunnel...

BPry — Thu, 13 Feb 2020 02:44:17 GMT

@megrez80,

If you tab autocomplete when you are entering in that command, do you actually get the interface and the address to populate correctly? The main reason I ask is that the address doesn't appear to be correct, I would expect the full cidr notation. Not sure if you sanitized it and accidentally removed the CIDR or if you are hand typing the entire command.

You can attempt to modify the XML file and load it back into the firewall and see if it validates the configuration; the following would need to go under <deviceconfig>

<route> <service> <entry name="autofocus"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="crl-status"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="deployments"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="dns"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="edl-updates"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="email"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="http"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="kerberos"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="ldap"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="mdm"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="mfa"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="netflow"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="ntp"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="paloalto-networks-services"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="panorama"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="proxy"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="radius"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="scep"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="snmp"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="syslog"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="tacplus"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="uid-agent"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="url-updates"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="vmmonitor"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> <entry name="wildfire-private"> <source> <address>10.0.0.222/32</address> <interface>ethernet1/2</interface> </source> </entry> </service>

You should have something that looks like this already within the deviceconfig section, just replace it with what is specified above and update the cidr notation to whatever you actually have configured.

Re: Netflow export into IPsec tunnel...

megrez80 — Thu, 13 Feb 2020 13:44:42 GMT

Using autocomplete does not display any of the ethernet interfaces, only the loopback interface that I created (and tried to use).

I exported the running-config.xml file and modified it for the netflow service, but I'm getting an error trying to import it back in:

scp import configuration from myuser@myhost.mydom.com:mypath
myuser@myhost.mydom.com's password:
/tmp/cli.tmp.b2CqGy: Not a directory

Re: Netflow export into IPsec tunnel...

megrez80 — Thu, 13 Feb 2020 16:03:19 GMT

An update:

I got the netflow into the tunnel using my loopback interface in the netflow service route configuration. I had initially not configured the loopback interface in a zone and using the virtual router. Once I did that, and moved my policy above all others, things started flowing.

It's still a mystery though why the ethernet interfaces don't show up in the UI or CLI when trying to configure a service route.