How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode.

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L1 Bithead

How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode.

How PA 5220 appliance sends NetFlow packet when configured in HA and Vsys Mode. does the firewall find egress interface by looking into routing table for Netflow packets? If it is Yes, So why we need to change service route on PA 5220 appliance,

 

Secondly, As appliance in HA pair so it sends statistics about active firewall only ?? Also would like to know about how other PA firewall models sends NetFlow packets and what is the purpose of service route to these model as well.

Cyber Elite

huh?

 

I'm not really certain what you're asking and trying to have clarified.

 

 

It's my understanding that on the 5200 series platform the internal hardware was redesigned and changed how netflow is allowed out of the firewall.  As such a new separate interface for NF has to be utilized when wanting to send NF from the firewall.  (BTW this change actually created a critical bug in the 5200 and anything less than 8.0.8 will crash a 5200 sending NF.)

Highlighted
L1 Bithead

Currently, we have two PA 5220 appliance deployed in HA mode and would like to configure Netflow profile to monitor statistic. But as per the documentation we need to change the service route other than Management interface for 5200 and 7000 series appliance. So I have changed the service route with subinterface and resp IP where Netflow server is reachable as per routing table.

 

However, my question is that only active firewall sends NetFlow statistics to Netflow server as these are in HA pair... which command help me to show the statistics and packet sends to NetFlow successfully. As per my knowledge the below command shows the statistics on the 5220 appliance.

 

debug dataplane netflow statistics

 

 

 

 

 

 

 

 

 

 

 

 

Highlighted
Cyber Elite

Hello,

It depends on how your HA is setup, active-active or active-passive. If its active-passive, then the 'passive' firewall is not passing traffic so there is no netflow. If active-active, then the secondary PAN is passing traffic and should be sending netflow.

 

Hope this helps.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!