This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode.

AR00473455
L1 Bithead

‎10-04-2018 03:50 AM

How PA 5220 appliance sends NetFlow packet when configured in HA and Vsys Mode. does the firewall find egress interface by looking into routing table for Netflow packets? If it is Yes, So why we need to change service route on PA 5220 appliance,

 

Secondly, As appliance in HA pair so it sends statistics about active firewall only ?? Also would like to know about how other PA firewall models sends NetFlow packets and what is the purpose of service route to these model as well.

0 Likes Likes
3 REPLIES 3

Brandon_Wertz
L6 Presenter

‎10-04-2018 08:53 AM - edited ‎10-04-2018 08:56 AM

huh?

 

I'm not really certain what you're asking and trying to have clarified.

 

 

It's my understanding that on the 5200 series platform the internal hardware was redesigned and changed how netflow is allowed out of the firewall.  As such a new separate interface for NF has to be utilized when wanting to send NF from the firewall.  (BTW this change actually created a critical bug in the 5200 and anything less than 8.0.8 will crash a 5200 sending NF.)

0 Likes Likes

AR00473455
L1 Bithead
In response to Brandon_Wertz

‎10-04-2018 10:42 PM

Currently, we have two PA 5220 appliance deployed in HA mode and would like to configure Netflow profile to monitor statistic. But as per the documentation we need to change the service route other than Management interface for 5200 and 7000 series appliance. So I have changed the service route with subinterface and resp IP where Netflow server is reachable as per routing table.

 

However, my question is that only active firewall sends NetFlow statistics to Netflow server as these are in HA pair... which command help me to show the statistics and packet sends to NetFlow successfully. As per my knowledge the below command shows the statistics on the 5220 appliance.

 

debug dataplane netflow statistics

 

 

 

 

 

 

 

 

 

 

 

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to AR00473455

‎10-05-2018 06:38 AM

Hello,

It depends on how your HA is setup, active-active or active-passive. If its active-passive, then the 'passive' firewall is not passing traffic so there is no netflow. If active-active, then the secondary PAN is passing traffic and should be sending netflow.

 

Hope this helps.

0 Likes Likes
  • 2734 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks