How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How PA 5220 appliance sends netflow packet when configured in HA and Vsys Mode.

L1 Bithead

How PA 5220 appliance sends NetFlow packet when configured in HA and Vsys Mode. does the firewall find egress interface by looking into routing table for Netflow packets? If it is Yes, So why we need to change service route on PA 5220 appliance,

 

Secondly, As appliance in HA pair so it sends statistics about active firewall only ?? Also would like to know about how other PA firewall models sends NetFlow packets and what is the purpose of service route to these model as well.

3 REPLIES 3

L6 Presenter

huh?

 

I'm not really certain what you're asking and trying to have clarified.

 

 

It's my understanding that on the 5200 series platform the internal hardware was redesigned and changed how netflow is allowed out of the firewall.  As such a new separate interface for NF has to be utilized when wanting to send NF from the firewall.  (BTW this change actually created a critical bug in the 5200 and anything less than 8.0.8 will crash a 5200 sending NF.)

Currently, we have two PA 5220 appliance deployed in HA mode and would like to configure Netflow profile to monitor statistic. But as per the documentation we need to change the service route other than Management interface for 5200 and 7000 series appliance. So I have changed the service route with subinterface and resp IP where Netflow server is reachable as per routing table.

 

However, my question is that only active firewall sends NetFlow statistics to Netflow server as these are in HA pair... which command help me to show the statistics and packet sends to NetFlow successfully. As per my knowledge the below command shows the statistics on the 5220 appliance.

 

debug dataplane netflow statistics

 

 

 

 

 

 

 

 

 

 

 

 

Hello,

It depends on how your HA is setup, active-active or active-passive. If its active-passive, then the 'passive' firewall is not passing traffic so there is no netflow. If active-active, then the secondary PAN is passing traffic and should be sending netflow.

 

Hope this helps.

  • 2764 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!