- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-12-2020 01:21 PM
I'm trying to get netflow to export through a vpn tunnel on my PA-VM V9.1 firewall. My route and policy into the tunnel for the target collector is working because I can ping the collector through the tunnel. So I figure I need to change the default service route for netflow, but I'm unable to specify any of the dataplane interfaces/addresses either in the UI or the CLI.
Any ideas?
02-12-2020 02:47 PM
Can you share a screenshot of what you are seeing when you attempt to modify the service route? This should be as simple as specifying the follow CLI command or doing it in the GUI, there shouldn't be anything special you need.
set deviceconfig system route service netflow source interface <value> address <value>
02-12-2020 04:23 PM
Here's the result of my command:
admin@PA-VM# set deviceconfig system route service netflow source interface ethernet1/2 address 10.0.0.222
Server error : route -> service -> netflow -> source -> interface 'ethernet1/2' is not a valid reference
route -> service -> netflow -> source -> interface is invalid
the interface exists:
admin@PA-VM> show interface all
total configured hardware interfaces: 4
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 auto/auto/up 0a:9d:bd:58:88:13
ethernet1/2 17 auto/auto/up 0a:24:dc:a2:f2:67
loopback 3 [n/a]/[n/a]/up ba:db:ee:fb:ad:03
tunnel 4 [n/a]/[n/a]/up ba:db:ee:fb:ad:04
02-12-2020 06:44 PM
If you tab autocomplete when you are entering in that command, do you actually get the interface and the address to populate correctly? The main reason I ask is that the address doesn't appear to be correct, I would expect the full cidr notation. Not sure if you sanitized it and accidentally removed the CIDR or if you are hand typing the entire command.
You can attempt to modify the XML file and load it back into the firewall and see if it validates the configuration; the following would need to go under <deviceconfig>
<route>
<service>
<entry name="autofocus">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="crl-status">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="deployments">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="dns">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="edl-updates">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="email">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="http">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="kerberos">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="ldap">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="mdm">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="mfa">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="netflow">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="ntp">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="paloalto-networks-services">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="panorama">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="proxy">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="radius">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="scep">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="snmp">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="syslog">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="tacplus">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="uid-agent">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="url-updates">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="vmmonitor">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
<entry name="wildfire-private">
<source>
<address>10.0.0.222/32</address>
<interface>ethernet1/2</interface>
</source>
</entry>
</service>
You should have something that looks like this already within the deviceconfig section, just replace it with what is specified above and update the cidr notation to whatever you actually have configured.
<route>
<service/>
</route>
02-13-2020 05:44 AM
Using autocomplete does not display any of the ethernet interfaces, only the loopback interface that I created (and tried to use).
I exported the running-config.xml file and modified it for the netflow service, but I'm getting an error trying to import it back in:
scp import configuration from myuser@myhost.mydom.com:mypath
myuser@myhost.mydom.com's password:
/tmp/cli.tmp.b2CqGy: Not a directory
02-13-2020 08:03 AM
An update:
I got the netflow into the tunnel using my loopback interface in the netflow service route configuration. I had initially not configured the loopback interface in a zone and using the virtual router. Once I did that, and moved my policy above all others, things started flowing.
It's still a mystery though why the ethernet interfaces don't show up in the UI or CLI when trying to configure a service route.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!