Netflow export into IPsec tunnel...

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Netflow export into IPsec tunnel...

L2 Linker

I'm trying to get netflow to export through a vpn tunnel on my PA-VM V9.1 firewall. My route and policy into the tunnel for the target collector is working because I can ping the collector through the tunnel. So I figure I need to change the default service route for netflow, but I'm unable to specify any of the dataplane interfaces/addresses either in the UI or the CLI.

 

Any ideas?

5 REPLIES 5

Cyber Elite
Cyber Elite

@megrez80,

Can you share a screenshot of what you are seeing when you attempt to modify the service route? This should be as simple as specifying the follow CLI command or doing it in the GUI, there shouldn't be anything special you need.

set deviceconfig system route service netflow source interface <value> address <value>

 

Here's the result of my command:

 

admin@PA-VM# set deviceconfig system route service netflow source interface ethernet1/2 address 10.0.0.222

Server error : route -> service -> netflow -> source -> interface 'ethernet1/2' is not a valid reference
route -> service -> netflow -> source -> interface is invalid

the interface exists:

 

admin@PA-VM> show interface all

total configured hardware interfaces: 4

name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 auto/auto/up 0a:9d:bd:58:88:13
ethernet1/2 17 auto/auto/up 0a:24:dc:a2:f2:67
loopback 3 [n/a]/[n/a]/up ba:db:ee:fb:ad:03
tunnel 4 [n/a]/[n/a]/up ba:db:ee:fb:ad:04

 

 

@megrez80,

If you tab autocomplete when you are entering in that command, do you actually get the interface and the address to populate correctly? The main reason I ask is that the address doesn't appear to be correct, I would expect the full cidr notation. Not sure if you sanitized it and accidentally removed the CIDR or if you are hand typing the entire command.

 

You can attempt to modify the XML file and load it back into the firewall and see if it validates the configuration; the following would need to go under <deviceconfig>

 

          <route>
            <service>
              <entry name="autofocus">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="crl-status">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="deployments">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="dns">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="edl-updates">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="email">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="http">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="kerberos">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="ldap">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="mdm">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="mfa">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="netflow">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="ntp">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="paloalto-networks-services">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="panorama">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="proxy">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="radius">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="scep">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="snmp">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="syslog">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="tacplus">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="uid-agent">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="url-updates">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="vmmonitor">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
              <entry name="wildfire-private">
                <source>
                  <address>10.0.0.222/32</address>
                  <interface>ethernet1/2</interface>
                </source>
              </entry>
            </service>

 

You should have something that looks like this already within the deviceconfig section, just replace it with what is specified above and update the cidr notation to whatever you actually have configured. 

          <route>
            <service/>
	  </route>

 

Using autocomplete does not display any of the ethernet interfaces, only the loopback interface that I created (and tried to use).

 

I exported the running-config.xml file and modified it for the netflow service, but I'm getting an error trying to import it back in:

 

scp import configuration from myuser@myhost.mydom.com:mypath
myuser@myhost.mydom.com's password:
/tmp/cli.tmp.b2CqGy: Not a directory

 

An update:

 

I got the netflow into the tunnel using my loopback interface in the netflow service route configuration. I had initially not configured the loopback interface in a zone and using the virtual router. Once I did that, and moved my policy above all others, things started flowing.

 

It's still a mystery though why the ethernet interfaces don't show up in the UI or CLI when trying to configure a service route.

  • 4419 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!