09-05-2022 11:11 AM
NetFlow is not working after upgrading to 10.1.6-h6. Is this a known issue in the 10.1.6-h6 PAN-OS version?
Firewall: PA-3220
I have checked the NetFlow statistics and seen that the firewall is sending the NetFlow log.
For reference, I am also attaching the TCP dump snapshot.
Can someone advise me, please?
09-05-2022 08:55 PM
Can someone please advise me on the above queries.
09-05-2022 11:45 PM
Hello @RoneyRajan123
I could not find any bug in the release notes that might have caused this. I had a similar issue once before that was resolved by simply detaching the NetFlow profile from the interface, committing the change, putting it back, and committing again. Could you try this?
Kind Regards
Pavel
09-06-2022 01:41 AM
Thank you for your response, Pavel.
I tried it, but there is no hope.
On the firewall, I am able to see NetFlow statistics.
It is transmitting; however, it is not being received by the QRadar server.
The issue started after the firewall upgrade.
09-06-2022 12:14 PM
Hello,
Is there a way to do a pcap on the QRadar to see if it's getting the packets? Perhaps something between the devices is blocking/dropping the traffic?
Regards,
09-06-2022 01:45 PM
In addition to what @OtakarKlier said about verifying packets: if packets are being received at QRadar, it may be that the NetFlow source UniqueID sent by the Palo Alto changed when upgrading. NetFlow receivers may use the source IP and/or the UniqueID (a 32-bit unique source identifier) to match incoming packets to devices. You may have to re-associate the Palo Alto object in QRadar with its UniqueID.
09-06-2022 11:38 PM
Hi @Adrian_Jensen @OtakarKlier, thank you so much for your advice.
I will check it and update you from the QRadar side after performing the TCP dump.
In the meantime, I have a question about the "NetFlow Unique ID" mentioned by @Adrian_Jensen.
In our case the sender is the "PA" and the receiver is the "QRadar". Do I need to check the Unique ID on QRadar or on our PA firewall?
Is there any way I can check this Unique ID on the PA firewall?
We only made changes on the PA firewall (the upgrade), and the issue arose only after that.
09-07-2022 07:12 AM
Hello,
I would just look on the QRadar and make sure the traffic is getting there. You shouldn't have to adjust the Unique ID.
Regards,
09-07-2022 10:40 AM
Hi @OtakarKlier @Adrian_Jensen
The connection between the firewall and QRadar is there; I have verified it.
However, the NetFlow logs are not being received at QRadar after the upgrade.
The firewall is sending NetFlow logs.
Can anyone advise me on more troubleshooting steps?
09-07-2022 05:07 PM
You say the firewall is sending NetFlow traffic. Are the NetFlow packets being sent from the switch port connected to the QRadar?
If the packets are leaving the Palo Alto and being sent out the switch port connected to QRadar, then it seems like QRadar is not matching the incoming packets to the previous device profile. Sorry, I'm not familiar with exactly how QRadar is configured. But NetFlow receivers generally have an "object" defined for the traffic source which is used to match inbound traffic to previously known devices. Can you try re-associating this object with the incoming packets?
The UniqueID sent by the Palo Alto is not something that can be changed. It is supposed to be a totally unique, automatically created number in the NetFlow source provider. That number may change if NetFlow is sent from different interfaces or after major config changes. For instance, when I changed a bunch of Cisco routers to send NetFlow from a management interface, instead of a routing interface, the UniqueID changed. I had to delete/recreate the source objects in Scrutinizer to match the new source IP/UniqueID pairing.
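The source IP plus identifier matching described in the reply above can be checked from a capture taken on the collector side. This is an added example, not part of the original thread: it assumes the export is NetFlow v9 (RFC 3954), where the 32-bit identifier is the header's Source ID, and it goes slightly beyond the thread by also reading the IPFIX Observation Domain ID. The function names, IP addresses and ID values are constructed for illustration.

```python
import struct
from collections import defaultdict

# NetFlow v9 header (RFC 3954): version, count, sysUptime, unix_secs,
# sequence, source_id. The 32-bit Source ID is the thread's "UniqueID".
V9_HEADER = struct.Struct("!HHIIII")    # 20 bytes
# IPFIX header (RFC 7011): version, length, export_time, sequence,
# observation_domain_id (the IPFIX counterpart of Source ID).
IPFIX_HEADER = struct.Struct("!HHIII")  # 16 bytes

def exporter_id(payload):
    """Return (version, id) from a NetFlow v9 or IPFIX UDP payload, else None."""
    if len(payload) < 2:
        return None
    version = struct.unpack_from("!H", payload)[0]
    if version == 9 and len(payload) >= V9_HEADER.size:
        return 9, V9_HEADER.unpack_from(payload)[5]
    if version == 10 and len(payload) >= IPFIX_HEADER.size:
        return 10, IPFIX_HEADER.unpack_from(payload)[4]
    return None  # truncated datagram or another NetFlow version

def find_id_changes(known, datagrams):
    """Map exporter IP -> sorted IDs seen on the wire that differ from the
    ID the collector has on record (known: {src_ip: id})."""
    changes = defaultdict(set)
    for src_ip, payload in datagrams:
        parsed = exporter_id(payload)
        if parsed is not None and known.get(src_ip) != parsed[1]:
            changes[src_ip].add(parsed[1])
    return {ip: sorted(ids) for ip, ids in changes.items()}

def make_v9(source_id, sequence):
    """Build a constructed v9 header-only datagram for the sample below."""
    return V9_HEADER.pack(9, 0, 1000, 1662500000, sequence, source_id)

# Constructed sample: what the collector has on record, and datagrams as
# (source IP, UDP payload) pairs taken from a capture on the collector side.
KNOWN = {"192.0.2.10": 1, "192.0.2.20": 7}
SAMPLE = [
    ("192.0.2.10", make_v9(2, 1)),   # same exporter IP, new Source ID
    ("192.0.2.10", make_v9(2, 2)),
    ("192.0.2.20", make_v9(7, 5)),   # unchanged exporter
    ("192.0.2.30", b"\x00"),         # too short to parse, skipped
]

if __name__ == "__main__":
    for ip, ids in find_id_changes(KNOWN, SAMPLE).items():
        print(f"{ip}: collector expects {KNOWN.get(ip)}, capture shows {ids}")
```

An exporter IP that appears in the result is still reaching the collector but with an identifier the collector does not have on record, which is the case where the source object needs to be re-associated.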