NetFlow is not working after upgrading to 10.1.6-h6. Is this a known issue in the 10.1.6-h6 PAN-OS version?
I have checked the NetFlow statistics and seen that the firewall is sending the NetFlow log.
For reference, I am also attaching the TCP dump snapshot.
Can someone advise me, please?
I could not find any bug in the release notes that might have caused this. I had a similar issue once before that was resolved by simply detaching the NetFlow profile from the interface, committing the change, putting it back and committing again. Could you try this?
In addition to what @OtakarKlier said about verifying packets: if packets are being received at Qradar, it may be that the Netflow source UniqueID sent by the PaloAlto changed when upgrading. Netflow receivers may use the source IP and/or the UniqueID (a 32-bit unique source identifier) to match incoming packets to devices. You may have to re-associate the PaloAlto object in Qradar with its UniqueID.
I will check it and update you from the Qradar side after performing the TCP dump.
In the meantime, I have a question on the "NetFlow Unique ID" mentioned by @Adrian_Jensen.
In our case the sender is the "PA" and the receiver is the "Qradar". Do I need to check the Unique ID on Qradar or on our PA firewall?
Is there any way I can check this Unique ID on the PA firewall?
Because we only made changes on the PA firewall (the upgrade), and the issue arose only after that.
You say the firewall is sending Netflow traffic. Are the Netflow packets being sent from the switch port connected to the Qradar?
If the packets are leaving the PaloAlto and being sent out the switch port connected to Qradar, then it seems like Qradar is not matching the incoming packets to the previous device profile. Sorry, I'm not familiar with exactly how Qradar is configured. But Netflow receivers generally have an "object" defined for the traffic source which is used to match inbound traffic to previously known devices. Can you try re-associating this object with the incoming packets?
The UniqueID sent by the PaloAlto is not something that can be changed. It is supposed to be a totally unique, automatically created number in the Netflow source provider. That number may change if Netflow is sent from different interfaces or after major config changes. For instance, when I changed a bunch of Cisco routers to send Netflow from a management interface, instead of a routing interface, the UniqueID changed. I had to delete/recreate the source objects in Scrutinizer to match the new source IP/UniqueID pairing.
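The 32-bit source identifier discussed in this thread can be read directly from captured export packets and compared with what the collector has on record. The following is an added example, not part of the original thread or any vendor tool; it assumes the exporter sends NetFlow version 9, where the identifier is the Source ID field at the end of the 20-byte packet header, and the addresses, IDs and function names are constructed for illustration.

```python
import struct

# NetFlow v9 packet header: version, count, sysUptime, unix_secs,
# sequence number, source ID (all big-endian, 20 bytes total).
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9_source_id(payload: bytes) -> int:
    """Return the 32-bit Source ID from a NetFlow v9 UDP payload."""
    if len(payload) < V9_HEADER.size:
        raise ValueError("payload shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return source_id

def check_exporters(packets, known):
    """Compare (source IP, Source ID) pairs seen on the wire with the
    pairs registered at the collector. Returns one row per distinct pair."""
    rows, seen = [], set()
    for src_ip, payload in packets:
        try:
            source_id = parse_v9_source_id(payload)
        except ValueError:
            continue  # truncated or non-v9 datagram, nothing to compare
        if (src_ip, source_id) in seen:
            continue
        seen.add((src_ip, source_id))
        if src_ip not in known:
            status = "unknown-exporter"
        elif known[src_ip] == source_id:
            status = "match"
        else:
            status = "source-id-changed"
        rows.append((src_ip, source_id, status))
    return rows

def make_packet(source_id: int) -> bytes:
    """Build a constructed v9 header (no flowsets) for the sample data."""
    return V9_HEADER.pack(9, 0, 123456, 1700000000, 1, source_id)

# Constructed sample: pairs the collector knows, and (src_ip, UDP payload)
# tuples as they would be extracted from a capture taken at the collector.
KNOWN = {"192.0.2.10": 1001, "192.0.2.20": 7001}
SAMPLE_PACKETS = [
    ("192.0.2.10", make_packet(1001)),
    ("192.0.2.20", make_packet(7002)),   # same exporter IP, new Source ID
    ("192.0.2.30", make_packet(5)),      # exporter the collector never saw
    ("192.0.2.10", b"\x00\x09\x00"),     # truncated datagram, skipped
    ("192.0.2.10", make_packet(1001)),   # repeat of the first pair
]

if __name__ == "__main__":
    for row in check_exporters(SAMPLE_PACKETS, KNOWN):
        print(*row)
```

A "source-id-changed" row is the situation described above, where the collector's source object has to be re-associated with the new source IP/ID pairing.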