Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Netflow is not working after upgrade to the 10.1.6-h6, is it somthing know issue in 10.1.6-h6 PAN OS version

L2 Linker

Netflow is not working after upgrading to the 10.1.6-h6, is it something know issue in the 10.1.6-h6 PAN-OS version?

Firewall- PA-3220

 

I have checked the NetFlow statics and seen that the firewall is sending the NetFlow log.

for reference, I am also attaching the TCP dump snapshot.

 

Can someone advice me pleasetcp.doc.jpeg

9 REPLIES 9

L2 Linker

Can someone please advise me on the above queries.

Cyber Elite
Cyber Elite

Hello @RoneyRajan123

 

I could not find any bug in release note that might have caused this. I had similar issue once before that was resolved by simply detaching NetFlow profile from interface, committing change and putting it back and committing again. Could you try this?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L2 Linker

Thank you for your response, Pavel.

 

I tried it but there is no hope.

In the firewall, I could able to see Netflow statistics.

It is transmitting, however it is not receiving the Qradar server.

 

Issue startedWhatsApp Image 2022-09-06 at 11.39.17 AM.jpeg after the firewall upgradation.

Cyber Elite
Cyber Elite

Hello,

Is there a way to do a pcap on the Qradar to see if its getting the packets? Perhaps something between the devices is blocking/dropping the traffic?

Regards,

L6 Presenter

In addition to what @OtakarKlier said about verifying packet. If packets are being received at Qradar it may be that the Netflow source UniqueID sent by the PaloAlto may have changed when upgrading. Netflow receivers may use the source IP and/or the UniqueID (a 32bit unique source identifier) to match incoming packets to devices. You may have to re-associate the PaloAlto object in Qradar with its UniqueID.

L2 Linker

Hi @Adrian_Jensen  @OtakarKlier Thank you so much for your advices.

 

I will check it and update you from the Qradar side after performing the TCP dump.

 

Meantime I have a question on the "Net flow Unique ID", as mentioned by the @Adrian_Jensen 

 

In our case sender is the "PA" and receiver is the "Qradar", do I need to check the Unique ID on Qradar or our PA firewall.

 

Is there is any way I can check this unique ID on PA firewall.

 

Because we only did changes on PA firewall (upgradation) after that only issue arised.

Cyber Elite
Cyber Elite

Hello,

I would just look on the Qradar and make sure the traffic is getting there. You shouldn't have to adjust the Unique ID.

Regards,

L2 Linker

Hi @OtakarKlier @Adrian_Jensen 

 

The correction was there in between the firewall and Qradar, I have verified

however the NetFlow log is not receiving at Qradar after upgradation.

 

At firewall NetFlow logs is sending.

can anyone advice me more troubleshooting step. 

L6 Presenter

You say the firewall is sending Netflow traffic. Are the Netflow packets being sent from the switch port connected to the Qradar?

 

If the packets are leaving the PaloAlto and being sent out the switch port connected to Qradar, then it seems like Qradar is not matching the incoming packets to the previous device profile. Sorry, I'm not familiar with exactly how Qradar is configured. But Netflow receivers generally have an "object" defined for the traffic source which is used to match inbound traffic to previously known devices. Can you try re-associating this object with the incoming packets?

 

The UniqueID sent by the PaloAlto is not something that can be changed. It is suppose to by a totally unique automatically created number in the Netflow source provider. That number may change it Netflow is sent from different interfaces or after major config changes - For instance, when I changed a bunch of Cisco routers to send Netflow from a management interface, instead of a routing interface, the UniqueID changed. I had to delete/recreate the source objects in Scrutinizer to match the new source IP/UniqueID pairing.

  • 2661 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!