NetFlow not Working with QRadar


L1 Bithead

Hello!

I'm having an issue with my NetFlow configuration on the PA5260 in HA mode.

I'm not receiving any logs on my QRadar, even though I have configured NetFlow by following https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJzCAK

The following steps have been done:

1. NetFlow profile created

2. Profile applied on a subinterface

3. Use of the ae3 interface in a service route.

4. Connectivity between the ae3 interface and the QRadar

Also, my HA peer is not synchronized, even when I try a manual config sync.

The configuration looks something like the below:

show | match netflow
set deviceconfig system route service netflow source address 10.10.10.14/29
set deviceconfig system route service netflow source interface ae3.600
set network interface tunnel units tunnel.11 netflow-profile NetFlow_SOC_Qradar
set network interface tunnel units tunnel.14 netflow-profile NetFlow_SOC_Qradar
set shared server-profile netflow NetFlow_SOC_Qradar server Qradar host 1.1.1.1/24
set shared server-profile netflow NetFlow_SOC_Qradar server Qradar port 2055
set shared server-profile netflow NetFlow_SOC_Qradar template-refresh-rate minutes 1
set shared server-profile netflow NetFlow_SOC_Qradar template-refresh-rate packets 20
set shared server-profile netflow NetFlow_SOC_Qradar active-timeout 1
set shared server-profile netflow NetFlow_SOC_Qradar export-enterprise-fields no
set shared admin-role Monitor-full-access role device webui device server-profile netflow read-only

Thanks in advance for your help.

Best Regards

Accepted Solutions

L1 Bithead

Hello,

I found the solution.

For the HA to remain synchronized, we need to set the service route manually on both platforms (active and passive) to be the same data interface (PA 52xx and PA 7xxx).

Once you complete your NetFlow configuration on the active PA and you commit, the cluster (HA) will synchronize correctly.

Thanks.
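
Added example, not part of the original thread: a Python check for whether export datagrams reach UDP 2055 and whether they carry the templates a collector must have before it can decode data records. It assumes the firewall exports NetFlow v9 (RFC 3954 layout); `parse_v9`, `missing_templates` and `SAMPLE` are names made up for this illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def parse_v9(datagram):
    """Summarise one NetFlow v9 export datagram (assumed format, RFC 3954 layout)."""
    if len(datagram) < HEADER.size or datagram[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    _ver, count, _up, _secs, sequence, _sid = HEADER.unpack_from(datagram)
    out = {"sequence": sequence, "count": count, "templates": {}, "data_flowsets": []}
    offset = HEADER.size
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            raise ValueError("malformed or truncated flowset")
        body = datagram[offset + 4:offset + length]
        if flowset_id == 0:      # template flowset: (type, length) pairs per template
            pos = 0
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if template_id < 256 or end > len(body):
                    break        # padding or damaged record
                out["templates"][template_id] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
                pos = end
        elif flowset_id > 255:   # data flowset: its ID names the template it needs
            out["data_flowsets"].append((flowset_id, len(body)))
        offset += length
    return out

def missing_templates(summary, known):
    """Template IDs that data flowsets reference but the collector has not seen."""
    return sorted({fid for fid, _ in summary["data_flowsets"]} - set(known) - set(summary["templates"]))

# Constructed sample: template 256 (src addr, dst addr, byte count) and one data record.
SAMPLE = (HEADER.pack(9, 2, 1000, 1700000000, 1, 0)
          + struct.pack("!HHHH6H", 0, 20, 256, 3, 8, 4, 12, 4, 1, 4)
          + struct.pack("!HH4s4sI", 256, 16, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), 1500))

if __name__ == "__main__":       # listener for a test host standing in for the collector
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 2055))  # UDP port from the server profile in the post
    known = set()
    while True:
        data, peer = sock.recvfrom(65535)
        info = parse_v9(data)
        known |= set(info["templates"])
        print(peer[0], info["sequence"], sorted(info["templates"]), missing_templates(info, known))
```

If nothing is printed at all, the datagrams are not arriving and the service route and path are the place to look; if data flowsets arrive but the last column stays non-empty, the collector has not yet received the matching template.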
