Netflow panos 4.1.0


L3 Networker

I configured Netflow on OS 4.1.0,

for testing reasons I started with 2 interfaces...but in ManageEngine NetFlow Analyzer I get 3 interfaces!?!?

I tried to identify the interfaces but when I look at the traffic showing up then I'm pretty confused...the traffic showing up is not from an interface I configured for netflow.

Is that possible?

7 REPLIES 7

L6 Presenter

If you post your Netflow configuration screens (or the relevant sections of your configuration file) to this thread we could see if you have mis-configured anything.

But this does not sound like correct behavior.

-Benjamin

Well there isn't much I could do wrong:

That's what is coming up in ManageEngine NetFlow Analyzer 9

Another problem I noticed is that if you commit the config this happens:

tcpdump dst port 9995
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:35:13.666174 IP 10.122.13.190.41191 > stechsv122.ch.sterianet.palace-4: UDP, length 544
09:35:19.072226 IP 10.122.13.190.41191 > stechsv122.ch.sterianet.palace-4: UDP, length 1318
09:35:19.615405 IP 10.122.13.190.41191 > stechsv122.ch.sterianet.palace-4: UDP, length 1318
09:35:20.278172 IP 10.122.13.190.41191 > stechsv122.ch.sterianet.palace-4: UDP, length 1318

These 4 packets come through, then nothing more. Now you need to go to the session browser and kill the flow. Then it works like it should. My rule for the netflow is just an app rule with netflow.

Just to make it clear...I only configured one interface not 3! But NetFlow9 shows me 3 Interfaces.

I get same - one int tagged for netflow, but 5 or 6 ints show up in ManageEngine Netflow - we're running 4.1.1, and same issue on several PAs (2020, 2050).

We are using scrutinizer and can happily inform you that every interface pops up correctly showing the exact interface name.

We were amazed by the amount of info available. @PAN: GOOD WORK!!!!!!!

Now from a different perspective I would like to know at what data rate the PA is capable of generating flow info. Is there any info on this?

Cheers

Bas

I noticed in your screen capture that your ManageEngine application is showing the IP for the PA.  Did you override that, or is that what appeared automatically?

When I added our PA to Manageengine, it pulled a different name for our PA.

I have the same thing on a PA-5050.  I added the Netflow profile to one interface, and four showed up in Manageengine.

Were you able to get Manageengine to show the correct interface name?  Ours looks like yours as well with the strange interface names.  I also can't get ours to pull the host name.
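One way to check what the firewall itself exports, independent of what the collector displays, is to decode the export packets and list the interface indexes they carry. The following is an added example, not part of the thread or of any vendor tool; it assumes the export is NetFlow v9 (RFC 3954), and the function names and the sample packet are constructed for illustration.

```python
import struct

DIRECTION = {10: "input", 14: "output"}   # v9 field types INPUT_SNMP / OUTPUT_SNMP

def exported_interfaces(packets):          # packets: iterable of raw UDP payloads
    templates = {}                         # (source_id, template_id) -> [(type, length)]
    seen = {"input": set(), "output": set()}
    for pkt in packets:
        if len(pkt) < 20 or struct.unpack("!H", pkt[:2])[0] != 9:
            continue                       # not a NetFlow v9 export packet
        source_id = struct.unpack("!I", pkt[16:20])[0]
        off = 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4 or off + fs_len > len(pkt):
                break                      # truncated or malformed flowset
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:                 # template flowset
                read_templates(body, source_id, templates)
            elif fs_id >= 256 and (source_id, fs_id) in templates:
                read_records(body, templates[(source_id, fs_id)], seen)
            off += fs_len
    return seen

def read_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
        end = pos + 4 + 4 * nfields
        if tid < 256 or end > len(body):
            break                          # padding or truncated template
        templates[(source_id, tid)] = [struct.unpack("!HH", body[i:i + 4])
                                       for i in range(pos + 4, end, 4)]
        pos = end

def read_records(body, fields, seen):
    rec_len = sum(length for _, length in fields)
    for start in range(0, len(body) - rec_len + 1, max(rec_len, 1)):
        pos = start
        for ftype, length in fields:
            if ftype in DIRECTION:
                seen[DIRECTION[ftype]].add(int.from_bytes(body[pos:pos + length], "big"))
            pos += length

def sample_packet():                       # constructed test input, not captured traffic
    header = struct.pack("!HHIIII", 9, 3, 0, 0, 1, 0)
    # template 256: IPV4_SRC_ADDR (8, 4 bytes), INPUT_SNMP (10, 2), OUTPUT_SNMP (14, 2)
    template = struct.pack("!10H", 0, 20, 256, 3, 8, 4, 10, 2, 14, 2)
    flows = struct.pack("!HH4sHH4sHH", 256, 20, b"\x0a\x00\x00\x01", 1, 2, b"\x0a\x00\x00\x02", 1, 3)
    return header + template + flows
```

Feed it full UDP payloads: the tcpdump run quoted in the thread used a 96-byte capture size, which cuts the 1318-byte export packets short, so capture with `-s 0` before decoding.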
