06-29-2023 01:02 AM
Hello!
When we apply a Netflow profile to an interface, does it capture the ingress, egress or both flows?
If we apply the same profile to the Inside and the Outside interface, and we have a flow which passes both of them, will we send duplicated information about this flow to the remote Netflow Analyzer?
Thank you!
06-29-2023 05:11 AM
Hi @ichakarov ,
You can use it to export statistics about the IP traffic ingressing the interfaces.
All Palo Alto Networks firewalls support NetFlow Version 9. The firewalls support only unidirectional NetFlow, not bidirectional.
Source: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/netflow-monitoring
Kind regards,
-Kim.
06-30-2023 02:39 AM
Hello!
I'm having an issue with my NetFlow configuration on the PA5260.
I'm not receiving any logs on my QRadar, even though I have configured NetFlow by following https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJzCAK
The following steps have been done:
1. NetFlow profile created
2. Profile applied on a subinterface
3. Use of the ae3 interface in a service route.
4. Connectivity between the ae3 interface and the QRadar
Thanks in advance for your help.
Best Regards
06-30-2023 02:44 AM
Hello,
Below is my NetFlow config:
show | match netflow
set deviceconfig system route service netflow source address 10.10.10.14/29
set deviceconfig system route service netflow source interface ae3.600
set network interface tunnel units tunnel.11 netflow-profile NetFlow_SOC_Qradar
set network interface tunnel units tunnel.14 netflow-profile NetFlow_SOC_Qradar
set shared server-profile netflow NetFlow_SOC_Qradar server Qradar host 1.1.1.1/24
set shared server-profile netflow NetFlow_SOC_Qradar server Qradar port 2055
set shared server-profile netflow NetFlow_SOC_Qradar template-refresh-rate minutes 1
set shared server-profile netflow NetFlow_SOC_Qradar template-refresh-rate packets 20
set shared server-profile netflow NetFlow_SOC_Qradar active-timeout 1
set shared server-profile netflow NetFlow_SOC_Qradar export-enterprise-fields no
set shared admin-role Monitor-full-access role device webui device server-profile netflow read-only
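A collector-side check for the "nothing arrives" case, as an added example that is not part of the thread: a minimal NetFlow v9 (RFC 3954) decoder that shows whether an export packet carries a template or data, and why data flowsets stay undecodable until a template has been received (the `template-refresh-rate` settings above control how often templates are resent). The field set, addresses, interface index and packets are constructed for illustration and are not what PAN-OS emits.

```python
import struct

# Subset of RFC 3954 field types, enough for the constructed sample below.
FIELDS = {1: "bytes", 4: "proto", 7: "sport", 8: "src", 10: "in_if", 11: "dport", 12: "dst"}
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (1, 4)]  # 19-byte record

def parse_v9(pkt, templates):
    """Decode one export packet; returns (records, undecodable_data_flowsets)."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", pkt, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, skipped, off = [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: template_id, field_count, (type, length)...
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if tid < 256:  # trailing padding, not a template
                    break
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) not in templates:
            skipped += 1  # data arrived before its template: cannot be decoded yet
        elif fs_id >= 256:  # data flowset described by a known template
            tmpl = templates[(source_id, fs_id)]
            size = sum(flen for _, flen in tmpl)
            for start in range(0, len(body) - size + 1, size):  # ignores padding
                rec, q = {}, start
                for ftype, flen in tmpl:
                    raw, q = body[q:q + flen], q + flen
                    rec[FIELDS.get(ftype, f"type_{ftype}")] = (".".join(map(str, raw))
                        if ftype in (8, 12) else int.from_bytes(raw, "big"))
                records.append(rec)
        off += fs_len
    return records, skipped

def _packet(seq, flowset_id, body):  # builds a constructed packet, source_id 1
    hdr = struct.pack("!HHIIII", 9, 1, 1000, 1688000000, seq, 1)
    return hdr + struct.pack("!HH", flowset_id, 4 + len(body)) + body

TEMPLATE_PKT = _packet(0, 0, struct.pack("!HH", 256, len(TEMPLATE))
                       + b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE))
DATA_PKT = _packet(1, 256, bytes([192, 0, 2, 10, 198, 51, 100, 5])
                   + struct.pack("!HHBHI", 51000, 443, 6, 14, 1500) + b"\x00")
```

On a real collector host, pass each UDP payload received on the configured port (2055 in the config above) to `parse_v9` with one shared `templates` dict; each decoded record describes one direction of a flow, tagged with its input interface.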