I have a PA-5220 and I am trying to configure a NetFlow export out to my SolarWinds server, which is located at a remote site across a VPN tunnel.
I am aware that I cannot use the MGMT interface to export NetFlow with this particular device, but I am not all that thrilled about using any of the other interfaces, nor do I want to create a whole new subnet just for this...
I currently set up another interface within the mgmt VLAN that the MGMT ports also sit in, but interestingly the Palo is complaining about a duplicate IP conflict. That being said, it functionally seems to be working.
But due to the error messages this doesn't seem like the way to go. Just curious what the rest of you might be doing; maybe there is a more obvious solution to this I haven't picked up on... or maybe I can just kill the error messages.
In our case we are exporting NetFlow on one of our internal layer 3 routed interfaces. We had to adjust the internal service route to accommodate this, but it seems to work without issue. We do of course have the extra burden of NetFlow traffic on that internal interface, but it's not an issue in our case as we have a 20G trunk.
Why can't you use the management interface for your NetFlow export? We are, and it works as expected. Check your 'Service Routes' config and it should tell you which interface is being used.
The management interface is not supported for NetFlow export (even though it's in the list) on the new PAN-5220 hardware. It has something to do with the way the traffic is processed by the dataplane in the new hardware: NetFlow traffic is not sent to the management plane. It took a case with Palo Alto to determine this and the fix (as it's not, or wasn't, documented at the time). On our new PAN-220 models, you can still export NetFlow via the management interface like normal. I'm not sure about the newer PAN-800 and PAN-32xx models.
On the plus side, because NetFlow is now processed differently, you can get exports from subinterfaces now as well, which apparently wasn't supported before (and the support engineer kept insisting that it still wasn't supported even though I was showing him flows in LiveNX).
Funny thing about this (and I would suggest reaching out to your account manager), it was less expensive for us to upgrade our PAN-5060 to PAN-5220 including subscriptions than it was to just renew the subscriptions on the older PAN-5060s. Food for thought.
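For readers following the approach described in this thread (export from an internal layer 3 interface and point the NetFlow service route at it instead of MGMT), here is a PAN-OS CLI configuration sketch. This is an added example, not configuration from any poster here; the profile name `SW-NTA`, the interface `ethernet1/5`, the collector address `10.20.30.40` and the source address `10.1.1.1` are placeholders you would replace with your own values.

```text
# Added example (placeholders throughout). Run from configure mode on the firewall.

# 1. NetFlow server profile pointing at the collector (SolarWinds at a remote site).
#    Port 2055 is the usual NetFlow collector port; match whatever your collector listens on.
set shared server-profile netflow SW-NTA server SW-COLLECTOR host 10.20.30.40 port 2055
set shared server-profile netflow SW-NTA template-refresh-rate minutes 30 packets 20

# 2. Attach the profile to the layer 3 interface whose traffic you want to see in the collector.
set network interface ethernet ethernet1/5 layer3 netflow-profile SW-NTA

# 3. Service route: on platforms where MGMT cannot export NetFlow (per the PA-5220 report above),
#    source the export from a dataplane interface and one of that interface's own addresses.
#    Use an address that belongs to this interface, not one borrowed from the MGMT subnet,
#    otherwise you get the duplicate-IP conflict described in the question.
set deviceconfig system route service netflow source interface ethernet1/5
set deviceconfig system route service netflow source address 10.1.1.1

commit

# 4. Check (operational mode): confirm the collector is reachable through the dataplane
#    routing table, i.e. via the VPN tunnel, rather than through the MGMT default gateway.
test routing fib-lookup virtual-router default ip 10.20.30.40
```

Because the export crosses a VPN tunnel, the source address chosen in step 3 has to be covered by the tunnel's proxy IDs or route-based policy on both ends, or the UDP export packets will be built correctly and then silently dropped before they ever reach the collector.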