Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you must be able to match the interface indexes with interface names.
Figure: Interface Indexes in an SNMP Manager
You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:
Firewall Platform Calculation Example Interface Index
Non-chassis based: VM-Series, PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series The PA-4000 Series platform supports SNMP but not NetFlow. MGT port + physical port offset MGT port—This is a constant that depends on the platform: 2 for hardware-based firewalls (for example, the PA-5000 Series firewall) 1 for the VM-Series firewall Physical port offset—This is the physical port number. PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6
Chassis based: PA-7000 Series firewalls This platform supports SNMP but not NetFlow. (Max. ports * slot) + physical port offset + MGT port Maximum ports—This is a constant of 64. Slot—This is the chassis slot number of the network interface card. Physical port offset—This is the physical port number. MGT port—This is a constant of 5 for PA-7000 Series firewalls. PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical port) + 5 (MGT port) = 206
Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows:
Interface Type Range Digit 9 Digits 7-8 Digits 5-6 Digits 1-4 Example Interface Index
Layer 3 subinterface 101010001-199999999 Type: 1 Interface slot: 1-9 (01-09) Interface port: 1-9 (01-09) Subinterface: suffix 1-9999 (0001-9999) Eth1/5.22 = 100000000 (type) + 100000 (slot) + 50000 (port) + 22 (suffix) = 101050022
Layer 2 subinterface 101010001-199999999 Type: 1 Interface slot: 1-9 (01-09) Interface port: 1-9 (01-09) Subinterface: suffix 1-9999 (0001-9999) Eth2/3.6 = 100000000 (type) + 200000 (slot) + 30000 (port) + 6 (suffix) = 102030006
Vwire subinterface 101010001-199999999 Type: 1 Interface slot: 1-9 (01-09) Interface port: 1-9 (01-09) Subinterface: suffix 1-9999 (0001-9999) Eth4/2.312 = 100000000 (type) + 400000 (slot) + 20000 (port) + 312 (suffix) = 104020312
VLAN 200000001-200009999 Type: 2 00 00 VLAN suffix: 1-9999 (0001-9999) VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055
Loopback 300000001-300009999 Type: 3 00 00 Loopback suffix: 1-9999 (0001-9999) Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055
Tunnel 400000001-400009999 Type: 4 00 00 Tunnel suffix: 1-9999 (0001-9999) Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055
Aggregate group 500010001-500089999 Type: 5 00 AE suffix: 1-8 (01-08) Subinterface: suffix 1-9999 (0001-9999) AE5.99 = 500000000 (type) + 50000 (AE Suffix) + 99 (suffix) = 500050099

Related Documentation