NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow collector is a server you use to analyze network traffic for security, administration, accounting and troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. The firewalls perform NetFlow processing on all IP packets on the interfaces and do not support sampled NetFlow. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group. To identify firewall interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewall supports standard and enterprise (PAN-OS specific) NetFlow Templates, which NetFlow collectors use to decipher the NetFlow fields.
Configure NetFlow Exports
To use a NetFlow collector for analyzing the network traffic on firewall interfaces, perform the following steps to configure NetFlow record exports.
Create a NetFlow server profile. The profile defines which NetFlow collectors will receive the exported records and specifies export parameters. Select Device > Server Profiles > NetFlow and click Add. Enter a Name for the profile. Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records; default is 20), according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed. For the Active Timeout, specify the frequency in minutes at which the firewall exports records (default is 5). Select the PAN-OS Field Types check box if you want the firewall to export App-ID and User-ID fields. For each NetFlow collector (up to two per profile) that will receive fields, click Add and enter an identifying server Name, hostname or IP address (NetFlow Server), and access Port (default is 2055). Click OK to save the profile.
Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze. In this example, you assign the profile to an existing Ethernet interface. Select Network > Interfaces > Ethernet and click an interface name to edit it. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group. In the NetFlow Profile drop-down, select the NetFlow server profile and click OK. Click Commit.
Monitor the firewall traffic in a NetFlow collector. Refer to the documentation for your NetFlow collector. When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, set the refresh rate based on a time interval and a number of exported records according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed.
The Palo Alto Networks firewall supports the following NetFlow templates:
Template                     | ID
IPv4 Standard                | 256
IPv4 Enterprise              | 257
IPv6 Standard                | 258
IPv6 Enterprise              | 259
IPv4 with NAT Standard       | 260
IPv4 with NAT Enterprise     | 261
IPv6 with NAT Standard       | 262
IPv6 with NAT Enterprise     | 263
The following table lists the NetFlow fields that the firewall can send, along with the templates that define them:
Value | Field | Description | Templates
1 | IN_BYTES | Incoming counter with length N * 8 bits for the number of bytes associated with an IP flow. By default, N is 4. | All templates
2 | IN_PKTS | Incoming counter with length N * 8 bits for the number of packets associated with an IP flow. By default, N is 4. | All templates
4 | PROTOCOL | IP protocol byte. | All templates
5 | TOS | Type of Service byte setting when entering the ingress interface. | All templates
6 | TCP_FLAGS | Total of all the TCP flags in this flow. | All templates
7 | L4_SRC_PORT | TCP/UDP source port number (for example, FTP, Telnet, or equivalent). | All templates
8 | IPV4_SRC_ADDR | IPv4 source address. | IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise
10 | INPUT_SNMP | Input interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. | All templates
11 | L4_DST_PORT | TCP/UDP destination port number (for example, FTP, Telnet, or equivalent). | All templates
12 | IPV4_DST_ADDR | IPv4 destination address. | IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise
14 | OUTPUT_SNMP | Output interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. | All templates
21 | LAST_SWITCHED | System uptime in milliseconds when the last packet of this flow was switched. | All templates
22 | FIRST_SWITCHED | System uptime in milliseconds when the first packet of this flow was switched. | All templates
27 | IPV6_SRC_ADDR | IPv6 source address. | IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise
28 | IPV6_DST_ADDR | IPv6 destination address. | IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise
32 | ICMP_TYPE | Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code. | All templates
61 | DIRECTION | Flow direction: 0 = ingress, 1 = egress. | All templates
148 | flowId | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowId corresponds to the session ID field in Traffic and Threat logs. | All templates
233 | firewallEvent | Indicates a firewall event: 0 = Ignore (invalid)—Not used. 1 = Flow created—The NetFlow data record is for a new flow. 2 = Flow deleted—The NetFlow data record is for the end of a flow. 3 = Flow denied—The NetFlow data record indicates a flow that firewall policy denied. 4 = Flow alert—Not used. 5 = Flow update—The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile. | All templates
225 | postNATSourceIPv4Address | The definition of this information element is identical to that of sourceIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface. | IPv4 with NAT standard, IPv4 with NAT enterprise
226 | postNATDestinationIPv4Address | The definition of this information element is identical to that of destinationIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface. | IPv4 with NAT standard, IPv4 with NAT enterprise
227 | postNAPTSourceTransportPort | The definition of this information element is identical to that of sourceTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface. | IPv4 with NAT standard, IPv4 with NAT enterprise
228 | postNAPTDestinationTransportPort | The definition of this information element is identical to that of destinationTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface. | IPv4 with NAT standard, IPv4 with NAT enterprise
281 | postNATSourceIPv6Address | The definition of this information element is identical to the definition of information element sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification. | IPv6 with NAT standard, IPv6 with NAT enterprise
282 | postNATDestinationIPv6Address | The definition of this information element is identical to the definition of information element destinationIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification. | IPv6 with NAT standard, IPv6 with NAT enterprise
346 | privateEnterpriseNumber | A unique private enterprise number that identifies Palo Alto Networks: 25461. | IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
56701 | App-ID | The name of an application that App-ID identified. The name can be up to 32 bytes. | IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
56702 | User-ID | A username that User-ID identified. The name can be up to 64 bytes. | IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
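As an added example (not Palo Alto Networks code), the following collector-side decoder shows how the template and field definitions above are consumed: it caches the template FlowSet the firewall exports, then uses the cached field list to split a data FlowSet for template 257 (IPv4 Enterprise) into named values, decoding firewallEvent codes and the ICMP Type * 256 + code packing as the table defines them. The field byte lengths, the addresses, the session values and the App-ID string in the sample packet are constructed assumptions, not a real export.

```python
import socket
import struct
# Field type IDs are from the page; the byte lengths in the constructed sample below are assumptions.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
               32: "ICMP_TYPE", 61: "DIRECTION", 148: "flowId", 233: "firewallEvent",
               346: "privateEnterpriseNumber", 56701: "App-ID", 56702: "User-ID"}
FIREWALL_EVENT = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "update"}

def decode_field(ftype, raw):  # addresses dotted, App-ID/User-ID as text, codes as labels
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    if ftype in (56701, 56702):
        return raw.rstrip(b"\x00").decode("ascii")
    value = int.from_bytes(raw, "big")
    if ftype == 32:                            # page: ICMP Type * 256 + ICMP code
        return divmod(value, 256)
    return FIREWALL_EVENT.get(value, "unknown") if ftype == 233 else value

def parse_v9(packet, templates=None):  # pass the same dict for every packet to cache templates
    templates = {} if templates is None else templates
    records, off = [], 20                      # skip the 20-byte NetFlow v9 packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                         # template FlowSet: id, field count, (type, len) pairs
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = list(struct.iter_unpack("!HH", body[p + 4:p + 4 + 4 * n]))
                p += 4 + 4 * n
        elif fs_id in templates:               # data FlowSet (id >= 256) using a cached template
            spec = templates[fs_id]
            rec_len = sum(flen for _, flen in spec)
            while p + rec_len <= len(body):    # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in spec:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return records

# Constructed sample, not a capture: template 257 (IPv4 Enterprise) and one "flow denied" record.
SPEC_257 = [(1, 4), (4, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4), (14, 2), (148, 4), (233, 1), (346, 4), (56701, 32)]
TEMPLATE_FS = struct.pack("!HH", 257, len(SPEC_257)) + b"".join(struct.pack("!HH", t, l) for t, l in SPEC_257)
RECORD = (struct.pack("!IBH", 1200, 6, 51514) + socket.inet_aton("192.0.2.10") + struct.pack("!HH", 3, 443)
          + socket.inet_aton("198.51.100.7") + struct.pack("!HIBI", 4, 70101, 3, 25461) + b"ssl".ljust(32, b"\x00"))
SAMPLE = (struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)  # header: version, count, uptime, secs, seq, source id
          + struct.pack("!HH", 0, 4 + len(TEMPLATE_FS)) + TEMPLATE_FS
          + struct.pack("!HH", 257, 4 + len(RECORD)) + RECORD)
```

A data FlowSet that arrives before its template is skipped, which is why a collector keeps the template cache across packets until the firewall's next template refresh.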