Configuring Flow Exports on Palo Alto Devices

For NetFlow analysis, you need to configure your devices to export flows to the Site24x7 On-Premise Poller, which acts as the NetFlow collector. The On-Premise Poller listens on a specific port to receive flows. Learn how to find the port number of your On-Premise Poller.

Perform the following steps to configure NetFlow record exports:

  1. Create a NetFlow server profile.
  2. Assign the NetFlow server profile to the interfaces that convey the traffic.
  3. Configure a service route for the interface that the firewall will use to send NetFlow records (Required for PA-7000 Series and PA-5200 Series firewalls).
  4. Commit your changes.

Step 1: Create a NetFlow server profile.

This step defines Site24x7 as the NetFlow collector that will receive the exported records. Follow the steps below:

  1. Log in to your Palo Alto device.
  2. Go to Device > Server Profiles > NetFlow and Add a profile.
  3. Name: Enter a name to identify the profile.
  4. Under Template Refresh Rate, specify how often the firewall resends NetFlow templates, in Minutes (default is 30) and in Packets (exported records; default is 20).
  5. Active Timeout: Specify the Active Timeout, which is the frequency in minutes at which the firewall exports records (default is 5).
  6. Check the box next to PAN-OS Field Types if you want the firewall to export App-ID and User-ID fields.
  7. Add the NetFlow collector that will receive the records by specifying the following:
  8. Click OK.

Step 2: Assign the NetFlow server profile to the interfaces that convey the traffic.

Once you have configured the NetFlow server profile, the next step is to assign the profile to the firewall interfaces that carry the traffic you want to monitor.

  1. Go to Network > Interfaces > Ethernet and click an interface name to edit it.
  2. Select the NetFlow server profile (NetFlow Profile) you configured and click OK.

Step 3: Configure a service route for the interface that the firewall will use to send NetFlow records (Required for PA-7000 Series and PA-5200 Series firewalls).

  1. Go to Device > Setup > Services.
  2. (Firewall with multiple virtual systems) Select one of the following:
    • Global: Select this if the service route applies to all virtual systems on the firewall.
    • Virtual Systems: Select this if the service route applies to a specific virtual system. Set the Location to the virtual system.
  3. Select Service Route Configuration and Customize.
  4. Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
  5. Click Netflow in the Service column.
  6. Select the Source Interface.
    Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series or PA-5200 Series firewalls.
  7. Select a Source Address (IP address).
  8. Click OK twice to save your changes.

Step 4: Commit your changes.

Commit all of the above changes.

To troubleshoot NetFlow delivery issues, use the following operational command-line interface (CLI) command:
debug log-receiver netflow statistics
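The following Python decoder is an added illustration, not part of the Site24x7 or Palo Alto documentation, of what the collector on the receiving end does with the packets the steps above produce. NetFlow version 9 carries a template that describes the record layout separately from the data records themselves, which is why the Template Refresh Rate setting matters: a data FlowSet that arrives before its template (for example, right after a collector restart) cannot be decoded until the firewall resends the template. The packets, field set, addresses and counters below are all constructed sample values, and the collector class is a hypothetical minimal implementation, not the On-Premise Poller's code.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type IDs (RFC 3954) used in the constructed template below.
IN_BYTES, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 1, 7, 8, 11, 12
FIELD_NAMES = {IN_BYTES: "in_bytes", L4_SRC_PORT: "src_port", IPV4_SRC_ADDR: "src_ip",
               L4_DST_PORT: "dst_port", IPV4_DST_ADDR: "dst_ip"}

# v9 packet header: version, record count, sysUptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


def _decode_field(ftype: int, raw: bytes):
    """Render IPv4 fields dotted-quad, everything else as a big-endian integer."""
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class NetFlowV9Collector:
    """Hypothetical minimal collector: caches templates per (source_id, template_id)."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.undecodable = 0  # data FlowSets seen before their template arrived

    def feed(self, packet: bytes) -> List[dict]:
        """Parse one exported packet; return the data records that could be decoded."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records: List[dict] = []
        offset = HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4:  # malformed FlowSet header; stop rather than loop forever
                break
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:                      # template FlowSet
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:                  # data FlowSet, id == template id
                tmpl = self.templates.get((source_id, flowset_id))
                if tmpl is None:
                    self.undecodable += 1            # must wait for a template refresh
                else:
                    records.extend(self._decode_data(tmpl, body))
            offset += length
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack_from("!HH", body, pos))  # (type, length)
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _decode_data(self, tmpl: List[Tuple[int, int]], body: bytes) -> List[dict]:
        rec_len = sum(flen for _, flen in tmpl)
        out, pos = [], 0
        while pos + rec_len <= len(body):            # trailing padding is skipped
            rec = {}
            for ftype, flen in tmpl:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


# --- constructed sample packets (not captured from a real firewall) ---
TEMPLATE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (IN_BYTES, 4)]


def build_header(count: int, seq: int, source_id: int = 1) -> bytes:
    return HEADER.pack(9, count, 123456, 1700000000, seq, source_id)


def build_template_packet(template_id: int = 256, seq: int = 1) -> bytes:
    body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    for ftype, flen in TEMPLATE_FIELDS:
        body += struct.pack("!HH", ftype, flen)
    return build_header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(template_id: int = 256, seq: int = 2) -> bytes:
    rec = bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10]) + struct.pack("!HHI", 51000, 443, 1500)
    return build_header(1, seq) + struct.pack("!HH", template_id, 4 + len(rec)) + rec


def demo():
    """Data before template is undecodable; after the template arrives it decodes."""
    collector = NetFlowV9Collector()
    early = collector.feed(build_data_packet(seq=1))
    collector.feed(build_template_packet(seq=2))
    late = collector.feed(build_data_packet(seq=3))
    return collector.undecodable, early, late


if __name__ == "__main__":
    print(demo())
```

In practice this is why a freshly started collector can show a gap of up to the configured Template Refresh Rate before records appear, and why a rising count of undecodable FlowSets points at template delivery rather than at the interface assignment in Step 2.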

For more details, refer to Palo Alto's official documentation.
