• State Not Answered
  • Replies 2 replies
  • Subscribers 25 subscribers
  • Views 359 views
  • Users 0 members are here
Options
Related

Palo Alto NetFlow Source Interface Issue

hpstech

Trying to get NetFlow on 5020 and I believe I'm running into this issue -   (+) NTA Palo alto sflow issue - Forum - NetFlow Traffic Analyzer (NTA) - THWACK (solarwinds.com)  

Configure NetFlow Exports (paloaltonetworks.com)

I'm able to collect flow from the Interfaces as virtual, but its ugly when reviewing flow since the device receiving flow is "unknown" since SNMP monitoring is directed to the management plane and netflow is coming from the data plane, and we cannot monitor SNMP on the data plane.

How do people handle this situation?

  • 0

    Hi,

    If I am understanding this correctly then the data plane are the logical interfaces types like VLAN, Tunnels, subinterfaces and so on. Based on the page https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/firewall-interface-identifiers-in-snmp-managers-and-netflow-collectors the collector needs to decipher type of the interface directly from the interface index in the flows. Which NTA is not doing at the moment.

    Let me please know if I am wrong. Otherwise I think it would be best to open a ticket on support for further investigation.

  • 0

    Under Setup > Interfaces > _your_mgmt_interface_ > Network Services, make sure SNMP is checked.
    In the same window, make sure that the SolarWinds Platform polling server IP address is added in the Permitted section.

    Under Setup > Services > Services Features, if you have "Use Management Interface for all" in your Service Route Configuration, then no need to make any changes. However, if you have it set to custom, then you'll need to make sure that NetFlow is set to use default for both source and interface.

    Under Setup > Operations > Miscellaneous, make sure that SNMP is copnfigured

    Under Server Profiles > Netflow, make sure that the SolarWinds Platform poller that is receiving the flow is defined on port 2055, with 1 Minute refresh, 20 Packets, 1 minute timeout. We don't want PAN-OS field types.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 190,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab Link Accounts
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2021 SolarWinds Worldwide, LLC. All Rights Reserved.