Palo Alto Networks NetFlow Export includes Firewall Event Field in PAN-OS 5.0

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.


Palo Alto Networks is showing further commitment to NetFlow reporting by including a Firewall Event element in PAN-OS 5.0.  This new field gives firewall administrators several new advantages, and the improvement to the NetFlow export can be used in multiple ways.

Trending flows by event type (Created, Deleted or Denied, for example) gives administrators a historical baseline of how the Next Generation Firewall normally treats traffic headed for the Internet.

Palo Alto Networks Firewall Events

If an abnormal spike or drop occurs in the above trend, administrators can drill in to find out which machines were involved and which applications were in use at the time.  The data from multiple firewalls can also be combined to gain more of an enterprise-wide view of corporate Internet behavior.

Administrators can also use the above report to set thresholds on the volume of 'denied' events.  When a host exceeds that threshold, for example by generating denied flows at an unacceptable rate, the violation can trigger an event that leads to a notification.

Palo Alto Networks Firewall Events By Host 
Administrators can also use the NetFlow reporting solution to filter for a specific host that is having trouble communicating through the Next Generation Firewall.  They can then run a Palo Alto Networks 'Events' report to find out what, specifically, in the end system's traffic is causing a "Flow Denied" event to occur.
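The three uses described above (trending Created/Deleted/Denied counts, alerting on a per-host threshold of denied flows, and drilling into one host's denied traffic) reduce to a small amount of logic once the flow records have been decoded. The following is an added example written for this page, not Plixer or Palo Alto Networks code. It assumes the export has already been parsed into Python dicts with one record per flow, uses the firewallEvent codes IANA registers for IPFIX information element 233 (1 created, 2 deleted, 3 denied), and operates on constructed sample flows rather than captured data; which of those codes PAN-OS 5.0 actually emits is an assumption here, not something the page states.

```python
"""Trend, threshold and drill-down over firewallEvent-tagged flow records.

Added example, not vendor code. Assumes flows are already decoded into dicts.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# firewallEvent values as registered by IANA for IPFIX element 233.
# Which of these PAN-OS 5.0 exports is assumed here, not taken from the page.
FLOW_CREATED, FLOW_DELETED, FLOW_DENIED = 1, 2, 3
EVENT_NAMES = {FLOW_CREATED: "created", FLOW_DELETED: "deleted", FLOW_DENIED: "denied"}

# Constructed sample records (not real export data). Host 10.1.1.50 sweeps
# a /24 on TCP 445 and is denied every time; the rest is ordinary browsing.
T0 = datetime(2013, 1, 15, 9, 0, 0)


def _flow(seconds, src, dst, dport, app, user, event):
    """Build one decoded flow record `seconds` after T0 (constructed data)."""
    return {"ts": T0 + timedelta(seconds=seconds), "src": src, "dst": dst,
            "dport": dport, "app": app, "user": user, "event": event}


SAMPLE_FLOWS = [
    _flow(10, "10.1.1.20", "198.51.100.5", 443, "ssl", "corp\\alice", FLOW_CREATED),
    _flow(70, "10.1.1.20", "198.51.100.5", 443, "ssl", "corp\\alice", FLOW_DELETED),
    _flow(30, "10.1.1.21", "198.51.100.7", 80, "web-browsing", "corp\\bob", FLOW_CREATED),
    _flow(95, "10.1.1.21", "198.51.100.7", 80, "web-browsing", "corp\\bob", FLOW_DELETED),
    _flow(120, "10.1.1.21", "198.51.100.9", 23, "telnet", "corp\\bob", FLOW_DENIED),
] + [
    _flow(300 + i, "10.1.1.50", f"203.0.113.{i}", 445, "ms-ds-smb", "corp\\mallory", FLOW_DENIED)
    for i in range(1, 26)
]


def trend(flows, bucket_seconds=300):
    """Count created/deleted/denied flows per time bucket: the trend-graph data."""
    series = defaultdict(Counter)
    for f in flows:
        idx = int((f["ts"] - T0).total_seconds() // bucket_seconds)
        bucket = T0 + timedelta(seconds=idx * bucket_seconds)
        series[bucket][EVENT_NAMES[f["event"]]] += 1
    return dict(sorted(series.items()))


def denied_over_threshold(flows, threshold, window_seconds=300):
    """Return {host: peak count} for hosts whose denied flows in any sliding
    window of window_seconds exceed threshold.

    A sliding window over each host's sorted denied timestamps means the alert
    fires on burst rate, not on the total over the whole capture.
    """
    by_host = defaultdict(list)
    for f in flows:
        if f["event"] == FLOW_DENIED:
            by_host[f["src"]].append(f["ts"])
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


def drill_down(flows, host):
    """Summarise one host's denied flows by destination port and application,
    which is what an 'Events' report filtered to that host would show."""
    denied = [f for f in flows if f["src"] == host and f["event"] == FLOW_DENIED]
    by_port_app = Counter((f["dport"], f["app"]) for f in denied)
    return {
        "denied_flows": len(denied),
        "unique_destinations": len({f["dst"] for f in denied}),
        "by_port_app": by_port_app.most_common(),
        "users": sorted({f["user"] for f in denied}),
    }


if __name__ == "__main__":
    for bucket, counts in trend(SAMPLE_FLOWS).items():
        print(bucket.strftime("%H:%M"), dict(counts))
    for host, peak in denied_over_threshold(SAMPLE_FLOWS, threshold=10).items():
        print(f"ALERT {host}: {peak} denied flows within 5 minutes")
        print(drill_down(SAMPLE_FLOWS, host))
```

Two practical caveats when wiring this to a real export: flow records reach the collector only when the firewall exports them (on flow end or timeout), so the alert lags the traffic by at least the export interval; and a flow denied by policy before the firewall finishes identifying the application can carry a generic application value rather than the real one, so treat the port and destination spread as the primary signal in the drill-down and the application name as supporting evidence.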

Configuring a Palo Alto Networks firewall to export NetFlow is a straightforward process and the value gained is considerable.  Industry-leading NetFlow features include:
  • Application Awareness: Deep Packet Inspection (DPI) identifies and separates applications that share a port, such as TCP 80.
  • Username: If users authenticate with Active Directory or LDAP, the firewall can tie the username to the flows.  This eases troubleshooting during forensic analysis.
  • Network Address Translation: The export identifies what an IP address was internally before the firewall translated it, which can be a big time saver when tracing a post-NAT address back to its internal host.
  • Firewall Event: The newest addition to the export, providing the values outlined above.
  • Syslog Correlation with NetFlow: The message log exported by the firewall can be formatted into IPFIX and correlated with the NetFlow data to speed up identification of potential attacks.
Vendors recognize that flow technology is a primary feature needed to be a contender in the Next Generation Firewall space.  Clearly Palo Alto Networks understands which features matter most, has moved quickly to serve the needs of its customer base, and has partnered with Plixer to bring them to market.

The combined Plixer and Palo Alto solution also includes:
  • Host reputation monitoring
  • Enterprise application usage and performance monitoring
  • Mitigation of evolving threats
  • Audit trails of all internal and external traffic
  • The very best in network performance reporting
With thousands of customers, Scrutinizer plays a key role across global 2000 enterprises and governments.  Scrutinizer can detect zero-day types of malware including APT attacks.
