Palo Alto NetFlow Configuration

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Today I’m covering the Palo Alto NetFlow Configuration steps. This is a pretty straightforward two-step process that is easy to complete and is supported on all Palo Alto firewalls except the PA-4000 series models.



To set this up, log in to your Palo Alto Networks firewall and click on the Device tab at the top, then on the left, under Server Profiles, click on ‘NetFlow’. An interface similar to the one below will appear. Click on Add (Click 3) as shown in the window below.

[Screenshot: palo-alto-netflow-configuration.png]

Enter a Name at the top: Send-to-Scrutinizer.

Enter the Template Refresh Rate; this tells the hardware to send the NetFlow v9 template every 60 seconds. Without a template, the collector can’t decipher the incoming flows.
  • Minutes: 1
  • Packets: 20
Enter the Active Timeout (min): 1; this tells the hardware to export long-lived flows every 60 seconds. Most NetFlow reporting solutions trend the data in 1 minute intervals.

Click on Add (Click 4) and then:
Enter the Name of the collector: ScrutinizerCollector
Enter the server IP address: 10.1.1.50; this is the IP address of the Scrutinizer NetFlow, sFlow and IPFIX collector.
Enter the Port: 2055; this is the UDP port the NetFlow datagrams will be sent on to the collector.

Make sure you check the “PAN-OS Field Types” option, because this sends the layer 7 application names. This is important because without these details the NetFlow reporting solution will be forced to identify applications by looking at the source and destination ports. That can be very inaccurate, whereas the Palo Alto firewall performs Man In The Middle (see minute 4) SSL DPI, so even applications hiding behind an HTTPS connection can be determined (e.g. Facebook, Google, etc.). Palo Alto is smart because it can identify SSL regardless of the port, and you’ll want this extra insight. Checking this option also exports the Username details, which are nice to have associated with the IP address.

Then click on the OK button.

Now comes the second part of the Palo Alto NetFlow support. Click on the Network tab and then perform the following on each interface. On this firewall we have 4 interfaces.

[Screenshot: palo-alto-netflow-setup.png]


Click on the interface (Click 2) shown below. Select the NetFlow Profile that we created above from the drop-down box: Send-to-Scrutinizer

Now enter a clever Comment: Primary NetFlow Collector

Click on the OK button and you are done! Within a couple of minutes you will see the flows coming into Scrutinizer.  You’ll notice that your Palo Alto firewall can export IPv4 and IPv6 details as well as information on NAT connections.
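To make the template point above concrete (a collector cannot decode NetFlow v9 data records until it has received the matching template, which is why the Template Refresh Rate matters), here is an added example of a minimal NetFlow v9 decoder. It is not Plixer’s or Palo Alto Networks’ code; it builds two constructed datagrams (a template FlowSet and a data FlowSet using only standard RFC 3954 field types, not the PAN-OS enterprise fields) and shows that the same data packet is dropped when it arrives before the template and decoded once the template is cached per exporter source ID.

```python
import struct

# Standard NetFlow v9 field types (RFC 3954) used by the constructed template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}


class NetFlowV9Collector:
    """Caches templates keyed by (source_id, template_id) and decodes data FlowSets
    only when a matching template has already been seen from that exporter."""

    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.undecodable = 0  # data FlowSets dropped because no template was known

    def feed(self, packet):
        """Parse one NetFlow v9 datagram and return the decoded flow records."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._parse_templates(source_id, body)
            elif fs_id > 255:                    # data FlowSet (id == template id)
                records.extend(self._parse_data(source_id, fs_id, body))
            # fs_id 1 (options template) and 2..255 (reserved) are skipped here
            offset += fs_len
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            fields = []
            for _ in range(nfields):
                ftype, flen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                fields.append((ftype, flen))
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1               # template not yet received: drop
            return []
        rec_len = sum(ln for _, ln in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):       # trailing bytes < rec_len are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]; pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and flen == 4:
                    rec[name] = ".".join(str(b) for b in raw)
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


# --- constructed sample datagrams (not captured from a real firewall) ---------
def _header(count, seq, source_id=1):
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, source_id)


def build_template_packet(template_id=256, source_id=1):
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    return _header(1, 1, source_id) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(template_id=256, source_id=1):
    # One 21-byte record: 10.1.1.20:51514 -> 93.184.216.34:443, TCP, 18234 bytes, 42 packets
    rec = bytes([10, 1, 1, 20]) + bytes([93, 184, 216, 34])
    rec += struct.pack("!HHB", 51514, 443, 6) + struct.pack("!II", 18234, 42)
    body = rec + b"\x00" * ((4 - len(rec) % 4) % 4)   # pad FlowSet to 4-byte boundary
    return _header(1, 2, source_id) + struct.pack("!HH", template_id, 4 + len(body)) + body


def demo():
    """Data before template is dropped; after the template it decodes."""
    c = NetFlowV9Collector()
    early = c.feed(build_data_packet())      # no template cached yet -> []
    c.feed(build_template_packet())
    late = c.feed(build_data_packet())       # now decodable
    return early, late, c.undecodable


if __name__ == "__main__":
    print(demo())
```

A one-minute refresh means a collector restarted mid-stream loses at most a minute of flows before it can decode again; the `undecodable` counter is the kind of metric worth alerting on if it keeps climbing, since it usually means the template refresh is too slow or templates are being lost. To confirm datagrams are reaching the collector at all, `tcpdump -ni <iface> udp port 2055` on the Scrutinizer host is the quickest check.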

About Palo Alto Networks
I learned a bit more about this company by visiting their web site. Palo Alto claims that their “platform uniquely offers you the ability to identify, control, and safely enable applications while inspecting all content for all threats all the time.” They feel that “these capabilities, combined with superior performance, surpass all traditional approaches” and can “eliminate a variety of stand-alone and bolt-on security devices.” It goes on to say that their “platform can address a broad range of your network security requirements - from your datacenter to your enterprise perimeter, to the far edges of your network and more - including branch offices and mobile devices.”  

[Screenshot: palo-alto-netflow-support.png]


We are proud to be a Palo Alto Networks Partner and the best-of-breed NetFlow reporting solution for their hardware.


