All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. The firewalls perform NetFlow processing on all IP packets on the interfaces and do not support sampled NetFlow. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces.
To use a NetFlow collector for analyzing the network traffic on firewall interfaces, perform the following steps to configure NetFlow record exports.
Step 1 – Create a NetFlow server profile.
The profile defines which NetFlow collectors will receive the exported records and specifies export parameters.
1 – Select Device > Server Profiles > NetFlow and click Add.
2 – Enter a Name for the profile.
3 – Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records—default is 20). The firewall refreshes the templates after either threshold is passed.
4 – For the Active Timeout, specify the frequency in minutes at which the firewall exports records (default is 5).
5 – Select the PAN-OS Field Types check box if you want the firewall to export App-ID and User-ID fields.
6 – For each NetFlow collector (up to two per profile) that will receive fields, click Add and enter an identifying server Name, hostname or IP address ( NetFlow Server), and access Port 6343 (default is 2055).
7 – Click OK to save the profile.
Step 2 – Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze.
In this example, you assign the profile to an existing Ethernet interface.
1 – Select Network > Interfaces > Ethernet and click an interface name to edit it.
2 – In the NetFlow Profile drop-down, select the NetFlow server profile and click OK.
3 – Click Commit.
