What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Configure PRTG to read Palo Alto Netflow data?

Votes:

0

The Netflow data the Palo Alto PA-220 firewall is sending displays registered (external) IP addresses for internal computer Internet traffic.

How can I configure the Netflow probe to use whichever templates will provide us with the LAN IP addresses?

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/netflow-templates

Value Field Description Templates

225 postNATSourceIPv4Address The definition of this information element is identical to that of sourceIPv4Address, except that it reports a modified value that a NAT middlebox function caused after the packet passed the observation point . IPv4 with NAT standard IPv4 with NAT enterprise

226 postNATDestinationIPv4Address The definition of this information element is identical to that of destinationIPv4Address, except that it reports a modified value that a NAT middlebox function caused after the packet passed the observation point. IPv4 with NAT standard IPv4 with NAT enterprise

227 postNAPTSourceTransportPort The definition of this information element is identical to that of sourceTransportPort, except that it reports a modified value that a Network Address Port Translation (NAPT) middlebox function caused after the packet passed the observation point. IPv4 with NAT standard IPv4 with NAT enterprise

228 postNAPTDestinationTransportPort The definition of this information element is identical to that of destinationTransportPort, except that it reports a modified value that a Network Address Port Translation (NAPT) middlebox function caused after the packet passed the observation point.

netflow netflow-templates palo-alto-networks prtg

Created on Oct 31, 2017 3:39:36 AM



4 Replies

Votes:

0

Hello there,

I'm not fully sure I understand the issue. Regarding the templates, you don't have to configure anything in the sensor. The device will have to send the templates and the sensor will use them then to decode the flow data accordingly and it is not limited to use only one single template. You can verify this by using our NetFlow Tester. It will show you the received templates and the decoded flows while its running. Make sure to pause the flow sensors that use the same port, otherwise the tester cannot listen to the port for receiving flows.

Kind regards,.

Erhard

Created on Oct 31, 2017 3:42:11 PM by Erhard Mikulik [Paessler Support]



Votes:

0

I used the Netflow Tester (thanks!) and was able to see that the templates (below) are indeed now being received by on the computer running PRTG.

I'm using a NetFlow V9 (Custom) sensor as I hoped it would let me see/configure it for some of the enterprise-specific info as described below. My Google-Fu is failing me as I attempt to find PRTG Configuration Guides on how to configure the/any NetFlow sensor to automatically extract the APP and USER info from those templates. Is there one to be found?

Overview PAN-OS can generate and export Netflow Version 9 records with unidirectional IP traffic flow information to an outside collector. Netflow export can be enabled on any ingress interface in the system. Separate template records are defined for IPv4, IPv4 with NAT, and IPv6 traffic, and PAN-OS specific (enterprise specific) fields for App-ID and User-ID can be optionally exported. This feature is available on all platforms, except the PA-4000 Series. For more information about Netflow, refer to the Palo Alto Networks Administrator’s Guide.

The following tables provide the details of the templates supported including the values, field types, and descriptions for all the elements in the templates. Templates listed as “Enterprise” include all the field types of the corresponding “Standard” template, and [Enterprise] additionally include PAN-OS specific fields for App-ID and User-ID. • IPv4 Traffic Templates o Template ID 257 – IPv4 Enterprise o Template ID 261 – IPv4 with NAT Enterprise Source: https://live.paloaltonetworks.com/t5/Tech-Note-Articles/PAN-OS-Netflow-Templates-and-Field-Types-PAN-OS-5-0/ta-p/54223

Created on Feb 5, 2018 9:55:03 PM



Votes:

0

I replied (provided more info, and asked different questions) to this yesterday - is it waiting on a moderator to review?

Created on Feb 6, 2018 4:26:58 PM



Votes:

0

Hi there,

Yes, sorry it took a little longer. The PRTG Netflow sensors are not supporting custom fields, only the standard ones. So reading PAN-OS fields in transmitted flows is not possible I'm afraid.

Kind regards,

Erhard

Created on Feb 6, 2018 5:04:17 PM by Erhard Mikulik [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.