Go with the NetFlow

What is NetFlow and How Can it Help Me Monitor Traffic?

Do you want to know how much traffic is flowing through your network, where it’s coming from and going to, and who is generating it?

Palo Alto Networks firewalls support NetFlow v9, an industry-standard protocol for exporting information about IP traffic flows as they enter or exit an interface. You can use this information to gain real-time situational awareness of all users, devices, and traffic in your network.

The firewall sends the flow information as NetFlow records to a NetFlow collector. A flow is a unidirectional sequence of packets that have common attributes such as ingress interface, source/destination IP address, IP protocol, source/destination port, and IP type of service. In the Palo Alto Networks implementation, the NetFlow records also include application names and usernames that the App-ID and User-ID features identify. The NetFlow collector processes the flow records to present traffic analysis in a user-friendly format. This traffic analysis enables you to discover patterns in bandwidth usage and device performance. It also helps you detect traffic anomalies so you can improve firewall policies to protect your network while allowing users to access useful applications.

For example, if users complain about slow or sporadic access to services, NetFlow can help you identify which users, endpoints, applications, and protocols use the most bandwidth and at what times. Identifying the top “talkers” and predicting spikes in activity can help you plan bandwidth expansion. If DoS or other attacks target your network, NetFlow can help you to detect these before they escalate and cause a network outage.

Using NetFlow is Easy!

To start using NetFlow to analyze traffic:

1. Define access to a NetFlow collector by configuring a NetFlow server profile.
2. Assign the profile to each firewall interface that carries the traffic you want to monitor.
3. Use the NetFlow collector to analyze the traffic.

For detailed configuration instructions and a list of supported NetFlow templates and fields, refer to NetFlow Monitoring in the PAN-OS 7.0 Administrator’s Guide.

Carl Mills

[Palo Alto Networks Blog]