Topic
  • 9 replies
  • Latest Post - 2016-04-14T14:35:50Z by RajG-2016
networkingkool
7 Posts

Pinned topic: Flow from Palo Alto Firewall does not show anything useful

2014-05-11T00:40:36Z |

Hi all,

We are collecting NetFlow from a Palo Alto firewall, but in the flow payload I just see some useless information. Please see my attachment.

Do I have to move to monitoring via a SPAN port instead?

Please advise!

  • Aaron_Breen(IBM)
    13 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2014-05-11T21:47:48Z

    QRadar accepts layer 7, NetFlow, J-Flow and sFlow. If Palo Alto is not based on one of these, then it will not gather the proper data. Specifically, for non-content-based types (like NetFlow) we have to read the flow and pull out IPs, ports, source and destination byte totals, etc.

    I would move ahead with a SPAN port.

  • networkingkool
    7 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2014-09-25T04:57:37Z

    Hi Aaron,

    Palo Alto does support layer 7 data in NetFlow records. In the flow record, Palo Alto has an App-ID field, which enables administrators to see which applications users are using. I read a document from QRadar named "IBM QRadar SIEM and Palo Alto Networks PA Series Firewall Integration"; it said that QRadar can read the layer 7 data from Palo Alto NetFlow. But in my situation, QRadar cannot display anything useful except IPs, ports, and source and destination bytes.

    Do I need to configure anything else to help my QRadar display such layer 7 data?

    Please advise me.

  • ChrisBrumfield
    1 Post

    Re: Flow from Palo Alto Firewall does not show anything useful

    2014-10-27T23:33:50Z

    I have this same question. I read that document (dated 2012, attached), which said that the PAs export in NetFlow v9. It says (and I quote):

    • QRadar can receive and display Palo Alto Layer 7 data
    • PA outputs the data in Netflow v9
    • Customer would simply need to create a NetFlow flow source in QRadar (which listens on port 2055)
    • Configure their PA device to export the netflow records to Qradar
    • The flows appear in the QRadar Network Activity tab
    • These become a source for all of the flow based rules

    I'm looking for documentation on how this works. The DSM guide only gives information about how to use syslog, which we already use.

    I haven't begun exporting the NetFlow data, but intend to very soon, if I can find the support for it...

    Thanks,

    Chris

  • VBarahona
    2 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2015-09-25T14:11:16Z

    Hi guys,

    We have the same issue here. Palo Alto sends NetFlow v9 and, in two fields, App-ID and User-ID, includes the application and user of the flow. The field name for App-ID is Field_56701 and for User-ID it is Field_56702. The information is encoded as characters (not numeric), and QRadar ignores this info and stores an empty value.

    Ex.: This is a flow payload from the QRadar Network Activity tab:

    Field_233=1;DIRECTION=0;NF_F_CONN_ID=34336185;Field_56701=;Field_56702=;Field_346=25461;

    This hasn't changed in Palo Alto since PAN-OS 4.x (>2 years), but there is still no support for it. QRadar claims to support Palo Alto devices, as seen in this thread, but it does not. L7 application info and user in flows are critical to give some sense to Network Activity and for Assets. As happy QRadar users we have been waiting for more than 2 years. Palo Alto is one of the leaders in NG firewalls, but sadly this lack of Palo Alto support for years is making us look at other SIEM solutions in the near future.

    Is there any roadmap for real support of Palo Alto NetFlow flows?

    Thank you.

  • pzamora
    1 Post

    Re: Flow from Palo Alto Firewall does not show anything useful

    2015-09-25T15:35:42Z
    • VBarahona
    • 2015-09-25T14:11:16Z

    I'm not getting anything in the payload after following this article: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/monitor-the-firewall-using-netflow.html

    I am getting NetFlow activity, just not the payload. Any ideas?

  • VBarahona
    2 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2015-09-25T16:49:37Z
    • pzamora
    • 2015-09-25T15:35:42Z

    Hi Phillip,

    Sadly, that's the expected (but not the desired) result. The problem is that QRadar supports the IPFIX data types (http://www.iana.org/assignments/ipfix/ipfix.xml) but does not support the enterprise fields of the Palo Alto NetFlow v9 templates (https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/140/1/Netflow-Fields-5.0-RevA.pdf).

    That breaks the real utility of NetFlow information from Palo Alto devices in QRadar SIEM :-(

    Definitely, support for this feature is on my wishlist.
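The two VBarahona posts above (the Network Activity payload with `Field_56701=;Field_56702=;`, and the explanation that these are Palo Alto enterprise fields carrying characters rather than IANA IPFIX numeric types) describe a decoding problem that is easier to see in code. What follows is an added example written for this page; it is not QRadar, Palo Alto or forum code. It decodes a NetFlow v9 template and data record while treating type 56701 (APP-ID) and 56702 (USER-ID) as NUL-padded strings, shows what the same bytes become when a collector that knows no string type reads them as an integer, and parses a Network Activity payload string to flag the empty-field symptom. Assumptions: the sample packet is constructed here (not a capture); the 32- and 64-byte lengths declared for the two PAN fields are illustrative, not taken from the Palo Alto field document; and `Field_346` in the quoted payload is read as IPFIX privateEnterpriseNumber (25461 is Palo Alto Networks' IANA enterprise number), which is why the thread's payload carries that value.

```python
"""NetFlow v9 decoder that treats Palo Alto's APP-ID/USER-ID fields as strings.
Added example for this page, not QRadar, Palo Alto or forum code. The packet
built below is CONSTRUCTED and the 32/64-byte PAN field lengths are ASSUMED."""
import struct

# Standard NetFlow v9 field type IDs (Cisco v9 spec / IANA IPFIX registry).
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
# Palo Alto enterprise field IDs as they appear in the thread's QRadar payload
# (Field_56701 / Field_56702). Both carry character data, not integers.
PAN_APP_ID, PAN_USER_ID = 56701, 56702
PAN_STRING_FIELDS = frozenset({PAN_APP_ID, PAN_USER_ID})
FIELD_NAMES = {
    IN_BYTES: "IN_BYTES", IN_PKTS: "IN_PKTS", PROTOCOL: "PROTOCOL",
    L4_SRC_PORT: "L4_SRC_PORT", IPV4_SRC_ADDR: "IPV4_SRC_ADDR",
    L4_DST_PORT: "L4_DST_PORT", IPV4_DST_ADDR: "IPV4_DST_ADDR",
    PAN_APP_ID: "PAN_APP_ID", PAN_USER_ID: "PAN_USER_ID",
}
# Payload quoted in the thread (VBarahona's post), used as sample input below.
THREAD_PAYLOAD = "Field_233=1;DIRECTION=0;NF_F_CONN_ID=34336185;Field_56701=;Field_56702=;Field_346=25461;"

def decode_field(ftype, raw, string_fields):
    """Fields in string_fields are NUL-padded text; IPv4 addresses are dotted;
    everything else is a big-endian integer, the v9 default for unknown types."""
    if ftype in string_fields:
        return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")

def parse_v9(packet, string_fields=PAN_STRING_FIELDS):
    """Decode one NetFlow v9 export packet (template + data flowsets) into dicts."""
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20              # 20-byte v9 packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                 # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:      # data flowset, known template
            fields = templates[fs_id]
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):            # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    name = FIELD_NAMES.get(ftype, f"Field_{ftype}")
                    rec[name] = decode_field(ftype, body[p:p + flen], string_fields)
                    p += flen
                records.append(rec)
        off += fs_len
    return records

def build_sample_packet():
    """CONSTRUCTED packet in the shape a PAN-OS v9 export might take; not a capture."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
              (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4), (PAN_APP_ID, 32), (PAN_USER_ID, 64)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = (bytes([10, 1, 2, 3]) + bytes([93, 184, 216, 34])
            + struct.pack("!HHB", 51514, 443, 6) + struct.pack("!II", 25461, 40)
            + b"ssl".ljust(32, b"\x00") + b"corp\\alice".ljust(64, b"\x00"))
    data += b"\x00" * ((-len(data)) % 4)               # pad to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 123456, 1443190276, 1, 0)
    return header + tmpl_fs + data_fs

def parse_qradar_payload(payload):
    """Split a Network Activity payload like the thread's ('Field_56701=;...')
    into a dict, keeping empty values so the symptom stays visible."""
    out = {}
    for kv in payload.strip(";").split(";"):
        if kv:
            key, _, value = kv.partition("=")
            out[key] = value
    return out

def pan_fields_empty(payload):
    """True when the collector stored nothing for APP-ID or USER-ID."""
    d = parse_qradar_payload(payload)
    return d.get("Field_56701", "") == "" and d.get("Field_56702", "") == ""

if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_v9(pkt)[0])                                           # strings decoded
    print(parse_v9(pkt, string_fields=frozenset())[0]["PAN_APP_ID"])  # same bytes as an int
    print(pan_fields_empty(THREAD_PAYLOAD))                           # True: the symptom
```

Run as-is to see the decoded record next to the integer rendering of the APP-ID bytes; that number is the point, since a collector with no string type for the vendor field has nothing sensible to store and the field ends up blank. To check a live system, paste a payload copied from Network Activity into `pan_fields_empty()`.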

  • ulti
    2 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2016-02-10T20:27:53Z

    Whatever happened to this? Did it get resolved? How are folks handling Palo devices now with respect to NetFlow? Or are they just forced to use syslog? Did QRadar ever fix itself to support NetFlow v9 templates?

  • ulti
    2 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2016-02-22T21:45:00Z
    • ulti
    • 2016-02-10T20:27:53Z

    Ping  @Jonathan.Pechta (IBM)

  • RajG-2016
    2 Posts

    Re: Flow from Palo Alto Firewall does not show anything useful

    2016-04-14T14:35:50Z

    From our experience it looks like QRadar can't handle NetFlow v9. We are having the same problem with PA and Cisco Nexus switches.

    Will IBM QRadar get their act together!!!

    It's been 2 years of people complaining and no reaction from IBM!

    How sad!!!