How to enable flow on your Palo Alto firewall -- AuvikFlow (Kentik)


If you're collecting flow from multiple devices sharing the same public IP, you must configure chfagent to send flow to Kentik.

These instructions assume:

Access your Palo Alto web GUI

  1. Open a web browser and type in your Palo Alto IP address.
  2. Log into your firewall.

Create a NetFlow server profile

  1. Select Device > Server Profiles > NetFlow and click Add.
  2. Enter AuvikFlow as the name for the profile.
  3. Leave the default Template Refresh Rate to 30 minutes and 20 packets.
  4. For the Active Timeout, leave the default at 5 minutes.
  5. Select the checkbox for the PAN-OS Field Types.
  6. For each NetFlow collector section, click Add.
    1. Name: AuvikFlow
    2. Server:
    3. Port: 20013
  7. Click Okay to save the profile.

Assign the NetFlow server profile

The steps below specify a LAN interface for collecting NetFlow data. For a different interface, choose your desired interface in step 2.

  1. Select Network > Interfaces > Ethernet.
  2. Click a LAN interface to edit it.
  3. In the NetFlow Profile drop-down, select the AuvikFlow server profile.
  4. Click Okay and commit your changes.
