These instructions assume:
- The date, time and time zone are correctly set on the firewall.
- You have administration access to the Palo Alto dashboard.
- The IP address of your Auvik collector is known.
If you have a shared collector and want to ensure that it receives netflow data to enable TrafficInsights, you will need to add the source IP address as a /32 in order for Auvik to register the flows from that specific address in the TrafficInsights portal. There may be some delay for the shared collector to receive the data after the change.
Note: Even if that source IP address is already being scanned, you must add a /32 targeting only the source IP address, due to some limitations, the collector can’t tell if it should be sent to site A or B.
Access the Palo Alto web interface
- Open a web browser and type in the IP address of the Palo Alto firewall.
- Log into your firewall.
Create a NetFlow server profile
- Select Device > Server Profiles > NetFlow and click Add.
- Enter TrafficInsights as the name for the profile.
- Set the default Template Refresh Rate to 5 minutes and 20 packets.
- For the Active Timeout, set the value at 1 minute.
- Select the checkbox for the PAN-OS Field Types.
- For each NetFlow collector section, click Add.
- Name: TrafficInsights
- Server: <Auvik Collector IP>
- Port: <2055, 2056, 4432, 4739, 6343, 9995 or 9996>
- Click Okay.
Assign the NetFlow server profile
The steps below specify a LAN interface for collecting NetFlow data. For a different interface, choose your desired interface in step 2.
- Select Network > Interfaces > Ethernet.
- Click a LAN interface to edit it.
- In the NetFlow Profile drop-down, select the TrafficInsights server profile.
- Click Okay.