Palo Alto Firewalls

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

Moderators: scottr, Moderator Team

Palo Alto Firewalls

Postby awysocki » Wed Feb 01, 2012 4:43 pm

Have there been any successful implementations of Scrutinizer with a Palo Alto firewall (any type)? I'm testing the PA-500 reporting to 2055, but so far I don't see the device showing up as receiving flows. I still have a task to contact them first, but wanted to see if anyone had experience with it already.

Thanks,
Andrew
awysocki
 
Posts: 8
Joined: Mon Jan 11, 2010 1:21 pm

Re: Palo Alto Firewalls

Postby pauld » Wed Feb 01, 2012 5:06 pm

Hi Andrew,

We have a Palo Alto firewall replay going to our Scrutinizer servers that we use to test with, so yes, we do have successful implementations out there.

My first question would be, are the flows from the firewall making it to the Scrutinizer server? If you take a packet capture on the Scrutinizer server do you see any NetFlow data coming from the firewall?

If you don't see any traffic, either the firewall is not configured properly or something on the network is preventing the flows from getting to the server.

If you do see traffic, on your Scrutinizer status page, search for the same IP address that you did in Wireshark and you should see the interfaces show up. If the interfaces don't show up, let us know and we can continue to investigate.

Thanks,
Paul
pauld
 
Posts: 156
Joined: Mon Jan 04, 2010 10:05 am
Location: Sanford, Maine
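
The check described in the reply above (is NetFlow from the firewall actually reaching the collector?) can be scripted over UDP payloads taken from a capture on the Scrutinizer server. This is an added example, not part of the original posts or Plixer's code; it assumes the firewall exports NetFlow v9, and the exporter address and sample datagram are constructed.

```python
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def summarize_v9(payload):
    """Return (source_id, Counter of FlowSet kinds) for one NetFlow v9 datagram."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than a NetFlow v9 header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError("version field is %d, not 9" % version)
    kinds, offset = Counter(), HEADER.size
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > len(payload):
            raise ValueError("bad FlowSet length at offset %d" % offset)
        if flowset_id == 0:
            kinds["template"] += 1
        elif flowset_id == 1:
            kinds["options_template"] += 1
        elif flowset_id >= 256:  # data FlowSets carry the ID of the template they use
            kinds["data"] += 1
        offset += length
    return source_id, kinds

def exporter_status(packets, exporter_ip):
    """packets: iterable of (source_ip, udp_payload) captured on the collector port."""
    totals, seen = Counter(), 0
    for src, payload in packets:
        if src != exporter_ip:
            continue
        seen += 1
        try:
            totals += summarize_v9(payload)[1]
        except ValueError:
            totals["undecodable"] += 1
    if seen == 0:
        return "no_traffic"            # check export destination IP, port and network path
    if totals["undecodable"] == seen:
        return "not_netflow_v9"        # something else is arriving on the port
    if totals["data"] and not totals["template"]:
        return "waiting_for_template"  # records cannot be decoded until a template arrives
    return "ok"

# Constructed sample datagram: template 256 (IPV4_SRC_ADDR, IPV4_DST_ADDR) plus one record.
FIREWALL = "192.0.2.10"  # placeholder exporter address
TEMPLATE = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
DATA = struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7]))
SAMPLE = HEADER.pack(9, 2, 1000, 1328118180, 1, 0) + TEMPLATE + DATA
print(exporter_status([(FIREWALL, SAMPLE)], FIREWALL))
```

A `no_traffic` result points at the firewall's export configuration or the network path, while `ok` means the datagrams are arriving and any remaining problem is on the collector side.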

Re: Palo Alto Firewalls

Postby mpatters » Sat Feb 11, 2012 6:05 am

We added Palo Alto Networks support in Scrutinizer v9. We added reports for Users, Application and a bunch of NAT reports. The reports are pretty cool.
http://www.plixer.com/blog/netflow-anal ... w-support/ The folks at Palo Alto did a good job on the NetFlow implementation.

Mike
Michael Patterson
Scrutinizer Product Manager
(207)324-8805 x222
Bio: viewtopic.php?f=20&t=1296
Blogs: http://www.plixer.com/blog/author/mikeplixercom/
Twitter: http://twitter.com/netflowpm
mpatters
 
Posts: 248
Joined: Mon Oct 30, 2006 11:27 pm
Location: Sanford, Maine

Re: Palo Alto Firewalls

Postby awysocki » Wed Feb 15, 2012 1:38 pm

I realized my error in the NetFlow configuration on the Palo Altos, so I updated the destination IP, and Scrutinizer has noted 2 new exporters. The only problem: they don't show up in the ungrouped category under Status->Ungrouped. I see them as managed exporters (I was able to set up SNMP to read the information). When reviewing the device details, Scrutinizer contains the interfaces that are active.

At one point, I did see one of the PA's interfaces listed under an existing group. So I was able to select it and view the different templates that are offered (which I have to say are really nice), but without being able to access the devices directly, it's not so good. Shall I open a support ticket? I'm running 9.0.0.19081 of Scrutinizer and 4.1.2 of PAN OS. I'm looking forward to the view from a Scrutinizer perspective.
awysocki
 
Posts: 8
Joined: Mon Jan 11, 2010 1:21 pm

Re: Palo Alto Firewalls

Postby scottr » Wed Feb 15, 2012 1:47 pm

Hello Andrew,

So these new devices are not showing under ungrouped, but do under Admin Tab/Definitions/Manage Exporters?

Can you give me a call, or send me an email when you are available?

Scott
scottr
 
Posts: 64
Joined: Mon Oct 05, 2009 12:22 pm

Re: Palo Alto Firewalls

Postby jpjukola » Mon Apr 02, 2012 5:08 am

Hi, I am having exactly the same issue. I have installed a Palo Alto 2050 in our network and enabled flow in the PA. We have a Scrutinizer 9.0.0.19081 with close to 50 devices currently. I can see the flows from Palo Alto reaching Scrutinizer and Palo Alto is shown in the Managed devices but does not show up in the actual Device explorer pages so can see any reports in Scrutinizer. Actually have the same problem with two HP switches; those show up in Managed devices but not in the Device explorer. These are the first devices I have tried to add since the upgrade to v.9.

JP Jukola
jpjukola
 
Posts: 2
Joined: Wed Feb 03, 2010 7:53 am

Re: Palo Alto Firewalls

Postby pauld » Mon Apr 02, 2012 7:37 am

Hello JP,

Not seeing devices show up in the device explorer menu is an issue that affected some upgrades to v9.0.0. The first thing I recommend doing is upgrading to our v9.0.1.19899 release.

If you continue to experience problems, let us know and we would be glad to assist.

Thanks,
Paul
pauld
 
Posts: 156
Joined: Mon Jan 04, 2010 10:05 am
Location: Sanford, Maine

Re: Palo Alto Firewalls

Postby thompmik » Tue Apr 03, 2012 10:56 am

So, based on this post I just upgraded to the latest release and I still have the same problem mentioned above. The PaloAlto firewall is sending flows and I can see the device in the managed devices but it is not showing up in the Device Explorer. I can search for it and its interfaces show up. I'll call support.
thompmik
 
Posts: 3
Joined: Fri Apr 24, 2009 2:55 pm

Re: Palo Alto Firewalls

Postby thompmik » Tue Apr 03, 2012 11:06 am

I upgraded to the latest release and my paloalto firewalls still don't show up in Device Explorer. They are sending flows and I can search for them and I can see them in the manage exporters and device details area.
thompmik
 
Posts: 3
Joined: Fri Apr 24, 2009 2:55 pm

Re: Palo Alto Firewalls

Postby pauld » Tue Apr 03, 2012 1:47 pm

Hello thompmik,

I see that we have a support case open with you on this. Let's get on a call to troubleshoot this issue and then I'll update this post with the resolution.

Thanks,
Paul
pauld
 
Posts: 156
Joined: Mon Jan 04, 2010 10:05 am
Location: Sanford, Maine

Re: Palo Alto Firewalls

Postby thompmik » Wed Apr 04, 2012 2:34 pm

I talked to support. They have V.9.5 in beta and it has "full support for the PaloAlto firewalls," including a fix for this issue. They are going to contact me when it's available. I'll update once I get upgraded to 9.5.
thompmik
 
Posts: 3
Joined: Fri Apr 24, 2009 2:55 pm

Re: Palo Alto Firewalls

Postby jpjukola » Thu Apr 05, 2012 7:59 am

Hi, after the upgrade to the latest released version I was able to create reports based on the PaloAlto device even though it will not show up in device explorer. The bad thing is clearly that I am not able to add PaloAlto to any maps, but at least I can now see traffic and flows.

Noticed though that I now also need to add some resources to the Scrutinizer server as the PaloAlto flows are filling up my disk ;) Need to do some fine-tuning...

JP
jpjukola
 
Posts: 2
Joined: Wed Feb 03, 2010 7:53 am

Re: Palo Alto Firewalls

Postby pauld » Thu Apr 05, 2012 11:26 am

Hi JP,

Would you like to test out the Palo Alto reporting in the v9.5.0 beta?

If you're interested, please send me an email, pauld@plixer.com, and we'll get you upgraded.

Thanks,
Paul
pauld
 
Posts: 156
Joined: Mon Jan 04, 2010 10:05 am
Location: Sanford, Maine

