Palo Alto Firewall NetFlow Integration with ThreatSync+ NDR

The Palo Alto Networks firewall uses the NetFlow protocol to export data about the IP traffic that enters its interfaces, as NetFlow fields, to a NetFlow collector. The NetFlow collector is a server that collects these network traffic records and uploads them to ThreatSync+ NDR for security, administration, accounting, and troubleshooting analysis.

WatchGuard provides integration instructions to help customers configure WatchGuard products to work with products created by other organizations. If you want more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This document describes how to integrate the Palo Alto Networks firewall with ThreatSync+ NDR with the NetFlow protocol.

Integration Summary

The hardware and software used to complete the steps outlined in this document include:

  • Palo Alto PA-220 v10.2.4
  • WatchGuard Cloud account with a ThreatSync+ NDR or Total NDR license
  • ThreatSync+ NDR Collection Agent (for more information, go to About ThreatSync+ NDR Collection Agents)

Topology

This diagram shows the integration topology of the Palo Alto Networks firewall and ThreatSync+ NDR.

Screenshot of the ThreatSync+ NDR and Palo Alto topology diagram

Configure the ThreatSync+ NDR Collection Agent

Make sure the ThreatSync+ NDR Collection Agent is installed on your Windows or Linux computer, and the status of the collection agent is Success. For detailed instructions about the ThreatSync+ NDR Collection Agent installation, go to Configure Collection Agents for ThreatSync+ NDR (Windows Computers) or Configure Collection Agents for ThreatSync+ NDR (Linux Computers).

Configure the Palo Alto Firewall

Before you can configure Palo Alto NetFlow, configure these basic settings:

  1. Log in to the Palo Alto Web UI at https://<IP address of the Palo Alto device>.
  2. Configure the interfaces.
    Screenshot of Palo Alto, Basic Settings 1
  3. Configure the zones.
    Screenshot of Palo Alto, Basic Settings 2
  4. Configure the virtual router to the Internet.
    Screenshot of Palo Alto, Basic Settings 3
  5. Configure a Source Network Address Translation (SNAT).
    Screenshot of Palo Alto, Basic Settings 4

For information about how to configure these settings, go to the Palo Alto documentation.

Configure NetFlow Profile

To configure your Palo Alto firewall as a NetFlow exporter:

  1. From the navigation bar, select Device.
  2. From the left navigation pane, select Server Profiles > NetFlow.
  3. Click Add to add a new NetFlow profile.
    The NetFlow Server Profile dialog box opens.
  4. In the Name text box, enter a descriptive name.
  5. Click Add to add a new NetFlow Server.
  6. In the Name text box, enter a name to identify the NetFlow Server.
  7. In the NetFlow Server text box, enter the IP address of your ThreatSync+ NDR Collection Agent.
  8. In the Port text box, enter 2055.
    Keep the default value for the other settings.
    Screenshot of Palo Alto, NetFlow Profile 1
  9. Click OK to save the profile.
    The profile is saved and appears in the list.
    Screenshot of Palo Alto, NetFlow Profile 2

Configure the Service Route Configuration

By default, the Palo Alto firewall uses the management interface for all service routes. This means that, unless you change the service route, NetFlow records leave through the management interface onto your management network.

To change the default NetFlow service route:

  1. From the navigation bar, select Device.
  2. From the left navigation pane, select Setup > Services.
  3. From the Services Features, select Service Route Configuration.
    The Service Route Configuration dialog box opens.
  4. Select Customize.
  5. Select the IPv4 tab.
  6. Scroll down the table and click Netflow.
  7. From the Source Interface drop-down list, select the interface that sends NetFlow records. For example, ethernet1/2. The default interface is MGT.
  8. From the Source Address drop-down list, select the source IP address for NetFlow records.
    Screenshot of Palo Alto, NetFlow Service 1
  9. Click OK to save the changes.
    Screenshot of Palo Alto, NetFlow Service 2

Assign the NetFlow Profile to the Interface

The NetFlow profile you created can be assigned to an existing interface, so that all traffic that flows through that interface is exported to the NetFlow server specified in the profile. The interface that sends the NetFlow records (the service route source interface) does not have to be the same as the interface whose traffic is collected.

To assign the NetFlow profile to the interface:

  1. From the navigation bar, select Network.
  2. From the left navigation pane, select Interface.
  3. Click the interface you want to collect NetFlow records for. For example, ethernet1/1.
    The Ethernet Interface dialog box opens.
  4. From the Netflow Profile drop-down list, select the NetFlow profile you created.
    Screenshot of Palo Alto, NetFlow Profile Assign
  5. Click OK to save the changes.
  6. (Optional) Repeat Steps 3-5 to assign the NetFlow profile to other interfaces that you want to collect NetFlow records for.

Commit the Configuration

To commit your configuration changes:

  1. From the upper-right corner, click Commit.
  2. In the Commit dialog box, select Commit All Changes. Click Commit to commit your configuration.

Test the Integration

To test the Palo Alto Firewall integration with ThreatSync+ NDR:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ Integrations > Collection Agents. If you have a Service Provider account, you must select an account from Account Manager.
  3. Select the ThreatSync+ NDR Collection Agents tab to view the Last Activity column of your collection agent. This column shows the last time the collection agent uploaded NetFlow records to ThreatSync+ NDR. The first upload might take a few hours.
    Screenshot of WatchGuard Cloud, the ThreatSync+ Collectors page, Test Integration 1
  4. From the navigation menu, select Monitor > ThreatSync+ to view the Network Summary page.
    Screenshot of WatchGuard Cloud, the ThreatSync+ Network Summary page, Test Integration 2
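Because the first upload can take hours, it helps to confirm on the collection agent host that the firewall's export is arriving on UDP 2055 from the service route source address you configured. The following is an added example and not part of this integration guide or any WatchGuard tool; it assumes the firewall exports NetFlow version 9 (the version PAN-OS uses) and that 192.0.2.1 stands in for your service route source address.

```python
import struct

# Values from the integration steps above. The exporter address is an assumption:
# it is whatever you chose as Source Address in the NetFlow service route.
COLLECTOR_PORT = 2055
EXPECTED_EXPORTER_IP = "192.0.2.1"   # assumed service-route source address
NETFLOW_V9 = 9
V9_HEADER = struct.Struct("!HHIIII")  # version, count, uptime, unix secs, sequence, source id

def parse_v9_header(datagram: bytes) -> dict:
    """Parse the fixed 20-byte NetFlow v9 packet header (RFC 3954, section 5.1)."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, src_id = V9_HEADER.unpack_from(datagram)
    if version != NETFLOW_V9:
        raise ValueError(f"unexpected NetFlow version {version}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": src_id}

def check_export(src_ip: str, dst_port: int, datagram: bytes) -> list:
    """Return the problems found with one received datagram; an empty list means it looks right."""
    problems = []
    if dst_port != COLLECTOR_PORT:
        problems.append(f"arrived on UDP {dst_port}, expected {COLLECTOR_PORT}")
    if src_ip != EXPECTED_EXPORTER_IP:
        problems.append(f"source {src_ip} is not the configured service-route address")
    try:
        parse_v9_header(datagram)
    except ValueError as err:
        problems.append(str(err))
    return problems

# Constructed sample header: version 9, 1 FlowSet, uptime 5000 ms, epoch 1700000000,
# sequence 42, source id 1. Only the header is needed for these checks.
SAMPLE = V9_HEADER.pack(9, 1, 5000, 1700000000, 42, 1)

def listen_once(port: int = COLLECTOR_PORT, timeout: float = 30.0) -> list:
    """Receive one real datagram on the collector port and run the same checks on it."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        data, (src_ip, _) = sock.recvfrom(65535)
    return check_export(src_ip, port, data)

if __name__ == "__main__":
    print(check_export(EXPECTED_EXPORTER_IP, COLLECTOR_PORT, SAMPLE))
```

Run listen_once() only while the collection agent itself is stopped, because only one process can bind UDP 2055 at a time; a non-empty list points at the profile port, the service route, or a firewall that is not exporting at all.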

For more information about ThreatSync+, go to ThreatSync+.