Using Palo Alto IPFIX for App_ID in GigaFlow

configuring Palo Alto FW’s to export IPFIX to GigaFlow and using the App_ID field that does “sub-application” lookup which they pay a service to perform.  You will see directly below how it will breakdown all types of traffic, Facebook being one, where it’ll show FB video, FB base, FB wall post, FB messenger, etc…

Here are the configurations in the Palo Alto for the IPFIX exports to correctly export to GigaFlow:

Flow Exports - Configure IPFIX exports on Palo Alto devices.

Step 1:  Create a NetFlow server profile.

• Select Device Server Profiles NetFlow and click Add
• Enter a Name for the profile (name it XXX-NetFlow-Collectors)
• Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (change to 10) and Packets (exported records—keep default at 20)
• For the Active Timeout, specify the frequency in minutes at which the firewall exports records (change to 1).
• Select the PAN-OS Field Types check the box to export App-ID and User-ID fields.
• For each NetFlow collector that will receive fields, click Add and enter an identifying GigaFlow,

enter GigaFlow IP address, and access Port (keep default as 2055).

• Click OK to save the profile.

Step 2.  Assign the NetFlow server profile (XXX-NetFlow-Collectors) to the interfaces that carry the traffic you want to analyze.  (Select the Loopback interface to carry the traffic).

• Select Network Interfaces (Loopback) and click an interface name (Loopback) to edit it.

You can export NetFlow records for Layer 3, Layer 2, etc..  (Choose only to export Layer 3 traffic)

• In the NetFlow Profile drop-down, select the NetFlow server profile (Carnival-NetFlow-Collectors) and click OK
• Then Click Commit