Using nProbe for Collecting Palo Alto Flows


NOTE: This article is outdated. Please see “Collecting Proprietary Flows with nProbe” to learn how to collect proprietary Palo Alto flows.

nProbe is both a probe and a NetFlow/IPFIX/sFlow collector. We have recently added the ability to collect flows carrying proprietary information elements by describing them to nProbe. In addition, nProbe natively understands the proprietary elements exported by popular devices such as Cisco NBAR and Palo Alto security appliances, so no extra description is needed for them. In this article we show how to collect Palo Alto flows with nProbe.

A typical Palo Alto flow is depicted below.

As explained in this document, the last two fields, with element ids 56701 and 56702, carry the Palo Alto App-ID and User-ID respectively. Typing ‘nprobe -H’ lists all the information elements natively supported by the nProbe engine; nProbe exposes the two Palo Alto elements under its own ids, as shown here:

$ nprobe -H | grep -i Palo
[57899] %APPLICATION_NAME                                     Palo Alto App-Id
[57900] %USER_NAME                                            Palo Alto User-Id

So the nProbe engine supports the proprietary App-ID and User-ID elements, and it also supports the standard IPFIX post-NAT elements (POST_NAT_SRC_IPV4_ADDR, POST_NAPT_SRC_TRANSPORT_PORT and so on) that Palo Alto devices export. To collect these flows on UDP port 2055 and dump them under /flows in text format, without capturing from any interface (-i none) and without re-exporting them (-n none), you can use for instance the following command:

nprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %POST_NAT_SRC_IPV4_ADDR %POST_NAT_DST_IPV4_ADDR %POST_NAPT_DST_TRANSPORT_PORT %POST_NAPT_SRC_TRANSPORT_PORT %APPLICATION_ID %APPLICATION_NAME" -i none -n none -3 2055 -P /flows

Flows in the resulting dump are pipe-separated, one per line, with the fields in the same order as the -T template. Two typical flows (addresses partially anonymised as X and Y) look like this:


172.16.X.Y|X.X.X.X|500010000|8|42|19639|1524754795|1524754857|45829|7351|0|17|X.X.X.X|X.X.X.X|7351|52092|0|meraki-cloud-controller
Y.Y.Y.Y|11|500010000|0|0|1524754856|1524754856|123|19650|0|17|X.X.X.X|172.16.X.Y|123|123|0|ntp
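Because each dumped line follows the -T template field for field, the dump is easy to post-process. The following Python script is an added example, not code from the nProbe sources or from the original post: it parses such a dump, flags flows whose post-NAT address or port (the Palo Alto post-NAT elements) differs from the pre-NAT one, and totals bytes per App-ID. The first sample line is the first flow shown above; the second and third lines are constructed to exercise the NAT check with a translated TCP flow and an untranslated NTP flow.

```python
"""Parse an nProbe text dump (-P <dir>) produced with the -T template above.

Added example, not part of the original nProbe post. It assumes the dump
lines are '|'-separated in the exact order of the -T template, which is
what the sample flows above show.
"""
from collections import defaultdict

# The -T template used in the nprobe command above, in field order.
TEMPLATE = (
    "%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES "
    "%FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL "
    "%POST_NAT_SRC_IPV4_ADDR %POST_NAT_DST_IPV4_ADDR "
    "%POST_NAPT_DST_TRANSPORT_PORT %POST_NAPT_SRC_TRANSPORT_PORT "
    "%APPLICATION_ID %APPLICATION_NAME"
)
FIELDS = [f.lstrip("%") for f in TEMPLATE.split()]

# Fields that are numeric in the dump; everything else stays a string.
INT_FIELDS = {
    "INPUT_SNMP", "OUTPUT_SNMP", "IN_PKTS", "IN_BYTES", "FIRST_SWITCHED",
    "LAST_SWITCHED", "L4_SRC_PORT", "L4_DST_PORT", "TCP_FLAGS", "PROTOCOL",
    "POST_NAPT_DST_TRANSPORT_PORT", "POST_NAPT_SRC_TRANSPORT_PORT",
    "APPLICATION_ID",
}

# Constructed sample dump: line 1 is the first flow shown in the post
# (anonymised X/Y octets kept verbatim); lines 2 and 3 are made up to show
# a source-NATted TCP flow and an untranslated NTP flow.
SAMPLE_DUMP = """\
172.16.X.Y|X.X.X.X|500010000|8|42|19639|1524754795|1524754857|45829|7351|0|17|X.X.X.X|X.X.X.X|7351|52092|0|meraki-cloud-controller
10.0.0.5|93.184.216.34|500010000|8|12|3400|1524754900|1524754902|51000|443|27|6|203.0.113.7|93.184.216.34|443|51000|0|ssl
10.0.0.9|10.0.0.1|500010000|8|2|180|1524754910|1524754910|123|123|0|17|10.0.0.9|10.0.0.1|123|123|0|ntp
"""


def parse_line(line):
    """Turn one dump line into a dict keyed by template field name."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        # A line with the wrong field count means the dump was produced with a
        # different -T template (or was truncated); refuse rather than misalign.
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_dump(text):
    """Parse every non-empty line of a dump file's contents."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_natted(rec):
    """True when the firewall reports a post-NAT address or port that differs
    from the pre-NAT value, i.e. the flow was translated by the Palo Alto."""
    return (
        rec["POST_NAT_SRC_IPV4_ADDR"] != rec["IPV4_SRC_ADDR"]
        or rec["POST_NAT_DST_IPV4_ADDR"] != rec["IPV4_DST_ADDR"]
        or rec["POST_NAPT_SRC_TRANSPORT_PORT"] != rec["L4_SRC_PORT"]
        or rec["POST_NAPT_DST_TRANSPORT_PORT"] != rec["L4_DST_PORT"]
    )


def bytes_by_app(records):
    """Total IN_BYTES per Palo Alto App-ID name."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["APPLICATION_NAME"]] += rec["IN_BYTES"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_dump(SAMPLE_DUMP)
    for rec in flows:
        nat = "NAT" if is_natted(rec) else "no-NAT"
        print(f"{rec['IPV4_SRC_ADDR']}:{rec['L4_SRC_PORT']} -> "
              f"{rec['IPV4_DST_ADDR']}:{rec['L4_DST_PORT']} "
              f"proto={rec['PROTOCOL']} app={rec['APPLICATION_NAME']} {nat}")
    print(bytes_by_app(flows))
```

To run it against a real dump, replace SAMPLE_DUMP with the contents of a file under /flows; if you change the -T template in the nprobe command, change TEMPLATE to match, since the parser only knows the field order from it.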

Of course, in addition to dumping flows to a file, nProbe can forward them to ntopng via ZMQ or export them to ElasticSearch and Kafka in JSON format.

Enjoy!