NOTE: This article is outdated. Please see “Collecting Proprietary Flows with nProbe” for learning how to collect proprietary Palo Alto flows.
nProbe is both a probe and a NetFlow/sFlow collector. As you may know, we have recently added the ability to collect flows with proprietary information elements. In addition, nProbe natively supports popular flow exporters such as Cisco NBAR and Palo Alto security devices. In this article we show you how to collect Palo Alto flows in nProbe.
A typical Palo Alto flow is depicted below.
As explained in this document, the last two fields, identified with Id 56701 and 56702, identify respectively the App-ID and User-ID. Typing ‘nprobe -H’ you can see all the information elements natively supported by the nProbe engine. As you can see
$ nprobe -H | grep -i Palo
[57899] %APPLICATION_NAME Palo Alto App-Id
[57900] %USER_NAME Palo Alto User-Id
the nProbe engine supports both the proprietary elements and the standard Post XXXX elements. So in order to collect these flows on port 2055 and dump them on /flows in text format, you can use for instance the following command:
nprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %POST_NAT_SRC_IPV4_ADDR %POST_NAT_DST_IPV4_ADDR %POST_NAPT_DST_TRANSPORT_PORT %POST_NAPT_SRC_TRANSPORT_PORT %APPLICATION_ID %APPLICATION_NAME" -i none -n none -3 2055 -P /flows
A typical flow will look like
172.16.X.Y|X.X.X.X|500010000|8|42|19639|1524754795|1524754857|45829|7351|0|17|X.X.X.X|X.X.X.X|7351|52092|0|meraki-cloud-controller
Y.Y.Y.Y|11|500010000|0|0|1524754856|1524754856|123|19650|0|17|X.X.X.X|172.16.X.Y|123|123|0|ntp
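As an added example (not part of the original article and not ntop code), the Python script below reads rows in the text format shown above, sets aside any row whose column count does not match the -T template, and totals traffic per Palo Alto App-ID name while mapping each post-NAT source address back to the internal hosts behind it. It assumes the dump contains pipe-separated rows in the template order; the sample rows are constructed with documentation addresses, and the function names are hypothetical.

```python
from collections import defaultdict

# Field order copied from the -T template used in this article.
FIELDS = ("IPV4_SRC_ADDR IPV4_DST_ADDR INPUT_SNMP OUTPUT_SNMP IN_PKTS IN_BYTES "
          "FIRST_SWITCHED LAST_SWITCHED L4_SRC_PORT L4_DST_PORT TCP_FLAGS PROTOCOL "
          "POST_NAT_SRC_IPV4_ADDR POST_NAT_DST_IPV4_ADDR "
          "POST_NAPT_DST_TRANSPORT_PORT POST_NAPT_SRC_TRANSPORT_PORT "
          "APPLICATION_ID APPLICATION_NAME").split()
COUNTERS = ("IN_PKTS", "IN_BYTES", "FIRST_SWITCHED", "LAST_SWITCHED")

# Constructed sample rows (documentation addresses, not real captures).
# The last row is one column short, to exercise the rejection path.
SAMPLE = """\
172.16.0.10|198.51.100.7|500010000|8|42|19639|1524754795|1524754857|45829|7351|0|17|203.0.113.5|198.51.100.7|7351|52092|0|meraki-cloud-controller
172.16.0.11|198.51.100.9|500010000|8|3|228|1524754856|1524754856|123|123|0|17|203.0.113.5|198.51.100.9|123|40001|0|ntp
172.16.0.10|198.51.100.7|500010000|8|10|1000|1524754900|1524754910|45830|7351|0|17|203.0.113.5|198.51.100.7|7351|52093|0|meraki-cloud-controller
198.51.100.9|11|500010000|0|0|1524754856|1524754856|123|19650|0|17|203.0.113.5|172.16.0.11|123|123|0|ntp
"""

def parse_flows(text):
    """Split dump text into (flows, rejected) using the template order."""
    flows, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|")
        if len(values) != len(FIELDS):
            rejected.append(line)          # column count differs from template
            continue
        flow = dict(zip(FIELDS, values))
        try:
            flow.update({k: int(flow[k]) for k in COUNTERS})
        except ValueError:                 # e.g. a header or corrupted row
            rejected.append(line)
            continue
        flows.append(flow)
    return flows, rejected

def summarize(flows):
    """Per-application flow/byte totals, plus internal hosts behind each NAT IP."""
    apps = defaultdict(lambda: {"flows": 0, "bytes": 0})
    nat = defaultdict(set)
    for f in flows:
        apps[f["APPLICATION_NAME"]]["flows"] += 1
        apps[f["APPLICATION_NAME"]]["bytes"] += f["IN_BYTES"]
        nat[f["POST_NAT_SRC_IPV4_ADDR"]].add(f["IPV4_SRC_ADDR"])
    return dict(apps), dict(nat)

if __name__ == "__main__":
    flows, rejected = parse_flows(SAMPLE)
    print(summarize(flows), f"rejected rows: {len(rejected)}")
```

Rejected rows are worth reviewing rather than discarding: a column shift silently moves an address or port into the wrong field and skews any per-application or per-host total built on it.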
Of course, in addition to dumping flows to a file, nProbe allows you to forward them to ntopng via ZMQ or export them to Elasticsearch and Kafka in JSON format.
Enjoy!