Closed andressalesa closed 7 years ago
If I run nprobe with `nProbe --zmq "tcp://*:5556" -V 9 -i none -n none --collector-port 2055` I don't see the "Palo Alto extra fields" in the flow info.
It looks like you didn't specify the fields in the nprobe template:
`nProbe --zmq "tcp://*:5556" -V 9 -i none -n none --collector-port 2055`
Please add the -T option with the Palo Alto field %APPLICATION_NAME.
Hi,
As I said in my post, I tested the command:
`nProbe --zmq "tcp://*:5556" -V 9 -i none -n none --collector-port 2055 -T "%IPV4_DST_ADDR %IPV4_SRC_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %tcp_flags %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME"`
I specified the fields %APPLICATION_NAME %USER_NAME.
This is what causes the flows that carry this information not to appear in ntopng.
If I use this command:
`nProbe --zmq "tcp://*:5556" -V 9 -i none -n none --collector-port 2055 -T "%APPLICATION_NAME"` I see errors in the console and it does not show flows.
If I open a host, then a flow, then the info button, I don't see the "extra" information.
I read in this link
http://www.netflowauditor.com/forum/viewtopic.php?f=67&t=140
that the default fields for NetFlow v9 are
"%IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %INPUT_SNMP %OUTPUT_SNMP %IN_BYTES %IN_PKTS %SRC_TOS"
If I use
`nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %INPUT_SNMP %OUTPUT_SNMP %IN_BYTES %IN_PKTS %SRC_TOS %L7_PROTO %L7_PROTO_NAME %USER_NAME %APPLICATION_NAME" -b 2`
I see flows in the nprobe console but nothing in ntopng.
In this URL, Palo Alto explains which fields it exports to NetFlow.
I created a template to gather this information and it does not work either.
`nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 -T "%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %INPUT_SNMP %L4_DST_PORT %OUTPUT_SNMP %LAST_SWITCHED %IPV6_SRC_ADDR %IPV6_DST_ADDR %ICMP_TYPE %DIRECTION %FLOW_ID %APPLICATION_NAME %USER_NAME"`
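The templates in this thread only work when every field is written as `%FIELD` and the two Palo Alto fields are both present. The following is an added helper, not part of the issue or of nProbe itself: it checks a `-T` string for those two conditions before composing the collector command line (the ZMQ endpoint and collector port are the ones used in this thread; the check is a plain shell sanity check, not nProbe's own template parser).

```shell
# Added example: sanity-check an nProbe -T template before starting the collector.
# Assumption: fields are space-separated tokens, each written as %NAME.
check_template() {
  tpl="$1"
  have_app=0
  have_user=0
  for f in $tpl; do
    case "$f" in
      %*) ;;   # well-formed field
      *) echo "bad field (missing leading %): $f" >&2; return 1 ;;
    esac
    [ "$f" = "%APPLICATION_NAME" ] && have_app=1
    [ "$f" = "%USER_NAME" ] && have_user=1
  done
  # Without both Palo Alto fields the user/application data is never exported to ntopng.
  if [ "$have_app" -eq 0 ] || [ "$have_user" -eq 0 ]; then
    echo "template lacks %APPLICATION_NAME and/or %USER_NAME" >&2
    return 1
  fi
  return 0
}

# Compose the nprobe command line used in this thread with a validated template.
build_cmd() {
  tpl="$1"
  check_template "$tpl" || return 1
  printf 'nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 -T "%s"\n' "$tpl"
}

# Example run on the thread's last template (constructed input for illustration).
build_cmd "%IN_BYTES %IN_PKTS %PROTOCOL %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %APPLICATION_NAME %USER_NAME"
```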
@andressalesa we made a fix in nprobe that may solve the issue: https://github.com/ntop/nProbe/issues/127
Please update ntopng and nprobe to the latest dev builds and reopen if necessary. Thank you.
The Palo Alto firewall can be configured to identify the user that is making a request. It also has categorized applications.
According to the manual, these fields can be collected: "%APPLICATION_NAME, %USER_NAME".
If I run the following statement
`nProbe --zmq "tcp://*:5556" -V 9 -i none -n none --collector-port 2055 -T "%IPV4_DST_ADDR %IPV4_SRC_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %tcp_flags %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME"`
I can see these fields and they appear for the user networks. Palo Alto resolves names with Active Directory and gets %user_name.
But ntopng does not show these flows, and therefore not the networks where this resolution takes place.
For example, in other programs such as Scrutinizer they are captured and displayed. It's possible.
The nProbe and ntopng versions are the latest available as of today in the Community version.
Thank you