
Application Enrichment — Palo Alto

Note: Enriched fields produced by this configuration are applied and available in the Network Conversations Module output.

Palo Alto NGFW devices enrich flow records with App-ID and User-ID, the firewall's native layer-7 application classification and user attribution fields. This gives NFO named application visibility (e.g., salesforce, zoom, bittorrent) across all traffic, including sessions encrypted with SSL/TLS, without requiring a separate DPI infrastructure.


How It Works

Palo Alto firewalls perform application identification inline using the App-ID engine, which classifies traffic based on behavioral analysis, protocol decoding, and signature matching, regardless of port or encryption. Application and user data are exported as PAN-OS-specific fields within standard NetFlow v9 records.

To receive application data in NFO, the PAN-OS Field Types option must be enabled in the NetFlow server profile. Without it, the firewall exports standard flow fields only and application names are not included.


Prerequisites

  • PAN-OS: 8.0 or later recommended
  • App-ID: Enabled (default on all interfaces)
  • Network connectivity: Firewall must reach the NFO IP on the configured UDP port (default: 9996)
  • Note: NetFlow export is not supported on PA-4000 Series devices

Quick Configuration (GUI)

Palo Alto NetFlow is configured via the GUI in two steps.

Step 1 — Define a NetFlow server profile:

Navigate to Device > Server Profiles > NetFlow and add a new profile:

| Field | Recommended value |
|---|---|
| Template Refresh Rate | 1 minute |
| Active Timeout | 1 minute |
| PAN-OS Field Types | ✅ Enable (required for App-ID and User-ID) |
| Server / Port | <NFO_IP_ADDRESS> / 9996 |

Step 2 — Assign the profile to interfaces:

Navigate to Network > Interfaces > Ethernet, click each interface, and select the NetFlow profile from the NetFlow Profile dropdown.

Repeat Step 2 for all interfaces carrying traffic you want to monitor. For PA-7000 and PA-5200 Series firewalls, also configure a service route under Device > Setup > Services.
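To confirm that the PAN-OS Field Types option took effect, the NetFlow v9 templates arriving at the collector can be checked for the App-ID and User-ID fields. The following is an added example, not part of the NFO product or the original page; it assumes the field type numbers 56701 (App-ID) and 56702 (User-ID) from Palo Alto's NetFlow template documentation, and the sample packets are constructed.

```python
import struct

# PAN-OS field types per Palo Alto's NetFlow template documentation
# (assumption: confirm the numbers against your PAN-OS release).
PANOS_FIELDS = {56701: "App-ID", 56702: "User-ID"}

def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, length), ...]} from one NetFlow v9 packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than NetFlow v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        pos, end = off + 4, off + fs_len
        # Flowset ID 0 carries template records; data flowsets are skipped.
        while fs_id == 0 and pos + 4 <= end:
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            if tid < 256:  # template IDs start at 256; anything lower is padding
                break
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        off += fs_len
    return templates

def missing_panos_fields(templates: dict) -> list:
    """Names of PAN-OS fields that no template in the packet declares."""
    seen = {ftype for fields in templates.values() for ftype, _ in fields}
    return sorted(name for ftype, name in PANOS_FIELDS.items() if ftype not in seen)

def build_packet(fields, template_id=256) -> bytes:
    """Build a constructed v9 packet with one template (sample input only)."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

# Constructed samples: standard v9 fields only, then with PAN-OS fields added.
STANDARD = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
STANDARD_ONLY = build_packet(STANDARD)
WITH_PANOS = build_packet(STANDARD + [(56701, 32), (56702, 64)])
```

Run `missing_panos_fields(parse_templates(payload))` on UDP payloads received on the collector port; a non-empty result after a template refresh interval has passed means the profile is exporting standard fields only.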


Reference Documentation