Check Point GAiA Gateway Security Appliance: Using NetFlow for Network Security Forensics

Check Point GAiA is the next generation Secure Operating System for all Check Point Appliances, Open Servers and Virtualized Gateways, and it offers an option for NetFlow configuration.

Check Point GAiA combines the best features from IPSO and SecurePlatform into a single unified OS providing greater efficiency and robust performance.

Check Point consistently ranks at the top of the Gartner Magic Quadrant for Enterprise Firewalls, and it is one of many next generation firewall vendors that offer NetFlow reporting.

Just as you have been able to do on Check Point firewalls since IPSO version 6.2, you can configure Check Point GAiA to export flow records using either NetFlow version 5 or version 9. All of the traffic that is accelerated by SecureXL can be monitored and exported using NetFlow.

A few other points about the NetFlow configuration are worth noting:

  • If SecureXL is not enabled or not working, NetFlow packets are not sent.
  • The IP addresses and TCP/UDP ports reported by NetFlow are the ones on which the gateway expects to receive traffic. For NATed connections, therefore, one of the two directions of the flow is reported with the translated address.
  • NetFlow sends connection records only after the connections have terminated, so if the system is idle or the connections are long-lived, you may have to wait to see NetFlow packets.

The Check Point GAiA NetFlow configuration exports values for the following fields:

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Ingress physical interface index (defined by SNMP)
  • Egress physical interface index (defined by SNMP)
  • Packet count for this flow
  • Byte count for this flow
  • Start of flow timestamp (FIRST_SWITCHED)
  • End of flow timestamp (LAST_SWITCHED)
  • IP protocol number
  • TCP flags from the flow (TCP only)
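The field list above maps directly onto the fixed 48-byte NetFlow v5 record (the v9 template-based format carries the same fields, just with a variable layout). The following is an added example, not code from the original post or from Check Point: it builds a v5 datagram from constructed sample flows and parses one back, rejecting truncated datagrams whose header count promises more records than the payload actually contains. Field names such as `input_ifindex` and `first_switched` are this example's own choices; the wire layout is the standard Cisco v5 format.

```python
"""Encode and decode NetFlow v5 datagrams carrying the fields listed above.

Added example: the sample flows are constructed, not captured from a gateway.
"""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout (Cisco-defined): 24-byte header followed by 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30                           # a v5 datagram carries at most 30 records


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    input_ifindex: int    # ingress SNMP ifIndex
    output_ifindex: int   # egress SNMP ifIndex
    packets: int
    octets: int
    first_switched: int   # sysUptime in ms when the first packet was seen
    last_switched: int    # sysUptime in ms when the last packet was seen
    protocol: int         # IP protocol number (6 = TCP, 17 = UDP)
    tcp_flags: int        # cumulative OR of TCP flags; 0 for non-TCP


def encode_v5(records, sys_uptime=0, unix_secs=0, flow_sequence=0, engine_id=0):
    """Serialise FlowRecords into one NetFlow v5 datagram."""
    if len(records) > MAX_RECORDS:
        raise ValueError("NetFlow v5 datagram carries at most 30 records")
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0,
                         flow_sequence, 0, engine_id, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(r.src_ip), socket.inet_aton(r.dst_ip),
                    b"\x00" * 4,                      # nexthop: not in the exported field list
                    r.input_ifindex, r.output_ifindex,
                    r.packets, r.octets, r.first_switched, r.last_switched,
                    r.src_port, r.dst_port,
                    0, r.tcp_flags, r.protocol, 0,    # pad1, tcp_flags, prot, tos
                    0, 0, 0, 0, 0)                    # src_as, dst_as, masks, pad2
        for r in records)
    return header + body


def decode_v5(data):
    """Parse a v5 datagram; returns (header dict, list of FlowRecord)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short datagram: no complete header")
    (version, count, sys_uptime, unix_secs, _nsecs, seq,
     _etype, _eid, _sampling) = struct.unpack_from(HEADER_FMT, data, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    # A collector must not trust the header count blindly: a truncated or
    # malformed datagram would otherwise read past the end of the buffer.
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram shorter than its header count implies")
    records = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        (src, dst, _nexthop, inp, outp, pkts, octs, first, last,
         sport, dport, _pad1, flags, prot, _tos, *_rest) = fields
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, inp, outp, pkts, octs,
                                  first, last, prot, flags))
    return {"sys_uptime": sys_uptime, "unix_secs": unix_secs, "flow_sequence": seq}, records


# Constructed sample: one HTTPS session and one DNS lookup through the gateway.
SAMPLE_FLOWS = [
    FlowRecord("10.0.5.7", "203.0.113.10", 51234, 443, 2, 1, 18, 4211, 1000, 4200, 6, 0x1b),
    FlowRecord("10.0.5.7", "10.0.0.53", 40001, 53, 2, 3, 1, 78, 1500, 1500, 17, 0),
]


def roundtrip(records=SAMPLE_FLOWS):
    """Encode then decode; returns the decoded records for inspection."""
    _, decoded = decode_v5(encode_v5(records, sys_uptime=5000, flow_sequence=42))
    return decoded


if __name__ == "__main__":
    for rec in roundtrip():
        print(rec)
```

The length check in `decode_v5` is the part worth copying into any home-grown collector: the header's record count is attacker-influenced input on a UDP port, and a parser that trusts it will either crash or read stale buffer memory.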

Check Point GAiA NetFlow configuration using the WebUI:

  1. Open the Network Management > NetFlow Export page of the WebUI.
  2. Click Add.
  3. Enter the required data for each collector from the table below:

[Table: NetFlow collector settings (not reproduced in this extract)]

NetFlow and IPFIX are great for knowing the who, what, and when of your network traffic. Using flow technologies to monitor communication behaviors, and even to maintain baselines, is becoming more relevant every day. By collecting flows that represent all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network as well as those moving laterally inside it. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can often recognize enough odd behavior to identify an infection. Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and adds considerable security value.

The majority of next generation firewall vendors are now incorporating NetFlow export in their solutions. Learn how you can leverage NetFlow and IPFIX to detect advanced persistent threats and provide a more complete security solution.


Scott

Scott provides Pre Sales Technical Support to the Sales team at Plixer. Scott comes from a technical support background, having years of experience doing everything from customer account management to system programming. Some of his interests include coaching youth sports programs here in Sanford, playing drums and guitar in local jam bands, and playing in neighborhood lawn dart tournaments.
