Blog :: Netflow :: NetFlow Analyzer

NetFlow from a Checkpoint Firewall

I wonder how many firewalls (IP Security Appliances) have been sold to date.  Since we have been in business, we have purchased 4. I can’t imagine a company being attached to the internet without one.

Currently we have both a SonicWALL and a Cisco ASA.   It is great to see that some firewalls such as the Cisco ASA, Fortinet  and Checkpoint are now supporting NetFlow. 

I would like to see Watchguard and NetStream support it, but I couldn’t find anything on the internet referencing their support for NetFlow. Hopefully they are considering it.  Most vendors now are supporting either netflow or sflow.

I found in the Checkpoint IPSO 6.2 Reference Guide how to configure NetFlow.  If you click on the above link, on the left, click on “Traffic management commands” and then click on “NetFlow Commands” you can follow the directions to enable NetFlow (p. 462).  It was nice to see that it supports NetFlow v5 and NetFlow v9 as well as the active and inactive timeout functions.
Checkpoint Netflow Commands
You can use the Netflow support in IPSO to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network “flows.” A flow is a unidirectional stream of packets that share a given set of characteristics. Use the following commands to configure Netflow services.

set netflow

  •  active-timeout seconds
  • collector ip ip_address port port_number
  • enable-acl <on | off>
  • enable-flows <on | off>
  • export-format <Netflow_V5 | Netflow_V9 | None>
  • inactive-timeout seconds
  • srcaddr ip_address

show netflow

  • all
  • active-timeout
  • collector
  • enable-acl
  • enable-flows
  • export-format
  • inactive-timeout
  • srcaddr


Active-timeout seconds Specifies the number of seconds after which IPSO should export a record for a flow when the flow is still active.

collector ip ip_address port port_number Specifies the IP address and port number of the Netflow collector.

enable-acl <on | off> Enables or disables ACL metering mode. If you use this mode, you define flows by configuring ACL rules. All the traffic that matches a rule is exported in one flow record.

enable-flows <on | off> Enables or disables flow metering mode. If you use this mode, a flow is any sequence of packets that share

• Source and destination IP addresses
• Source and destination port numbers
IP protocol IPSO exports each flow in an individual flow record

export-format <Netflow_V5 | Netflow_ V9 |None> Specifies the format of the export flow records. This format must be supported by the flow collector.

inactive-timeout seconds Specifies the number of seconds to wait while a flow is inactive (no traffic) but has not been terminated. If the specified number of seconds elapses, IPSO exports a record for the flow.

srcaddr ip_address Specifies the source (local) IP address to be used in export records. If this is not configured, the address is chosen based on the route to the collector’s address.

If you have a Checkpoint firewall, give us a call if you need help setting it up.  Also, we are looking for a packet capture from one of these if you can take a few minutes to send us one. We want to test it against our NetFlow collector and our NetFlow Analyzer reporting.

April 2012 Update: Barracuda, Cisco ASA, Palo Alto Networks and SonicWALL all support NetFlow (or IPFIX) exports.