I wonder how many firewalls (IP Security Appliances) have been sold to date. Since we have been in business, we have purchased 4. I can’t imagine a company being attached to the internet without one.
Currently we have both a SonicWALL and a Cisco ASA. It is great to see that some firewalls such as the Cisco ASA, Fortinet and Checkpoint are now supporting NetFlow.
I would like to see WatchGuard and NetStream support it, but I couldn’t find anything on the internet referencing their support for NetFlow. Hopefully they are considering it. Most vendors now support either NetFlow or sFlow.
I found in the Checkpoint IPSO 6.2 Reference Guide how to configure NetFlow. If you click on the above link, on the left, click on “Traffic management commands” and then click on “NetFlow Commands” you can follow the directions to enable NetFlow (p. 462). It was nice to see that it supports NetFlow v5 and NetFlow v9 as well as the active and inactive timeout functions.
Checkpoint Netflow Commands
You can use the Netflow support in IPSO to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network “flows.” A flow is a unidirectional stream of packets that share a given set of characteristics. Use the following commands to configure Netflow services.
set netflow
- active-timeout seconds
- collector ip ip_address port port_number
- enable-acl <on | off>
- enable-flows <on | off>
- export-format <Netflow_V5 | Netflow_V9 | None>
- inactive-timeout seconds
- srcaddr ip_address
show netflow
- all
- active-timeout
- collector
- enable-acl
- enable-flows
- export-format
- inactive-timeout
- srcaddr
Arguments
- active-timeout seconds: Specifies the number of seconds after which IPSO should export a record for a flow when the flow is still active.
- collector ip ip_address port port_number: Specifies the IP address and port number of the Netflow collector.
- enable-acl <on | off>: Enables or disables ACL metering mode. If you use this mode, you define flows by configuring ACL rules. All the traffic that matches a rule is exported in one flow record.
- enable-flows <on | off>: Enables or disables flow metering mode. If you use this mode, a flow is any sequence of packets that share
  • Source and destination IP addresses
  • Source and destination port numbers
  • IP protocol
  IPSO exports each flow in an individual flow record.
- export-format <Netflow_V5 | Netflow_V9 | None>: Specifies the format of the export flow records. This format must be supported by the flow collector.
- inactive-timeout seconds: Specifies the number of seconds to wait while a flow is inactive (no traffic) but has not been terminated. If the specified number of seconds elapses, IPSO exports a record for the flow.
- srcaddr ip_address: Specifies the source (local) IP address to be used in export records. If this is not configured, the address is chosen based on the route to the collector’s address.
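To show what the active and inactive timeouts actually do to the records a collector receives, here is an added Python model of an exporter's flow cache (my own illustration, not Check Point's or Plixer's code). Flows are keyed by the five fields listed under enable-flows, the 60 s / 15 s values are the ones suggested in the comments below, and the addresses and packet timings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class FlowState:
    first: float      # time of the first packet counted in the current record
    last: float       # time of the most recent packet
    packets: int = 0
    octets: int = 0

class FlowCache:
    """Model of an exporter's flow cache with active/inactive timeouts (seconds).
    Keys are the IPSO flow-metering 5-tuple: src IP, dst IP, src port, dst port, protocol."""

    def __init__(self, active_timeout=60, inactive_timeout=15):
        self.active, self.inactive = active_timeout, inactive_timeout
        self.flows, self.exported = {}, []

    def _export(self, key, st, reason):
        self.exported.append({"key": key, "first": st.first, "last": st.last,
                              "packets": st.packets, "octets": st.octets, "reason": reason})

    def expire(self, now):
        """Export every flow that has seen no traffic for inactive_timeout seconds."""
        for key in [k for k, st in self.flows.items() if now - st.last >= self.inactive]:
            self._export(key, self.flows.pop(key), "inactive-timeout")

    def packet(self, ts, key, size):
        self.expire(ts)
        st = self.flows.get(key)
        if st is not None and ts - st.first >= self.active:
            # Still active after active_timeout: export the partial record, start a new one.
            self._export(key, st, "active-timeout")
            st = None
        if st is None:
            st = self.flows[key] = FlowState(first=ts, last=ts)
        st.packets += 1
        st.octets += size
        st.last = ts

def demo(active=60, inactive=15):
    """Constructed traffic: one DNS lookup and one HTTPS session busy for two minutes."""
    cache = FlowCache(active, inactive)
    dns = ("10.0.0.5", "10.0.0.1", 53001, 53, 17)       # constructed sample addresses
    https = ("10.0.0.5", "192.0.2.10", 51000, 443, 6)
    cache.packet(0.0, dns, 70)
    for t in range(0, 130, 10):                          # one packet every 10 s, never idle
        cache.packet(float(t), https, 1500)
    cache.expire(200.0)                                  # clock advances, no more traffic
    return cache.exported
```

With a 60 s active timeout the long HTTPS session is reported in one-minute slices while it is still running, which is what lets a collector graph it as it happens; raise the active timeout to 300 s and the same traffic arrives as a single record only after the session goes idle.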
If you have a Checkpoint firewall, give us a call if you need help setting it up. Also, we are looking for a packet capture from one of these if you can take a few minutes to send us one. We want to test it against our NetFlow collector and our NetFlow Analyzer reporting.
April 2012 Update: Barracuda, Cisco ASA, Palo Alto Networks and SonicWALL all support NetFlow (or IPFIX) exports.
Hey, I got a question. If our firewall blocked sFlows from any other program, how can I understand this?
I’m sorry, I don’t understand your question. If your firewall is blocking sFlow then I guess the collector won’t see it. Can you please restate the question.
Can you please clarify what settings to put on the active timeout and the inactive timeout for Checkpoint devices? I take it Plixer recommends to set the active/inactive timeout on the Checkpoint firewalls to 1 minute or 60 seconds, as they do on all other devices? There are both inactive and active settings, so if there is a difference that better suits Scrutinizer it would be nice to know. Thanks.
I feel that Cisco sets the standard for ‘typical’ configurations. An active timeout of 1 minute and an inactive timeout of 15 seconds is ideal for Scrutinizer and most other NetFlow Collectors.
Is that working on a Checkpoint VSX firewall ?
I don’t recall. Do you have your VSX exporting flows yet? Can you send us a several-minute Wireshark packet capture? We’ll test it.
Thanks Mike, but I was unable to set the flow export on VSX. The commands given in this article are probably only for IPSO, because they are not available in VSX.
Hi,
Is it possible to send the NAT table from a Checkpoint firewall?
thank you
I’ll try to find out.
https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/10293/FILE/IPSO_6.2-Voyager_Reference_Guide.pdf p. 463 doesn’t mention it.
Do you have a contact at CheckPoint I could work with to find out?