
NetFlow from a Checkpoint Firewall

06.06.10 by Michael

I wonder how many firewalls (IP Security Appliances) have been sold to date. Since we have been in business, we have purchased 4. I can’t imagine a company being attached to the internet without one.

Currently we have both a SonicWALL and a Cisco ASA. It is great to see that some firewalls such as the Cisco ASA, Fortinet and Checkpoint are now supporting NetFlow.

I would like to see Watchguard and NetStream support it, but I couldn’t find anything on the internet referencing their support for NetFlow. Hopefully they are considering it. Most vendors now are supporting either NetFlow or sFlow.

I found in the Checkpoint IPSO 6.2 Reference Guide how to configure NetFlow. If you click on the above link, on the left, click on “Traffic management commands” and then click on “NetFlow Commands”, you can follow the directions to enable NetFlow (p. 462). It was nice to see that it supports NetFlow v5 and NetFlow v9 as well as the active and inactive timeout functions.

Checkpoint Netflow Commands

You can use the Netflow support in IPSO to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network “flows.” A flow is a unidirectional stream of packets that share a given set of characteristics. Use the following commands to configure Netflow services.

set netflow

  • active-timeout seconds
  • collector ip ip_address port port_number
  • enable-acl <on | off>
  • enable-flows <on | off>
  • export-format <Netflow_V5 | Netflow_V9 | None>
  • inactive-timeout seconds
  • srcaddr ip_address

show netflow

  • all
  • active-timeout
  • collector
  • enable-acl
  • enable-flows
  • export-format
  • inactive-timeout
  • srcaddr

Arguments

active-timeout seconds Specifies the number of seconds after which IPSO should export a record for a flow when the flow is still active.

collector ip ip_address port port_number Specifies the IP address and port number of the Netflow collector.

enable-acl <on | off> Enables or disables ACL metering mode. If you use this mode, you define flows by configuring ACL rules. All the traffic that matches a rule is exported in one flow record.

enable-flows <on | off> Enables or disables flow metering mode. If you use this mode, a flow is any sequence of packets that share

• Source and destination IP addresses
• Source and destination port numbers
• IP protocol

IPSO exports each flow in an individual flow record.

export-format <Netflow_V5 | Netflow_V9 | None> Specifies the format of the export flow records. This format must be supported by the flow collector.

inactive-timeout seconds Specifies the number of seconds to wait while a flow is inactive (no traffic) but has not been terminated. If the specified number of seconds elapses, IPSO exports a record for the flow.

srcaddr ip_address Specifies the source (local) IP address to be used in export records. If this is not configured, the address is chosen based on the route to the collector’s address.
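
An added example, not from the original post or from Check Point or Plixer: a minimal NetFlow v5 datagram parser for checking on the collector side what a firewall set to `export-format Netflow_V5` is sending, flagging flow records whose reported duration exceeds the configured `active-timeout`. The function names, the addresses and the 5-second slack are assumptions, and the sample datagram is constructed.

```python
import socket
import struct

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")

def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError("version field is %d, expected 5" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        (src, dst, _hop, _in, _out, pkts, octets, first, last, sport, dport,
         _flags, proto, _tos, _sas, _das, _sm, _dm) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "octets": octets,
            # first/last are exporter uptime in ms; the modulo handles counter wrap
            "duration_s": ((last - first) % 2**32) / 1000.0,
        })
    return flows

def exceeds_active_timeout(flows, active_timeout, slack=5):
    """Flows reported as longer than active-timeout plus slack seconds.
    slack is an assumption: exporters check their timers periodically."""
    return [f for f in flows if f["duration_s"] > active_timeout + slack]

def sample_datagram():
    """Constructed test input: two TCP flows lasting 42 s and 300 s."""
    def rec(src, dst, first_ms, last_ms, sport, dport):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, 10, 1500,
                           first_ms, last_ms, sport, dport, 0x18, 6, 0, 0, 0, 24, 24)
    header = HEADER.pack(5, 2, 400000, 1300000000, 0, 1, 0, 0, 0)
    return (header + rec("192.0.2.10", "198.51.100.7", 100000, 142000, 51515, 443)
            + rec("192.0.2.11", "198.51.100.8", 90000, 390000, 51516, 22))

if __name__ == "__main__":
    for flow in exceeds_active_timeout(parse_v5(sample_datagram()), active_timeout=60):
        print("longer than active-timeout:", flow)
```

A record flagged here means the exporter is holding long-lived flows past the configured active timeout, which delays their appearance at the collector.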

If you have a Checkpoint firewall, give us a call if you need help setting it up.  Also, we are looking for a packet capture from one of these if you can take a few minutes to send us one. We want to test it against our NetFlow collector and our NetFlow Analyzer reporting.

April 2012 Update: Barracuda, Cisco ASA, Palo Alto Networks and SonicWALL all support NetFlow (or IPFIX) exports.

Categories: NetFlow, NetFlow Analyzer Tags: configure netflow on a checkpoint, Firewall, NetFlow Collector, rules, Traffic Management

About Michael

Michael is the Co-Founder and the product manager for Scrutinizer Incident Response System. He can be reached most hours of the day between work and home. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer. Feel free to email him.

Comments

  1. huseyin says

    August 25, 2010 at 7:36 pm

    Hey, I got a question. If our firewall blocked sflows from any other program, how can I understand this?

  2. Mike Patterson says

    August 26, 2010 at 8:24 am

    I’m sorry, I don’t understand your question. If your firewall is blocking sFlow then I guess the collector won’t see it. Can you please restate the question?

  3. Checkpoint Guy says

    March 14, 2011 at 3:32 pm

    Can you please clarify what settings to put on the active timeout and the inactive timeout for Checkpoint devices? I take it Plixer recommends to set the active/inactive timeout on the Checkpoint firewalls to 1 minute or 60 seconds, as they do on all other devices? There are both inactive and active settings, so if there is a difference that better suits Scrutinizer it would be nice to know. Thanks.

  4. Mike Patterson says

    March 14, 2011 at 9:14 pm

    I feel that Cisco sets the standard for ‘typical’ configurations. An active timeout of 1 minute and an inactive timeout of 15 seconds is ideal for Scrutinizer and most other NetFlow Collectors.

  5. Paul Choua says

    November 7, 2011 at 8:06 am

    Is that working on a Checkpoint VSX firewall?

    • Michael says

      November 7, 2011 at 8:41 am

      I don’t recall. Do you have your VSX exporting flows yet? Can you send us a several-minute Wireshark packet capture? We’ll test it.

  6. Paul Choua says

    November 9, 2011 at 9:24 am

    Thanks Mike, but I was unable to set the flow export on VSX. The commands given in this article are probably only for IPSO because they are not available in VSX.

  7. dima says

    March 12, 2013 at 11:32 pm

    Hi,
    Is it possible to send the NAT table from a Checkpoint firewall?
    Thank you

  8. Michael says

    March 13, 2013 at 7:02 am

    I’ll try to find out.

    https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/10293/FILE/IPSO_6.2-Voyager_Reference_Guide.pdf p. 463 doesn’t mention it.

    Do you have a contact at CheckPoint I could work with to find out?
