I wonder how many firewalls (IP Security Appliances) have been sold to date.  Since we have been in business, we have purchased 4. I can’t imagine a company being attached to the internet without one.

Currently we have both a SonicWALL and a Cisco ASA. It is great to see that some firewalls such as the Cisco ASA, Fortinet and Checkpoint are now supporting NetFlow.

I would like to see Watchguard and NetStream support it, but I couldn’t find anything on the internet referencing their support for NetFlow. Hopefully they are considering it. Most vendors now support either NetFlow or sFlow.

I found in the Checkpoint IPSO 6.2 Reference Guide how to configure NetFlow.  If you click on the above link, on the left, click on “Traffic management commands” and then click on “NetFlow Commands” you can follow the directions to enable NetFlow (p. 462).  It was nice to see that it supports NetFlow v5 and NetFlow v9 as well as the active and inactive timeout functions.
Checkpoint Netflow Commands
You can use the Netflow support in IPSO to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network “flows.” A flow is a unidirectional stream of packets that share a given set of characteristics. Use the following commands to configure Netflow services.

set netflow

  • active-timeout seconds
  • collector ip ip_address port port_number
  • enable-acl <on | off>
  • enable-flows <on | off>
  • export-format <Netflow_V5 | Netflow_V9 | None>
  • inactive-timeout seconds
  • srcaddr ip_address

show netflow

  • all
  • active-timeout
  • collector
  • enable-acl
  • enable-flows
  • export-format
  • inactive-timeout
  • srcaddr
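As an added example (not taken from the IPSO guide or from Plixer), here is one complete command sequence that puts the subcommands above together: the collector address, the export source address, the v9 export format, a 1-minute active timeout, a 15-second inactive timeout, and flow metering mode. The collector and source addresses are placeholders from the RFC 5737 documentation ranges, port 2055 is the conventional NetFlow collector port, and the lines beginning with `#` are annotations rather than CLI input. The closing `save config` is the general IPSO clish command for persisting configuration and is assumed here; it is not part of the NetFlow command set listed in the guide.

```text
# Added example: NetFlow v9 export from IPSO 6.2 to a collector (placeholder addresses)
set netflow collector ip 192.0.2.10 port 2055
set netflow srcaddr 192.0.2.1
set netflow export-format Netflow_V9
# export a record for a long-lived flow every 60 s, and 15 s after a flow goes quiet
set netflow active-timeout 60
set netflow inactive-timeout 15
# flow metering mode (5-tuple flows); ACL metering mode left off
set netflow enable-flows on
set netflow enable-acl off
# verify every setting before persisting
show netflow all
save config
```

Check that `show netflow all` reports the same export format that the collector is configured to accept; a v9 export sent to a collector that only understands v5 is silently useless, which is the point of the export-format argument below.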

Arguments

active-timeout seconds Specifies the number of seconds after which IPSO should export a record for a flow when the flow is still active.

collector ip ip_address port port_number Specifies the IP address and port number of the Netflow collector.

enable-acl <on | off> Enables or disables ACL metering mode. If you use this mode, you define flows by configuring ACL rules. All the traffic that matches a rule is exported in one flow record.

enable-flows <on | off> Enables or disables flow metering mode. If you use this mode, a flow is any sequence of packets that share:

  • Source and destination IP addresses
  • Source and destination port numbers
  • IP protocol

IPSO exports each flow in an individual flow record.

export-format <Netflow_V5 | Netflow_V9 | None> Specifies the format of the export flow records. This format must be supported by the flow collector.

inactive-timeout seconds Specifies the number of seconds to wait while a flow is inactive (no traffic) but has not been terminated. If the specified number of seconds elapses, IPSO exports a record for the flow.

srcaddr ip_address Specifies the source (local) IP address to be used in export records. If this is not configured, the address is chosen based on the route to the collector’s address.
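The active and inactive timeouts are the two arguments that most often get set wrong, so the following added example (my own illustration, not code from the IPSO guide or from Plixer) models how a flow cache in flow metering mode applies them. It keys flows on the 5-tuple listed under enable-flows, exports a record when a flow has been open for the active timeout (so a long session shows up at the collector before it ends) or has seen no packets for the inactive timeout, and runs over a constructed capture: one DNS query and its reply (two unidirectional flows) plus an HTTPS session that sends a packet every 10 seconds. The 60-second and 15-second values are the ones recommended further down this page; the addresses and timestamps are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key in flow-metering mode: src IP, dst IP, src port, dst port, IP protocol.
FlowKey = Tuple[str, str, int, int, int]


@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


@dataclass
class FlowRecord:
    key: FlowKey
    start: float
    end: float
    packets: int
    octets: int
    reason: str  # "active-timeout" or "inactive-timeout"


class FlowCache:
    """Unidirectional flow cache keyed on the 5-tuple, with the two IPSO timeouts."""

    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.flows: Dict[FlowKey, Flow] = {}
        self.exported: List[FlowRecord] = []

    def packet(self, ts: float, src: str, dst: str, sport: int, dport: int,
               proto: int, length: int) -> None:
        """Account one packet; packets must be fed in timestamp order."""
        self.expire(ts)
        key = (src, dst, sport, dport, proto)
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(key, first_seen=ts, last_seen=ts)
            self.flows[key] = flow
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += length
        # active-timeout: the flow is still sending but has been open this long,
        # so export what has been seen so far; the next packet starts a new record.
        if ts - flow.first_seen >= self.active_timeout:
            self._export(flow, "active-timeout")
            del self.flows[key]

    def expire(self, now: float) -> None:
        """inactive-timeout: export flows that have seen no traffic for the interval."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= self.inactive_timeout:
                self._export(flow, "inactive-timeout")
                del self.flows[key]

    def _export(self, flow: Flow, reason: str) -> None:
        self.exported.append(FlowRecord(flow.key, flow.first_seen, flow.last_seen,
                                        flow.packets, flow.octets, reason))


def run_demo() -> List[FlowRecord]:
    """Constructed traffic: one DNS query/reply pair and a long-lived HTTPS session."""
    packets = [
        (0.0, "10.0.0.5", "192.0.2.53", 53000, 53, 17, 64),    # DNS query (UDP)
        (0.1, "192.0.2.53", "10.0.0.5", 53, 53000, 17, 120),   # DNS reply: its own flow
    ]
    # HTTPS keep-alive: one 1500-byte packet every 10 s from t=0 to t=70
    packets += [(float(t), "10.0.0.5", "203.0.113.7", 40000, 443, 6, 1500)
                for t in range(0, 80, 10)]
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    for pkt in sorted(packets, key=lambda p: p[0]):
        cache.packet(*pkt)
    cache.expire(now=200.0)  # end of capture: let the remaining flows go idle
    return cache.exported


if __name__ == "__main__":
    for r in run_demo():
        src, dst, sport, dport, proto = r.key
        print(f"{src}:{sport} -> {dst}:{dport} proto={proto} "
              f"{r.packets} pkts {r.octets} B [{r.start:.1f}-{r.end:.1f}] {r.reason}")
```

Running it shows why the two values matter for reporting: the DNS query and reply each become a one-packet record about 15 seconds after they stop, while the HTTPS session produces a 7-packet record at the 60-second mark even though it is still running, and a second record for the rest. A longer active timeout delays the collector's view of long sessions by that much; a longer inactive timeout keeps idle flows in the firewall's cache and delays the short ones.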

If you have a Checkpoint firewall, give us a call if you need help setting it up.  Also, we are looking for a packet capture from one of these if you can take a few minutes to send us one. We want to test it against our NetFlow collector and our NetFlow Analyzer reporting.

April 2012 Update: Barracuda, Cisco ASA, Palo Alto Networks and SonicWALL all support NetFlow (or IPFIX) exports.

Michael

Michael is the Co-Founder and the product manager for Scrutinizer Incident Response System. He can be reached most hours of the day between work and home. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer. Feel free to email him.

11 comments on “NetFlow from a Checkpoint Firewall”

  1. Hey, I got a question. If our firewall blocked sFlows from any other program, how can I understand this?

  2. I’m sorry, I don’t understand your question. If your firewall is blocking sFlow then I guess the collector won’t see it. Can you please restate the question.

  3. Can you please clarify what settings to put on the active timeout and the inactive timeout for Checkpoint devices? I take it Plixer recommends to set the active/inactive timeout on the Checkpoint firewalls to 1 minute or 60 seconds, as they do on all other devices? There are both inactive and active settings, so if there is a difference that better suits Scrutinizer it would be nice to know. Thanks.

  4. I feel that Cisco sets the standard for ‘typical’ configurations. An active timeout of 1 minute and an inactive timeout of 15 seconds is ideal for Scrutinizer and most other NetFlow Collectors.

  5. Thanks Mike, but I was unable to set the flow export on VSX. The commands given in this article are probably only for IPSO because they are not available in VSX.