topic Re: Netflow, does it show Ingrees and Egrees? in Firewall and Security Management

Netflow, does it show Ingrees and Egrees?

Thomas_Eichelbu — Wed, 13 Jul 2022 12:32:47 GMT

Hello Check Mates,

perhaps a silly question, and perhaps a total application dependend question:
We configured Netflow V9 on some gateways, we collect data in PRTG, pretty simple stuff, it has not many features.
But it show all together in "one graph". OK

The customer said its not sufficient, he wants to measure the bits and bytes going through the firewalls. and not just simple bytes but also SRC & DST and services.
The tool we had was HPE IMC, we setup Netflow and wondered, it show all data in Ingrees graph, all data is in the inbound path.
The Outbound path is empty.

So iam asking myself, a rookie in Netflow, is this by design? Or is Check Point lacking some Netflow parameters?
Or is it a HP IMC related issue?
It seems all traffic which we produced is inside our Inbound graph ... so nothing is missing.

Sofware is R81 + Take 58 (Clean Install)
All rules without Accounting! Here the documentation is very contradictory

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Netflow-Export.htm

You performed a Clean Install of R81

By default (value 1) the NetFlow export is enabled for traffic accepted by all Access Control rules.
You can configure the value 0 to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

Important - If you configure the value 0, you must configure the applicable Access Control rules in SmartConsole.

0 -> Access Control rules with the Track option Log and Accounting

1 -> enabled for traffic accepted by all Access Control rules

But the CLI says:

SSPFW01> show netflow fwrule

FW rule: 1 (NetFlow exports its records only for traffic accepted by Access Control rules configured in SmartConsole with the 'Track' option 'Log' and 'Accounting'

SSPFW01> show netflow fwrule

FW rule: 0 (NetFlow exports its records for traffic accepted by all Access Control rules)

strange?

perhaps somebody is expert here.

best regards
Thomas

Re: Netflow, does it show Ingrees and Egrees?

Chris_Atkinson — Wed, 13 Jul 2022 23:33:09 GMT

From sk102041

Note: 1 - generate netflow records only for rules with accounting enabled. 0 - generate netflow records for all firewall rules (applicable only for R80.40 JHF T87 and above).

Note: “Starting with R81, NetFlow no longer requires Log/Accounting to be enabled and logging is off by default. There is the new ‘NetFlow FW rule’ option to configure NetFlow to report per FW rule by turning it on and enabling Log/Accounting per FW rule. This option is off by default so it must be enabled when upgrading from R80.20/30/40

Re: Netflow, does it show Ingrees and Egrees?

Thomas_Eichelbu — Thu, 14 Jul 2022 15:17:37 GMT

Hello,

yes thank you i unserstand.

with value 0 i get all the Netflow data
with value 1 i dont receive any Netflow data
in my setup

my question was more,

who has experience with Netflow and Check Point, are Ingrees and Egrees charts visible or is this totally appliction dependend?
or is this not required because its all in one view and you can drill down into the session, and therefore IN and OUT is not required?

best regards

Re: Netflow, does it show Ingrees and Egrees?

Chris_Atkinson — Thu, 14 Jul 2022 15:29:06 GMT

If I remember correctly the flow records should include "InputInt" and "OutputInt" interface index values to allow for appropriate charting, unsure if this is netflow version dependent would need to check it further.

Re: Netflow, does it show Ingrees and Egrees?

Thomas_Eichelbu — Mon, 25 Jul 2022 09:55:09 GMT

Hello,

well yes, a TAC Case is ongoing ... lets see what we find ...

Re: Netflow, does it show Ingrees and Egrees?

james-07 — Sun, 01 Jan 2023 21:50:31 GMT

Dear Thomas,

Thanks for your query, i am also want to know whether checkpoint provides the flow direction in netflow. OEMs like palo-alto is providing those information. please share the TAC case report.