This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
‎2022-07-13 05:32 AM

Netflow, does it show Ingrees and Egrees?

Hello Check Mates, 

perhaps a silly question, and perhaps a total application dependend question:
We configured Netflow V9 on some gateways, we collect data in PRTG, pretty simple stuff, it has not many features.
But it show all together in "one graph". OK

The customer said its not sufficient, he wants to measure the bits and bytes going through the firewalls. and not just simple bytes but also SRC & DST and services.
The tool we had was HPE IMC, we setup Netflow and wondered, it show all data in Ingrees graph, all data is in the inbound path.
The Outbound path is empty.
1.PNG

 

So iam asking myself, a rookie in Netflow, is this by design? Or is Check Point lacking some Netflow parameters?
Or is it a HP IMC related issue?
It seems all traffic which we produced is inside our Inbound graph ... so nothing is missing.

Sofware is R81 + Take 58 (Clean Install)
All rules without Accounting! Here the documentation is very contradictory 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Netflow...

You performed a Clean Install of R81
  • By default (value 1) the NetFlow export is enabled for traffic accepted by all Access Control rules.
  • You can configure the value 0 to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

 

Important - If you configure the value 0, you must configure the applicable Access Control rules in SmartConsole.

 

0 -> Access Control rules with the Track option Log and Accounting

1 -> enabled for traffic accepted by all Access Control rules

 

But the CLI says:

SSPFW01> show netflow fwrule

FW rule: 1 (NetFlow exports its records only for traffic accepted by Access Control rules configured in SmartConsole with the 'Track' option 'Log' and 'Accounting'

SSPFW01> show netflow fwrule

FW rule: 0 (NetFlow exports its records for traffic accepted by all Access Control rules)

strange?

perhaps somebody is expert here.

best regards
Thomas

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-07-13 04:33 PM

From sk102041

Note1 - generate netflow records only for rules with accounting enabled. 0 - generate netflow records for all firewall rules (applicable only for R80.40 JHF T87 and above).

Note: “Starting with R81, NetFlow no longer requires Log/Accounting to be enabled and logging is off by default. There is the new ‘NetFlow FW rule’ option to configure NetFlow to report per FW rule by turning it on and enabling Log/Accounting per FW rule. This option is off by default so it must be enabled when upgrading from R80.20/30/40

CCSM R77/R80/ELITE
0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2022-07-14 08:17 AM
In response to Chris_Atkinson

Hello, 

yes thank you i unserstand.

with value 0 i get all the Netflow data
with value 1 i dont receive any Netflow data
in my setup

my question was more, 

who has experience with Netflow and Check Point, are Ingrees and Egrees charts visible or is this totally appliction dependend?
or is this not required because its all in one view and you can drill down into the session, and therefore IN and OUT is not required?

best regards

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-07-14 08:29 AM
In response to Thomas_Eichelbu

If I remember correctly the flow records should include "InputInt" and "OutputInt" interface index values to allow for appropriate charting, unsure if this is netflow version dependent would need to check it further.

CCSM R77/R80/ELITE
0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2022-07-25 02:55 AM
In response to Chris_Atkinson

Hello, 

well yes, a TAC Case is ongoing ... lets see what we find ...

0 Kudos
james-07
Explorer
‎2023-01-01 01:50 PM
In response to Thomas_Eichelbu

Dear Thomas,

                         Thanks for your query, i am also want to know whether checkpoint provides the flow direction in netflow. OEMs like palo-alto is providing those information.  please share the TAC case report.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events