This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TomShanti
Collaborator
‎2020-07-21 04:13 AM
Jump to solution

Netflow export with R80.30/R80.40

Hi community,

 

since R80.30 netflow export needs to be additionally configured on each rule via adding the "Accounting" option:

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topi...

2020-07-21_13h11_18.png

 

Could someone please share their experience regarding performance when enabling accounting ?

I remember some days in the past that the accounting option was very performance intense ...


And also how are we supposed to manage this with a 1000+ ruleset ?


Thanks and regards 

Thomas

 

 

 

 

1 Solution

Accepted Solutions
rdevarak
Employee
Employee
‎2020-10-22 01:44 PM
In response to Oscar_Figueruel
Jump to solution

Thank you all for the feedback. Understood. In R81, the default behavior will be same as R80.10 and we are working to make a fix available in Jumbo HFs for R80.30/40 as soon as possible. Here is the silver line, now users can selectively choose FW rules for minimal impact on the performance or debugging purpose.

Due to architectural changes in R80.20, we had to make a hard decision regarding Netflow functionality.

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2020-07-23 08:36 AM
Jump to solution

The massive performance impact was back in the days before SecureXL, which handles this pretty efficiently. 
There is some extra logging traffic, as you might imagine.

Oscar_Figueruel
Participant
‎2020-10-22 03:17 AM
Jump to solution

Dear Tom, we are suffering the same issues on our site.

Netflow stopped working since we upgraded and now we have to enable the accounting on thousands of rules , something that was not required at all in R80.10. this doesn't make any sense even when they are going to revert back this feature in R81, meaning that the accounting won't be required to get Netflow working.

 

Checkpoint, before performing these behaviour changes, you should think on the fact that these changes are causing a huge time consuming for your customers and not only this, but also the high performance impact it has on the MLMs.

 

rdevarak
Employee
Employee
‎2020-10-22 01:44 PM
In response to Oscar_Figueruel
Jump to solution

Thank you all for the feedback. Understood. In R81, the default behavior will be same as R80.10 and we are working to make a fix available in Jumbo HFs for R80.30/40 as soon as possible. Here is the silver line, now users can selectively choose FW rules for minimal impact on the performance or debugging purpose.

Due to architectural changes in R80.20, we had to make a hard decision regarding Netflow functionality.

Paul_Hagyard
Advisor
‎2022-01-16 04:47 PM
In response to rdevarak
Jump to solution

From R80.40 jumbo take 87 the default behaviour is to export flows for all rules.
With reference to sk102041, flow export per rule (requires accounting to be enabled on the rule) can still be configured.

Warning: the clish message (below example is from R81) is wrong. 0 is the default. As per the sk:
"Note: 1 - generate netflow records only for rules with accounting enabled. 0 - generate netflow records for all firewall rules (applicable only for R80.40 JHF T87 and above)."

fw> set netflow fwrule
fwrule:
1: NetFlow Export for all FW rules (default).
0: NetFlow Export only for specific FW rules that
has Accounting enabled in Smart Console.

fw>

Can someone from R&D look at this incorrect message (and check other versions)?

0 Kudos
Tulasidhar_P
Participant
‎2020-12-14 06:40 AM
Jump to solution

We have netflow issue post upgradation to R80.40 but it is not related to enabling the Accounting option. We had R80.20 and Netflow is enabled with Loopback IP as Source IP and pushed the netflows in the VPN tunnel to Netflow collector which is at remote office. Upgraded to R80.40 since then the Netflows are not using the Loopback IP address as source rather they are trying to use the outgoing Interface IP address(Public IP in my case) as source IP address. removed and reconfigured but it did not work. tried configuring different collector pointing to the Local LAN with Loopback IP as Source IP still the Netflows using the outgoing Interface IP as source IP only. Any idea ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top