Christian_Dave_
Participant

Netflow not working

Hi Checkmates,

My netflow is not working. I have followed the configuration from SK102041. The format I'm using is v9. The netflow server is Solarwinds. Anyone having the same experience? Thanks!

10 Replies
HeikoAnkenbrand
Champion

1) Do you have a firewall rule that allows Netflow?
2) Are blocked packets displayed:

    # fw ctl zdebug drop | grep <Solarwind Server>

3) Can you see traffic between the gateway and the Solarwind server?

    # fw monitor -e "accept host(<Solarwind Server>);"

Maarten_Sjouw
Champion

Make sure to also set up SNMP properly for the Solarwinds server, as it will first query the gateway for the interfaces etc. via SNMP before it will add the gateway in Netflow.

Regards, Maarten
Tom_Cripps
Advisor

Has anyone got anywhere with this?

Just doesn't seem to work consistently like it would on a Cisco device for example? You can see below we've just had nothing from our Gateway for the last 4 hours pretty much.

Nothing is being dropped at all as I can see the port being allowed in the logs. TCPdump or Fw Monitor doesn't show anything.

Maarten_Sjouw
Champion

We are seeing the exact same thing with some of our gateways, we did see that there was one cluster working properly and another was failing, the difference was the Jumbo installed, 103 version worked fine, the newer version just keeps showing dropout like in your graph.

We currently have a case open for this issue.

Regards, Maarten
Tom_Cripps
Advisor

Hi Maarten,

Apologies for the delay in response. 

We have now got this issue fixed as it was relating to General errors for SecureXL - recommend that to your support team and see if they check that. We temporarily added a value, then were given a hotfix which has now fixed this.

Maarten_Sjouw
Champion

In our case there were 2 different systems collecting the Netflow data, an older CA collector, which they are phasing out and another newer system, we moved the gateways over to the other collector and now they are receiving data without hesitations, we already found that the gateway was sending data all the time, but the guys did not want to spend time on the CA collector anymore.

Regards, Maarten
Scott_Chambers
Participant

If your gateways are now on R80.10, you might want to change from Netflow V9 to IPFIX.     

We are having issues with Solarwinds NTA since the 4.5 upgrade. They are blaming Checkpoint but pcaps prove otherwise :)

We moved one of our gateways to IPFIX a few days ago and the flows seem to be reporting properly now.

Tom_Cripps
Advisor

The most recent hotfix has fixed our issue, 170 I believe

MartinTzvetanov
Collaborator

Hello,

I faced a similar issue today. It seems that the netflow daemon got stuck and didn't send any data. Disabling/enabling the service didn't help; after a reboot the issue disappeared. What is the daemon for netflow?

Timothy_Hall
Champion

Depends on version, in R80.10 and earlier NetFlow data was collected and sent by SecureXL (sim driver).  

In R80.20 and later this function was moved into the Firewall Worker/Instance, and thus requires Accounting to be set on any rules for which you want NetFlow data.  I believe the NetFlow data is handed off by the Firewall Worker/Instance to the fwd daemon for transmission to the Collector, try checking the $FWDIR/log/fwd.elg file for any error messages around the time NetFlow stopped working.  If NetFlow stops working again, instead of rebooting try restarting the fwd daemon (this will not cause an outage, but will cause a cluster failover).

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
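
Added example (not part of any post in this thread, and not Check Point or SolarWinds code): several replies come down to confirming from a capture what the gateway actually exports, NetFlow v9 or IPFIX, and whether export packets go missing. The sketch below parses the export header of each UDP payload and reports gaps in the v9 packet sequence per source ID; the function names and the sample datagrams are constructed for illustration.

```python
import struct
from collections import namedtuple

# NetFlow v9 header (RFC 3954): version, count, sysUptime, unix_secs, sequence, source_id
V9 = struct.Struct("!HHIIII")
# IPFIX header (RFC 7011): version, length, export_time, sequence, observation_domain_id
IPFIX = struct.Struct("!HHIII")

ExportHeader = namedtuple("ExportHeader", "proto count_or_length export_secs sequence domain")

def parse_export_header(datagram):
    """Classify one UDP payload as NetFlow v9 or IPFIX and return its header fields."""
    if len(datagram) < 2:
        raise ValueError("datagram too short for a version field")
    (version,) = struct.unpack_from("!H", datagram)
    if version == 9:
        if len(datagram) < V9.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _uptime, secs, seq, source_id = V9.unpack_from(datagram)
        return ExportHeader("netflow-v9", count, secs, seq, source_id)
    if version == 10:
        if len(datagram) < IPFIX.size:
            raise ValueError("truncated IPFIX header")
        _, length, secs, seq, domain = IPFIX.unpack_from(datagram)
        if length != len(datagram):  # IPFIX carries the total message length
            raise ValueError("IPFIX length field does not match datagram size")
        return ExportHeader("ipfix", length, secs, seq, domain)
    raise ValueError(f"unsupported export version {version}")

def v9_sequence_gaps(datagrams):
    """Return (source_id, expected_seq, seen_seq) for every break in the v9 sequence.

    In v9 the sequence number counts export packets, so it should rise by one per
    packet from a given source ID. IPFIX counts data records instead, so IPFIX
    messages are skipped here.
    """
    last_seen, gaps = {}, []
    for datagram in datagrams:
        hdr = parse_export_header(datagram)
        if hdr.proto != "netflow-v9":
            continue
        if hdr.domain in last_seen:
            expected = (last_seen[hdr.domain] + 1) & 0xFFFFFFFF
            if hdr.sequence != expected:
                gaps.append((hdr.domain, expected, hdr.sequence))
        last_seen[hdr.domain] = hdr.sequence
    return gaps

# Constructed header-only samples: v9 packets with sequence 10, 11, 14 and one IPFIX message.
SAMPLE_V9 = [V9.pack(9, 0, 1000, 1700000000, seq, 1) for seq in (10, 11, 14)]
SAMPLE_IPFIX = IPFIX.pack(10, IPFIX.size, 1700000000, 0, 1)
```

Feed it the UDP payloads extracted from a capture taken on the gateway and again from one taken at the collector; a gap that appears only on the collector side points at the path or the collector rather than the exporter.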