Netflow not working

Christian_Dave_ · ‎2018-03-17

Hi Checkmates,

My netflow is not working. I have followed the configuration from SK102041. The format I'm using is v9. The netflow server is Solarwinds. Any one having the same experience? Thanks!

HeikoAnkenbrand · ‎2018-03-18

1) Do you have a firewall rule that allows Netflow?
2) Are blocked packets displayed:

# fw ctl zdebug drop | grep <Solarwind Server>
3) Can you see traffic between the gateway and the Solarwind server?

# fw monitor -e "accept(host=<Solarwind Server>);"

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Maarten_Sjouw · ‎2018-03-25

Make sure to also setup SNMP properly for the Solarwinds server, as it will first query the gateway fior the interfaces etc via SNMP before it will add the gateway in Netflow.

Regards, Maarten

Tom_Cripps · ‎2018-07-27

Has anyone got anywhere with this?

Just doesn't seem to work consistently like it would on a Cisco device for example? You can see below we've just had nothing from our Gateway for the last 4 hours pretty much.

Nothing is being dropped at all as i can see the port being allowed in the logs. TCPdump or Fw Monitor doesn't show anything.

Maarten_Sjouw · ‎2018-09-26

We are seeing the exact same thing with some of our gateways, we did see that there was one cluster working properly and another was failing, the difference was the Jumbo installed, 103 version worked fine, the newer version just keeps showing dropout like in your graph.

We currently have a case open for this issue.

Regards, Maarten

Tom_Cripps · ‎2018-11-23

Hi Maarten,

Apologies for the delay in response.

We have now got this issue fixed as it was relating to General errors for SecureXL - recommend that to your support team and see if they check that. We temporarily added a value then was given a hotfix which has now fixed this.

Maarten_Sjouw · ‎2018-11-23

In our case there were 2 different systems collecting the Netflow data, an older CA collector, which they are phasing out and another newer system, we moved the gateways over to the other collector and now they are receiving data without hesitations, we already found that the gateway was sending data all the time, but the guys did not want to spend time on the CA collector anymore.

Regards, Maarten

Scott_Chambers · ‎2019-02-15

If your gateways are now on R80.10, you might want to change from Netflow V9 to IPFIX.

We are having issues with Solarwinds NTA since the 4.5 upgrade. They are blaming Checkpoint but pcaps prove otherwise

We moved one of our gateways to IPFIX a few days ago and the flows seems to be reporting properly now.

Tom_Cripps · ‎2019-02-15

The most recent hotfix has fixed our issue, 170 I believe

MartinTzvetanov · ‎2020-09-28

Hello,

I faced a similar issue today. It seems that netflow daemon got stuck and didn't send any data. Disable/enable the service didn't help, after reboot the issue disappear. What is the daemon for netflow?

Timothy_Hall · ‎2020-09-28

Depends on version, in R80.10 and earlier NetFlow data was collected and sent by SecureXL (sim driver).

In R80.20 and later this function was moved into the Firewall Worker/Instance, and thus requires Accounting to be set on any rules for which you want NetFlow data. I believe the NetFlow data is handed off by the Firewall Worker/Instance to the fwd daemon for transmission to the Collector, try checking the $FWDIR/log/fwd.elg file for any error messages around the time NetFlow stopped working. If NetFlow stops working again, instead of rebooting try restarting the fwd daemon (this will not cause an outage, but will cause a cluster failover).

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

Are you a member of CheckMates?

Netflow not working