Netflow packet length

Hello All,

I want to decrease the length of the packets generated by NetFlow. Is it possible to reduce it?
PhoneBoy
Admin

Not as far as I know.
What is the reason you are trying to do this?

rdevarak
Employee

Currently it is not possible. FYI, there are two ways to reduce the packet size: 1) by reducing the number of records in the packet. Currently, the NetFlow packet is generated once the packet is filled or flushed after 30 secs. Both are hardcoded. 2) by making the fields configurable, like 'flexible netflow' (just like in Cisco). Currently not planned, but it is under consideration.

I would like to know the use case for the smaller packet size.

Thanks,

Raghu (R&D)
Nishant12
Explorer

Thanks Raghu for the reply. The use case is that the NetFlow generated by the firewall has a length of 1472, and after that the traffic has to go through the IPsec tunnel. We are thinking that because of the IPsec overhead it is more than 1500, so it is not reaching the destination.

Correct me if my finding is wrong; do we have any other solution for that?
rdevarak
Employee

Hi Nishant, please contact CP support and reference my name 'Raghuram Devarakonda (R&D)' so that they can contact me. I want to see the tcpdump of the packets going through the IPsec tunnel. Let me know the release details; it may be possible to give you a fix for it, if necessary.

Thanks,

Raghu
Nishant12
Explorer

The IPsec tunnel is between the routers, not on the firewall, and we still haven't done any troubleshooting on the router side. I can try to engage the router team and raise the case with CP, but before moving forward to the router team and CP, one thing I want to know is whether my assumption could be right or not; otherwise I will be wasting everyone's time.
rdevarak
Employee

You may be right. How about other types of packets, for example a large file transfer (it will be a larger size based on the MTU size)? Check the MTU size of the path from the CP NetFlow. Can you enable IP fragmentation on the router?

If possible, reduce the traffic to a minimum on the CP GW so that it will not have so many records. Make sure it passes through the routers.

The bottom line is to trace the problem with a smaller packet and increment it till it fails.
Ian_Cresswell
Participant

Is there a solution to this?

We forward NetFlow data to our Solarwinds server in our Datacentre for all our firewalls. We run DMVPN between most offices, so the MTU of the tunnel is 1400.

We no longer receive NetFlow data; strangely, this used to work on an older version but hasn't for some time. We are on 81.10 now. NetFlow data is useful to us and we would like to get this resolved.
rdevarak
Employee

Please open a ticket with support and also provide a tcpdump of the NetFlow records. Maybe the IP packet has to be fragmented, but I am not sure how it will be handled on the receiving side, including the NetFlow collector. I want to see whether DF is set or not and also the size of the packet.
Ian_Cresswell
Participant

I have a ticket open with Checkpoint; it's been ongoing for some time now.

I was hoping someone in Checkmates may be able to point me in the right direction.
PhoneBoy
Admin

Please provide the SR in a private message, I will make sure to communicate it to @rdevarak.

PhoneBoy
Admin

If the packets don’t have the Don’t Fragment bit set, then they should go through an IPsec VPN just fine.
If they do, I believe we handle this.
For general information around this topic: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

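As an added example (not code from this thread, from Check Point, or from any collector), a small Python check of the two things Raghu asks to see in the tcpdump, the DF bit and the export packet size, plus how many NetFlow v5 records would still fit under the 1400-byte DMVPN tunnel MTU Ian mentions. The ESP overhead figures (tunnel mode, AES-CBC IV, HMAC-SHA1-96 ICV) and the use of NetFlow v5 are assumptions; the packet is constructed inline, not a real capture.

```python
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
UDP_HDR_LEN = 8
NF5_HDR_LEN, NF5_REC_LEN = 24, 48           # NetFlow v5 export header and per-flow record


def parse_ipv4(pkt: bytes) -> dict:
    """What a reviewer of the tcpdump looks at first: total length and the DF bit."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _s, _d = IPV4_HDR.unpack_from(pkt, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"total_len": total_len, "df": bool(flags_frag & 0x4000), "proto": proto}


def esp_tunnel_size(ip_len: int, iv_len: int = 16, icv_len: int = 12, block: int = 16) -> int:
    """Estimated on-the-wire size after ESP tunnel-mode encapsulation.
    ASSUMPTION: outer IPv4 (20) + SPI/sequence (8) + IV + inner packet padded to the
    cipher block + 2-byte trailer + ICV. AES-CBC/HMAC-SHA1-96 figures; adjust for your tunnel."""
    pad = (-(ip_len + 2)) % block
    return 20 + 8 + iv_len + ip_len + pad + 2 + icv_len


def tunnel_verdict(pkt: bytes, tunnel_mtu: int) -> str:
    """'fits', 'fragmented' (DF clear) or 'dropped' (DF set) for a captured export packet."""
    hdr = parse_ipv4(pkt)
    if esp_tunnel_size(hdr["total_len"]) <= tunnel_mtu:
        return "fits"
    return "dropped" if hdr["df"] else "fragmented"


def max_v5_records(tunnel_mtu: int) -> int:
    """Largest NetFlow v5 record count per export packet that still fits the tunnel MTU."""
    n = 0
    while esp_tunnel_size(20 + UDP_HDR_LEN + NF5_HDR_LEN + NF5_REC_LEN * (n + 1)) <= tunnel_mtu:
        n += 1
    return n


def build_sample_export(records: int = 30, df: bool = True) -> bytes:
    """Constructed NetFlow v5 export datagram with zeroed records; checksums left at 0."""
    payload = struct.pack("!HHIIIIBBH", 5, records, 0, 0, 0, 0, 0, 0, 0) + bytes(NF5_REC_LEN * records)
    udp = struct.pack("!HHHH", 40000, 2055, UDP_HDR_LEN + len(payload), 0)   # UDP length 1472
    total_len = IPV4_HDR.size + len(udp) + len(payload)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 1, 0x4000 if df else 0, 64, 17,
                       0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp + payload


if __name__ == "__main__":
    pkt = build_sample_export()
    print(parse_ipv4(pkt), tunnel_verdict(pkt, 1400), max_v5_records(1400))
```

Run it against bytes pulled from your own capture instead of `build_sample_export()` to get the verdict for real export packets.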