Netflow Export

Introduction

NetFlow is an industry standard for traffic monitoring. It is a network protocol developed by Cisco for collecting network traffic patterns and volume. It lets one host (the Exporter) send information about network flows to another host (the Collector). A network flow is a unidirectional stream of packets that share a set of characteristics.

You can configure Security Gateways and ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members that run on GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Operating System as an Exporter of NetFlow records for all the traffic they inspect.

Note - The state of the SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. on a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. is irrelevant for NetFlow export.

The Collector is supplied by a different vendor, and is configured separately.

NetFlow Export configuration is a list of collectors, to which the service sends records:

  • To enable NetFlow, configure at least one collector.

  • To disable NetFlow, make sure no collectors are configured.

You can configure up to three collectors. NetFlow records go to all configured collectors. If you configure three collectors, each record is sent three times.

Regardless of which NetFlow export format you choose, Gaia operating system exports values as set of fields.

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • Ingress physical interface index (defined by SNMP)

  • Egress physical interface index (defined by SNMP)

  • Packet count for this flow

  • Byte count for this flow

  • Start of flow timestamp (FIRST_SWITCHED)

  • End of flow timestamp (LAST_SWITCHED)

  • IP protocol number

  • TCP flags from the flow (TCP only)

Notes:

  • The IP addresses and TCP/UDP ports reported by NetFlow are the ones, on which it expects to receive traffic.

    Therefore, for NAT connections, one of the two directions of flow is reported with the NATed address.

  • NetFlow sends the connection records after the connections have terminated.

    If the system is idle or the connections are long lasting, you may have to wait to see NetFlow packets.

For more information, see sk102041: NetFlow support by Gaia OS.

Configuration Procedure

  1. You can configure these settings either in Gaia PortalClosed Web interface for the Check Point Gaia operating system., or in Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

    Note - You must connect to the Gaia Portal of the applicable Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

    1. In the left navigation tree, click Network Management > NetFlow Export.

    2. Click Add.

    3. Enter the required data for each collector:

      Parameter

      Description

      IP address

      The IPv4 address, to which NetFlow packets are sent.

      This is mandatory.

      UDP port Number

      The UDP port number, on which the collector is listening.

      This is mandatory.

      There is no default or standard port number for NetFlow.

      Export format

      The NetFlow protocol version to send:

      • Netflow_V5

      • Netflow_V9

      • IPFIX (known as "NetFlow v10")

      Each protocol version has a different packet format.

      The default is Netflow_V9.

      Source IP address

      Optional: The IPv4 address of the NetFlow packets source.

      This must be an IPv4 address of the local host.

      The default (which is recommended) is an IPv4 address from the network interface, on which the NetFlow traffic is going out.

    Note - You must run these commands in Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. of the applicable Security Group.

    • To add a Netflow collector:

      add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}] enable

    • To change settings of a Netflow collector:

      set netflow collector for-ip <IPv4 Address of Collector>
            ip <IPv4 Address of Collector>
            port <Destination Port on Collector>
            srcaddr <Source IPv4 Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}
            export-format {Netflow_V5 | Netflow_V9 | IPFIX}
            enable
            disable

    • To show a Netflow collector:

      show netflow collector

      show netflow collector<SPACE><TAB>

      show netflow all

    • To delete a Netflow collector:

      delete netflow collector for-ip <IPv4 Address of Collector> [for-port <Destination Port on Collector>]

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

    Parameter

    Description

    ip <IPv4 Address of Collector>

    Specifies the IPv4 address of the NetFlow Collector, to which NetFlow packets are sent. This is mandatory.

    port <Destination Port on Collector>

    Specifies the UDP port number on the NetFlow Collector, on which the collector is listening. This is mandatory. There is no default or standard port number for NetFlow.

    srcaddr <Source IPv4 Address>

    Optional: Specifies the IPv4 address of the NetFlow packets source. This must be an IPv4 address that belongs to one of the local interfaces of the local host. The default (which is recommended) is an IPv4 address that belongs to the network interface that connects to the NetFlow Collector.

    export-format {Netflow_V5 | Netflow_V9 | IPFIX}

    The NetFlow protocol version to send:

    • NetFlow v5

    • NetFlow v9

    • IPFIX (known as "NetFlow v10")

    Each NetFlow protocol version has a different packet format.

    The default is NetFlow v9.

    for-ip <IPv4 Address of Collector>

    for-port <Destination Port on Collector>

    These parameters specify the configured NetFlow Collector.

    If you only have one collector configured, you do not need these parameters.

    If you have two or three collectors with different IP addresses, use "for-ip".

    If you have two or three collectors with the same IP address and different UDP ports, you must use "for-ip" and "for-port" to identify the one to work on.

    1. From the left navigation panel, click Security Policies.

    2. Open the applicable policy.

    3. In the top left corner, click Access Control > Policy.

    4. Add an explicit ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for the traffic that you wish to export with Netflow:

      Important - In the Track column, you must select Log and Accounting.

      Source

      Destination

      VPN

      Services & Applications

      Content

      Action

      Track

      Source
      Host or
      Network
      objects

      Destination
      Host or
      Network
      objects

      *Any

      Applicable
      service
      objects

      * Any

      Accept

      Log

      Accounting

    5. Publish the SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. session.

    6. Install the Access Control policy on the Security Group object.