NetFlow Export

Introduction

NetFlow is an industry standard for traffic monitoring. Cisco developed this network protocol to collect network traffic patterns and volume.

One host (the NetFlow Exporter) sends information about its network flows to a different host (the NetFlow Collector).

A network flow is a unidirectional stream of packets that contain the same set of characteristics.

You can configure Security Gateways and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members as an Exporter of NetFlow records for all the traffic that passes through.

Note - The state of the SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. is irrelevant for NetFlow export.

The NetFlow Collector is a different external server, and you configure it separately.

NetFlow Export configuration is a list of collectors, to which the service sends records:

To enable NetFlow, configure at minimum one NetFlow Collector.
To disable NetFlow, remove all NetFlow Collectors from the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. configuration.

You can configure a maxumum of three NetFlow Collectors. Gaia sends the NetFlow records go to all configured NetFlow Collectors. If you configure three NetFlow Collectors, Gaia sends each NetFlow record three times.

Regardless of which NetFlow export format you configure, Gaia exports values as set of fields.

The fields

Source IP address.
Destination IP address.
Source port.
Destination port.
Ingress physical interface index (defined by SNMP).
Egress physical interface index (defined by SNMP).
Packet count for this flow.
Byte count for this flow.
Start of flow timestamp (FIRST_SWITCHED).
End of flow timestamp (LAST_SWITCHED).
IP protocol number.
TCP flags from the flow (TCP only).
VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. VSID.

Notes:

The IP addresses and TCP/UDP ports the NetFlow reports are the ones, on which the NetFlow expects to receive traffic.

Therefore, for NAT connections, the NetFlow reports one of the two directions of the flow with the NATed address.
NetFlow sends the connection records after the connections terminated.

If the connections are open for a long time, it can take time for the NetFlow to sends the records.

For more information, see sk102041.

Configuration Procedure

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Configure the NetFlow Export settings in Gaia

You can configure these settings in Gaia Portal Web interface for the Check Point Gaia operating system., or in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Configuring the NetFlow settings in Gaia Portal

In the left navigation tree, click Network Management > NetFlow Export.
In the Collectors section, click Add.

Enter the required data for each collector:

Parameter	Description
IP Address	The destination IPv4 address, to which Gaia sends the NetFlow packets. This parameter is mandatory.
UDP Port Number	The destination UDP port number, on which the collector listens. This parameter is mandatory. There is no default or standard port number for NetFlow.
Export Format	The NetFlow protocol version to use: Netflow_V5 - Protocol NetFlow v5 Netflow_V9 - Protocol NetFlow v9 IPFIX - Known as protocol "NetFlow v10" Each protocol version has a different packet format. The default is Netflow_V9.
Source IP address	Optional: The source IPv4 address of the NetFlow packets. This must be an IPv4 address of the local host. The default is an IPv4 address of the network interface, from which Gaia sends the NetFlow packets. We recommend the default.
Enable	Select this option to enable the configured NetFlow Collector.

Click OK.

In the Advanced Options section, the NetFlow Fw rule option controls for which traffic to enable the NetFlow export:

Scenario

Instructions

You performed a Clean Install of R81

By default (this option is cleared) the NetFlow export is enabled for traffic accepted by all Access Control rules.

You can select this option to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Important - If you selected this option, you must configure the applicable Access Control rules in SmartConsole.

You upgraded to R81 from R80.40 or lower version

You must:

Configure select this option in Gaia Portal and click Apply.
Configure the applicable Access Control rules with the Track option Log and Accounting in SmartConsole.

Configuring the NetFlow settings in Gaia Clish

Configure a new NetFlow collector:

add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address>] export-format {Netflow_V5 | Netflow_V9 | IPFIX} enable {yes | no}

Configure for which traffic to enable the NetFlow export:

set netflow fwrule {1 | 0}

Scenario

Instructions

You performed a Clean Install of R81

By default (value 0) the NetFlow export is enabled for traffic accepted by all Access Control rules.

You can configure the value 1 to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

Important - If you configure the value 1, you must configure the applicable Access Control rules in SmartConsole.

You upgraded to R81 from R80.40 or lower version

You must:

Configure the value 0 in Gaia Clish.
Configure the applicable Access Control rules with the Track option Log and Accounting in SmartConsole.

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

In SmartConsole, configure the explicit Access Control rules

Important - This step is necessary only in these cases:

In Gaia Portal you selected the option "NetFlow Fw rule"
In Gaia Clish you ran the command "set netflow fwrule 0".

From the left navigation panel, click Security Policies.
Open the applicable policy.
In the top left corner, click Access Control > Policy.

Add an explicit rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for the traffic that you wish to export with NetFlow:

Important - In the Track column, you must select Log and Accounting.

Source	Destination	VPN	Services & Applications	Content	Action	Track
Source Host or Network objects	Destination Host or Network objects	`*Any`	Applicable service objects	`* Any`	`Accept`	`Log` `Accounting`

Source

Destination

VPN

Services & Applications

Content

Action

Track

Source
Host or
Network
objects

Destination
Host or
Network
objects

*Any

Applicable
service
objects

* Any

Accept

Log

Accounting

Publish the SmartConsole session.
Install the Access Control policy on the Security Gateway or Cluster object.

Available Commands in Gaia Clish

Syntax

To configure a new NetFlow collector:

add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address>] export-format {Netflow_V5 | Netflow_V9 | IPFIX} enable {yes | no}

To change settings of an existing NetFlow collector:

set netflow collector
      ip <IPv4 Address of Collector> port <Destination Port on Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source IPv4 Address>] enable {yes | no}
      for-ip <IPv4 Address of Collector>
            ip <IPv4 Address of Collector> port <Destination Port on Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source IPv4 Address>] enable {yes | no}
            for-port <Destination Port on Collector> ip <IPv4 Address of Collector> port <Destination Port on Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source IPv4 Address>] enable {yes | no}

To configure for which traffic the NetFlow exports its records:

set netflow fwrule {1 | 0}

To show the configured NetFlow collectors:

show netflow
      all
      collector
            enable
            export-format
            ip
            port
            srcaddr
            for-ip <IPv4 Address of Collector>
                  enable
                  export-format
                  port
                  srcaddr
                  for-port <Destination Port on Collector>
                        enable
                        export-format
                        srcaddr

To show for which traffic the NetFlow exports its records:

show netflow fwrule

To delete a configured NetFlow collector:

delete netflow collector for-ip <IPv4 Address of Collector> [for-port <Destination Port on Collector>

CLI Parameters

Parameter

Description

ip <IPv4 Address of Collector>

Specifies the destination IPv4 address of the NetFlow Collector, to which Gaia sends the NetFlow packets.

This parameter is mandatory.

port <Destination Port on Collector>

Specifies the destination UDP port number on the NetFlow Collector, on which the collector listens.

This parameter is mandatory.

There is no default or standard port number for NetFlow.

srcaddr <Source IPv4 Address>

Optional: Specifies the source IPv4 address of the NetFlow packets.

This must be an IPv4 address of the local host.

The default is an IPv4 address of the network interface, from which Gaia sends the NetFlow packets.

We recommend the default.

export-format {Netflow_V5 | Netflow_V9 | IPFIX}

The NetFlow protocol version to use:

Netflow_V5 - Protocol NetFlow v5
Netflow_V9 - Protocol NetFlow v9 (default)
IPFIX - Known as protocol "NetFlow v10"

Each NetFlow protocol version has a different packet format.

for-ip <IPv4 Address of Collector>

for-port <Destination Port on Collector>

These parameters specify the configured NetFlow Collector.

Notes:

If you configured only one collector, it is not necessary to use these parameters.
If you configured two or three collectors with different IP addresses, use the "for-ip" parameter.
If you configured two or three collectors with the same IP address and different UDP ports, you must use the "for-ip" and "for-port" parameters to identify the collectors.

set netflow fwrule {1 | 0}

Specifies for which traffic to enable the NetFlow export:

Scenario

Instructions

You performed a Clean Install of R81

By default (value 0) the NetFlow export is enabled for traffic accepted by all Access Control rules.

You can configure the value 1 to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

Important - If you configure the value 1, you must configure the applicable Access Control rules in SmartConsole.

You upgraded to R81 from R80.40 or lower version

You must:

Configure the value 0 in Gaia Clish.
Configure the applicable Access Control rules with the Track option Log and Accounting in SmartConsole.

show netflow fwrule

Shows for which traffic the NetFlow exports its records:

1

The NetFlow export is enabled only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.
0

The NetFlow export is enabled for traffic accepted by all Access Control rules.