Our last blog discussed firewalls with NetFlow or sFlow support and outlined the sFlow configuration for FortiGate firewall devices. In addition, below is the configuration for CheckPoint firewalls and SonicWall devices.

CheckPoint Firewall NetFlow Configuration:

CheckPoint IPSO 6.1 introduces support for NetFlow services, which you can use to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network “flows.” A flow is a unidirectional stream of packets that share a given set of characteristics. Click Configuration > Traffic Management > NetFlow to access the NetFlow Configuration page in the Check Point UI. IPSO exports information about flows in flow records. To gather and analyze flow records, you must export them to a NetFlow Analyzer.

You can also configure Check Point devices for NetFlow export through the CLI:

active-timeout seconds // Specifies the number of seconds after which IPSO should export a record for a flow when the flow is still active.

collector ip ip_address port port_number // Specifies the IP address and port number of the NetFlow collector.

enable-acl <on | off> // Enables or disables ACL metering mode. If you use this mode, you define flows by configuring ACL rules. All the traffic that matches a rule is exported in one flow record.

enable-flows <on | off> // Enables or disables flow metering mode. If you use this mode, a flow is any sequence of packets that share:

Source and destination IP addresses

Source and destination port numbers

IPSO exports information about each IP protocol flow as an individual flow record, which may cause a high flow rate. However, NetFlow Analyzer is designed to handle around 10,000 flows per second when installed on a dedicated server that meets the recommended specifications.

export-format <NetFlow_V5 | Netflow_V9 | None> // Specifies the format of the export flow records. Both these formats are supported by NetFlow Analyzer.

inactive-timeout seconds // Specifies the number of seconds to wait while a flow is inactive (no traffic) but has not been terminated. If the specified number of seconds elapses, IPSO exports a record for the flow.

srcaddr ip_address // Specifies the source (local) IP address to be used in export records.

The recommended example NetFlow configuration for use with NetFlow Analyzer is:

active-timeout 60

collector ip 192.168.1.1 port 9996

enable-acl on

enable-flows on

export-format V5

inactive-timeout 15

srcaddr <LAN interface IP address of the firewall>
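
To check on the collector side that records arriving on the collector port really are V5 exports from the configured srcaddr, the datagrams can be decoded and validated. The following is an added example, not code from Check Point or NetFlow Analyzer; the exporter address 192.168.1.254 and the sample flow are constructed placeholders.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
MAX_RECORDS = 30                                     # v5 carries 1 to 30 records per datagram

def parse_v5(datagram, sender_ip, allowed_exporters):
    """Decode one NetFlow v5 datagram; raise ValueError on anything unexpected."""
    # NetFlow over UDP is unauthenticated, so accept only the configured srcaddr.
    if sender_ip not in allowed_exporters:
        raise ValueError(f"datagram from unexpected exporter {sender_ip}")
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, sequence, _etype, _eid, _samp = \
        HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"export-format is not V5 (version field = {version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return sequence, flows

def build_sample():
    """Constructed datagram: one TCP flow 10.0.0.5:51514 -> 203.0.113.10:443."""
    header = HEADER.pack(5, 1, 360000, 1700000000, 0, 42, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("10.0.0.5").packed,
        ipaddress.IPv4Address("203.0.113.10").packed,
        ipaddress.IPv4Address("0.0.0.0").packed,
        1, 2, 12, 4800, 300000, 359000, 51514, 443, 0, 0x1B, 6, 0, 0, 0, 24, 0, 0)
    return header + record

if __name__ == "__main__":
    exporters = {"192.168.1.254"}   # assumed srcaddr of the firewall (placeholder)
    print(parse_v5(build_sample(), "192.168.1.254", exporters))
```

A jump in the returned sequence number between consecutive datagrams from the same exporter indicates flow records lost in transit.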


SonicWall NetFlow Configuration:

SonicWall NSA E5500 with Firmware Version SonicOS Enhanced 5.6.4.0-36o supports the NetFlow v5, NetFlow v9 and IPFIX flow formats. Flow export on SonicWall is currently a beta version, but it is still a good start rather than having nothing at all. All the flow export versions mentioned for SonicWall are supported by NetFlow Analyzer.

SonicWall devices can be configured for NetFlow export through the GUI. Log in to the SonicWall device console and click Log – Flow Reporting to configure flow export. Enter the specific parameters and save them to start your flow export.













If you are already using NetFlow Analyzer, there is no configuration to be done on the product. Your NetFlow Analyzer is ready to support all these devices and all you need is to configure your firewall to export the supported flow format. If you have not yet tried NetFlow Analyzer, 5 minutes is all it takes to install. Download now from here.

Regards,

Praveen Kumar
NetFlow Analyzer Team
