Check Point firewall Netflow v9 to Stealthwatch?

DAVID YARASHUS
Level 5

I'm trying to set up NetFlow export on my Check Point firewall to my Stealthwatch flow collector, but it seems that the data isn't being accepted because the exported records are missing the mandatory "ipv4 tos" key value. I used https://configurenetflow.info/?Platform=CheckPoint+Firewall for basic guidance, and flows are being exported, just not with all the mandatory key values for Stealthwatch. Anyone have this working who can share how to make the necessary changes on the exporter side?

5 Replies

Thanks for the attempt, but those links just show how to turn on NetFlow. The essence of my question has to do with the fact that AFTER successfully turning it on, I found that the flow template they're using is incompatible with Stealthwatch. Is there any way to modify the flow template on the Check Point firewall? So far, their Diamond support team doesn't think so. If I can't modify the flow template being used, can I set default values on Stealthwatch to override the missing mandatory key fields (ipv4 tos & input interface)? Any other ideas?

It means CP doesn't support native NetFlow. The FlowCollector side just accepts normal NetFlow. So, probably the CP support team can answer with the right configuration to cover the native NetFlow generating command or settings.

The link below tells you about the normal format of NetFlow.

https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Oh, I misunderstood your question, sorry.

The NetFlow generated from Checkpoint is missing data such as Type of Service and input interface, right?

I checked the Checkpoint manual but there is no special option for these, just turn on/off only (the only option is NetFlow V5/V9/IPFIX).

I'll check Cisco's internal resources and past cases, and post information if I find something on this.

And is there any chance to change the export format to IPFIX? On the R80 OS, IPFIX was added and it may give different results.

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/207090

Updates for this issue.

I found an old TAC case and it says only the fields below are sent from CheckPoint NetFlow V9:

Source IP address
Destination IP address
Source port
Destination port
Ingress physical interface index (defined by SNMP)
Egress physical interface index (defined by SNMP)
Packet count for this flow
Byte count for this flow
Start of flow timestamp (FIRST_SWITCHED)
End of flow timestamp (LAST_SWITCHED)
IP protocol number
TCP flags from the flow (TCP only)

So if you can't see these values in SWE, it means there is an SWE-side bug, and in this case please open a Cisco TAC case with a PCAP file. The TAC team will analyze/fix it. If you need other data that isn't included in the above list, please contact Checkpoint to enhance the NetFlow fields.

I hope this helps.
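A quick way to verify which fields an exporter actually advertises, rather than relying on a TAC list, is to decode the template FlowSet (FlowSet ID 0) of a captured v9 packet and compare the field-type IDs against the ones the collector treats as mandatory keys. The script below is an added example, not code from Cisco, Check Point or anyone in this thread; it assumes the RFC 3954 field-type numbers (SRC_TOS = 5, INPUT_SNMP = 10, etc.) and uses a constructed packet carrying exactly the fields the TAC case lists, which shows that only the ToS field is absent, since the ingress interface index is already in the list.

```python
import struct

# NetFlow v9 field-type IDs from RFC 3954 for the fields mentioned in the thread.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
# Keys the question says the collector requires (assumption taken from the thread).
REQUIRED = {5: "SRC_TOS (ipv4 tos)", 10: "INPUT_SNMP (input interface)"}

def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, length), ...]} for every template FlowSet."""
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, off = {}, 20  # v9 packet header is 20 bytes
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4:
            raise ValueError("malformed FlowSet length")
        if flowset_id == 0:  # template FlowSet; data and options FlowSets are skipped
            pos, end = off + 4, off + length
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        off += length
    return templates

def missing_required(fields) -> list:
    present = {ftype for ftype, _ in fields}
    return [REQUIRED[f] for f in sorted(REQUIRED) if f not in present]

def build_v9_template_packet(template_id: int, fields) -> bytes:
    """Constructed sample: v9 header plus one template FlowSet and no data records."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)  # version, count, uptime, secs, seq, src
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Constructed template with exactly the fields the TAC case lists for Check Point.
CHECKPOINT_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (10, 4), (14, 4),
                     (2, 4), (1, 4), (22, 4), (21, 4), (4, 1), (6, 1)]
SAMPLE_PACKET = build_v9_template_packet(256, CHECKPOINT_FIELDS)

def check_packet(packet: bytes) -> dict:
    """Map each advertised template ID to the list of required keys it lacks."""
    return {tid: missing_required(f) for tid, f in parse_v9_templates(packet).items()}

if __name__ == "__main__":
    for tid, fields in parse_v9_templates(SAMPLE_PACKET).items():
        print(tid, [FIELD_NAMES.get(t, t) for t, _ in fields], "missing:", missing_required(fields))
```

To run it against a real capture, feed the UDP payload of one exported packet (e.g. extracted from the PCAP with a packet-capture library) to `check_packet`, and re-check after any exporter-side change.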