Contributor

Check Point firewall Netflow v9 to Stealthwatch?

I'm trying to setup netflow export on my Check Point firewall to my Stealthwatch flow collector, but it seems that the data isn't being accepted because the exported records are missing the mandatory "ipv4 tos" key value.  I used https://configurenetflow.info/?Platform=CheckPoint+Firewall for basic guidance, and flows are being exported, just not with all the mandatory key values for Stealthwatch.  Anyone have this working who can share how to make the necessary changes on the exporter side?

5 REPLIES
Cisco Employee

Re: Check Point firewall Netflow v9 to Stealthwatch?

Contributor

Re: Check Point firewall Netflow v9 to Stealthwatch?

Thanks for the attempt, but those links just show how to turn on NetFlow. The essence of my question has to do with the fact that AFTER successfully turning it on, I found that the flow template they're using is incompatible with Stealthwatch. Is there any way to modify the flow template on the Check Point firewall? So far, their Diamond support team doesn't think so. If I can't modify the flow template being used, can I set default values on Stealthwatch to override the missing mandatory key fields (ipv4 tos & input interface)? Any other ideas?
Cisco Employee

Re: Check Point firewall Netflow v9 to Stealthwatch?

It means CP doesn't support native NetFlow. The FlowCollector side just accepts normal NetFlow. So, probably the CP support team can answer with the right configuration to cover native NetFlow generating commands or settings.

The link below tells you about the normal format of NetFlow.

https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Cisco Employee

Re: Check Point firewall Netflow v9 to Stealthwatch?

Oh, I misunderstood your question, sorry.

The NetFlow generated from Checkpoint has missing data such as Type of Service and input interface, right?

I checked the Checkpoint manual but there is no special option for these, just turn on/off only. (The only option is NetFlow V5/V9/IPFIX.)

I'll check Cisco's internal resources and past cases, and post information if I find something for this.

And is there any chance to change the export format to IPFIX? On R80 OS, IPFIX was added and it may give different results.

 

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/207090

Cisco Employee

Re: Check Point firewall Netflow v9 to Stealthwatch?

Updates for this issue.

I found an old TAC case and it says only the fields below are sent from CheckPoint NetFlow V9:

Source IP address
Destination IP address
Source port
Destination port
Ingress physical interface index (defined by SNMP)
Egress physical interface index (defined by SNMP)
Packet count for this flow
Byte count for this flow
Start of flow timestamp (FIRST_SWITCHED)
End of flow timestamp (LAST_SWITCHED)
IP protocol number
TCP flags from the flow (TCP only)
So if you can't see these values in SWE, it means there is an SWE-side bug, and in this case please open a Cisco TAC case with a PCAP file. The TAC team will analyze/fix it. If you need other data that isn't included in the above list, please contact Checkpoint to enhance the NetFlow fields.

I hope this helps.
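The whole thread comes down to one question: which field types does the exporter's NetFlow v9 template actually carry, and does that set cover what the collector treats as mandatory? That is something you can verify from a packet capture rather than by reading documentation. The script below is an added example, not code from the thread, from Cisco or from Check Point: it parses the Template FlowSet (FlowSet ID 0) of a NetFlow v9 packet per RFC 3954 and reports which of the required keys are absent. The required set (SRC_TOS, field type 5, and INPUT_SNMP, field type 10) is an assumption taken from the posts above, which name "ipv4 tos" and "input interface" as the mandatory keys; the sample packet is constructed here to mirror the field list quoted from the TAC case, it is not a real Check Point capture.

```python
import struct

# NetFlow v9 field type IDs from RFC 3954 section 8 (subset used here).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}

# Assumption from the thread: these are the keys the collector insists on.
REQUIRED_KEYS = {5: "ipv4 tos (SRC_TOS)", 10: "input interface (INPUT_SNMP)"}

# Constructed template mirroring the field list quoted from the TAC case
# (type, length in bytes). Note that SRC_TOS (5) is not among them.
CHECKPOINT_LIKE_FIELDS = [
    (8, 4), (12, 4), (7, 2), (11, 2), (10, 2), (14, 2),
    (2, 4), (1, 4), (22, 4), (21, 4), (4, 1), (6, 1),
]


def build_v9_template_packet(template_id, fields):
    """Build a constructed v9 packet: 20-byte header plus one Template FlowSet."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body  # FlowSet ID 0 = templates
    # version, count, sysUptime, unixSecs, sequence, sourceId (sample values)
    header = struct.pack("!HHIIII", 9, 1, 123456, 1597300000, 1, 0)
    return header + flowset


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    Template FlowSet in the packet; data FlowSets are skipped."""
    if len(packet) < 20:
        raise ValueError("packet shorter than v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates = {}
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        end = offset + fs_len
        if fs_id == 0:
            pos = offset + 4
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                if tid < 256:  # template IDs start at 256; anything lower is padding
                    break
                pos += 4
                if pos + 4 * nfields > end:
                    raise ValueError("template %d overruns FlowSet" % tid)
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        offset = end
    return templates


def missing_required(fields, required=REQUIRED_KEYS):
    """Names of required keys not present in a template's field list."""
    present = {ftype for ftype, _ in fields}
    return [name for ftype, name in required.items() if ftype not in present]


def check_packet(packet):
    """Map each template ID in the packet to the required keys it lacks."""
    return {tid: missing_required(fields) for tid, fields in parse_v9_templates(packet).items()}


if __name__ == "__main__":
    pkt = build_v9_template_packet(256, CHECKPOINT_LIKE_FIELDS)
    for tid, fields in parse_v9_templates(pkt).items():
        print("template", tid, [FIELD_NAMES.get(t, t) for t, _ in fields])
    print("missing:", check_packet(pkt))
```

To run this against a real capture, feed `check_packet` the UDP payload of a packet that carries the template (exporters resend templates periodically, so capture for at least one template refresh interval). An empty result for every template means the keys named in the thread are present and the problem lies elsewhere, which is exactly the case where the TAC suggestion of opening a case with the PCAP applies; a non-empty result pins the gap on the exporter's template.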