01-21-2020 01:36 PM
I'm trying to set up NetFlow export on my Check Point firewall to my Stealthwatch flow collector, but it seems that the data isn't being accepted because the exported records are missing the mandatory "ipv4 tos" key value. I used https://configurenetflow.info/?Platform=CheckPoint+Firewall for basic guidance, and flows are being exported, just not with all the mandatory key values for Stealthwatch. Anyone have this working who can share how to make the necessary changes on the exporter side?
01-23-2020 04:21 AM
It's not an official page. Please check the Checkpoint official page below; it tells you the right configuration.
https://community.checkpoint.com/t5/Logging-and-Reporting/Netflow-configuration/td-p/18620
01-23-2020 11:20 AM
01-23-2020 09:18 PM
It means CP doesn't support native NetFlow. The FlowCollector side just accepts normal NetFlow. So probably the CP support team can answer with the right configuration to cover native NetFlow generating commands or settings.
The link below tells you about the normal format of NetFlow.
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
01-26-2020 03:37 PM
Oh, I misunderstood your question, sorry.
The NetFlow generated from Checkpoint has missing data such as Type of Service and input interface, right?
I checked the Checkpoint manual but there is no special option for these, just on/off only. (The only option is NetFlow V5/V9/IPFIX.)
I'll check Cisco's internal resources and past cases, and post information if I find something for this.
And is there any chance to change the export format to IPFIX? On R80 OS, IPFIX was added and it may give different results.
01-27-2020 05:26 AM
Updates for this issue.
I found an old TAC case and it says only the fields below are sent from CheckPoint NetFlow V9:
Source IP address
Destination IP address
Source port
Destination port
Ingress physical interface index (defined by SNMP)
Egress physical interface index (defined by SNMP)
Packet count for this flow
Byte count for this flow
Start of flow timestamp (FIRST_SWITCHED)
End of flow timestamp (LAST_SWITCHED)
IP protocol number
TCP flags from the flow (TCP only)
So if you can't see these values in SWE, it means there is an SWE side bug, and in this case please open a Cisco TAC case with a PCAP file. The TAC team will analyze/fix it. If you need other data that isn't included in the above list, please contact Checkpoint to enhance the NetFlow fields.
I hope this helps.
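A way to confirm which keys an exporter's NetFlow v9 template actually carries, before opening a case, is to parse the template FlowSet and compare its field type IDs against the collector's required set. The following is an added example, not code from the thread, Check Point or Cisco. It builds a constructed v9 packet whose template mirrors the field list quoted from the TAC case above (field type IDs per RFC 3954), and the REQUIRED_FIELDS set is an assumption: only SRC_TOS (type 5, the "ipv4 tos" key) is named as mandatory in the thread; the other entries are illustrative.

```python
import struct

# NetFlow v9 field type IDs (subset) as defined in RFC 3954
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}

# (type, length) pairs mirroring the field list the thread quotes from the TAC case
CHECKPOINT_FIELDS = [
    (8, 4), (12, 4), (7, 2), (11, 2), (10, 2), (14, 2),
    (2, 4), (1, 4), (22, 4), (21, 4), (4, 1), (6, 1),
]

# ASSUMPTION: collector-side mandatory keys; only SRC_TOS (5) is named in the thread
REQUIRED_FIELDS = {8, 12, 7, 11, 4, 5}


def build_template_packet(template_id, fields, source_id=1):
    """Construct a minimal NetFlow v9 packet containing one template FlowSet."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    # FlowSet ID 0 = template FlowSet; length covers the 4-byte FlowSet header too
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    # Header: version, count, sysUpTime, UNIX secs, sequence, source ID (20 bytes)
    header = struct.pack("!HHIIII", 9, 1, 123456, 1579600000, 1, source_id)
    return header + flowset


def parse_templates(packet):
    """Return {template_id: [(type, length), ...]} from every template FlowSet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than NetFlow v9 header")
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        end = offset + fs_len
        if fs_len < 4 or end > len(packet):
            raise ValueError("malformed FlowSet length")
        if fs_id == 0:  # template FlowSet; data (>=256) and options (1) are skipped
            pos = offset + 4
            while pos + 4 <= end:
                tid, fcount = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                if tid == 0 and fcount == 0:  # zero padding at end of FlowSet
                    break
                fields = []
                for _ in range(fcount):
                    if pos + 4 > end:
                        raise ValueError("truncated template record")
                    fields.append(struct.unpack("!HH", packet[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        offset = end
    return templates


def missing_required(fields, required=REQUIRED_FIELDS):
    """Field type IDs from `required` that the template does not carry."""
    present = {ftype for ftype, _ in fields}
    return sorted(required - present)


def audit_packet(packet):
    """Map each template ID in the packet to the names of its missing required keys."""
    return {
        tid: [FIELD_NAMES.get(t, f"type_{t}") for t in missing_required(fields)]
        for tid, fields in parse_templates(packet).items()
    }


if __name__ == "__main__":
    pkt = build_template_packet(256, CHECKPOINT_FIELDS)
    print(audit_packet(pkt))  # {256: ['SRC_TOS']}
```

On a live capture you would feed `audit_packet` the UDP payload of each packet from the exporter's PCAP; an empty list for a template means every required key is present, so a collector still rejecting those flows points at the collector side, which matches the diagnosis in the reply above.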