CheckPoint Firewall NetFlow Configuration

    Check Point IPSO 6.1 introduces support for NetFlow, which you can use to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network “flows.” A flow is a unidirectional stream of packets that share a given set of characteristics. IPSO exports information about flows in flow records; to gather and analyze those records, you must export them to NetFlow Analyzer. In the Check Point web UI, click Configuration > Traffic Management > NetFlow to open the NetFlow Configuration page.

    You can also configure Check Point devices for NetFlow export through the CLI. The parameters are:

    • active-timeout seconds // Number of seconds after which IPSO exports a record for a flow that is still active. Long-lived flows are therefore reported as a series of records, each covering at most this many seconds.
    • collector ip ip_address port port_number // IP address and UDP port of the NetFlow collector, i.e. the NetFlow Analyzer server.
    • enable-acl <on | off> // Enables or disables ACL metering mode. In this mode you define flows by configuring ACL rules; all traffic that matches a rule is exported in one flow record.
    • enable-flows <on | off> // Enables or disables flow metering mode. In this mode a flow is any sequence of packets that share
      • source and destination IP addresses
      • source and destination port numbers
      Each such flow is exported as an individual flow record, so this mode can produce a high flow rate. NetFlow Analyzer is designed to handle around 10,000 flows per second when installed on a dedicated server that meets the recommended specifications.
    • export-format <NetFlow_V5 | NetFlow_V9 | None> // Format of the exported flow records. NetFlow Analyzer supports both NetFlow v5 and v9.
    • inactive-timeout seconds // Number of seconds to wait while a flow is inactive (no traffic) but has not been terminated. When that many seconds elapse, IPSO exports a record for the flow.
    • srcaddr ip_address // Source (local) IP address from which the export datagrams are sent; the collector sees the firewall under this address.

    The recommended NetFlow configuration for use with NetFlow Analyzer is as follows. Here 192.168.1.1 stands for the NetFlow Analyzer server and 9996 is its default NetFlow listening port; the export format matches the NetFlow_V5 keyword listed above.

    • active-timeout 60
    • collector ip 192.168.1.1 port 9996
    • enable-acl on
    • enable-flows on
    • export-format NetFlow_V5
    • inactive-timeout 15
    • srcaddr <LAN interface IP address of the firewall>
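Once the configuration above is applied, the practical check is to confirm that well-formed NetFlow v5 datagrams actually arrive on the collector port from the address set with srcaddr. The following decoder is an added example written for this page; it is not Check Point, IPSO or NetFlow Analyzer code. It builds one constructed v5 export datagram of the kind IPSO emits with export-format NetFlow_V5, decodes it the way a collector does, and applies a sanity check tied to the recommended active-timeout of 60 seconds (no single record should span longer than that). The listen() helper binds UDP 9996 so the same decoder can be pointed at a real exporter; all addresses, ports and flow values in the sample are made up.

```python
"""NetFlow v5 decoder and export sanity check (added example, constructed data)."""
import socket
import struct

# Wire layout from the NetFlow v5 export format: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def decode_v5(datagram: bytes) -> dict:
    """Parse one export datagram; reject anything that is not a consistent v5 packet."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {header['version']})")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"count={header['count']} implies {expected} bytes, got {len(datagram)}")
    flows = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        # first/last are exporter uptime in milliseconds, so this is the slice length.
        rec["duration_ms"] = rec["last"] - rec["first"]
        flows.append(rec)
    return {"header": header, "flows": flows}


def build_v5(flows, sys_uptime=600_000, unix_secs=1_700_000_000, seq=0) -> bytes:
    """Exporter side, used here only to construct test input (max 30 records per datagram)."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    out = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    for f in flows:
        out += V5_RECORD.pack(
            socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
            socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f.get("input", 1), f.get("output", 2), f["dpkts"], f["doctets"],
            f["first"], f["last"], f["srcport"], f["dstport"], 0,
            f.get("tcp_flags", 0), f["prot"], f.get("tos", 0), 0, 0, 24, 24, 0)
    return out


def check_export(datagram: bytes, active_timeout_s: int = 60) -> list:
    """Flag records longer than active-timeout: with active-timeout 60 each slice is <= 60 s."""
    problems = []
    for f in decode_v5(datagram)["flows"]:
        if f["duration_ms"] > active_timeout_s * 1000:
            problems.append(f"{f['srcaddr']}:{f['srcport']} -> {f['dstaddr']}:{f['dstport']} "
                            f"spans {f['duration_ms']} ms, longer than active-timeout {active_timeout_s}s")
    return problems


# Constructed sample: one TCP session to an HTTPS server and one DNS query (made-up values).
SAMPLE_FLOWS = [
    {"srcaddr": "10.0.0.25", "dstaddr": "203.0.113.10", "srcport": 51234, "dstport": 443,
     "prot": 6, "tcp_flags": 0x1b, "dpkts": 42, "doctets": 31000, "first": 540_000, "last": 599_000},
    {"srcaddr": "10.0.0.40", "dstaddr": "10.0.0.1", "srcport": 53511, "dstport": 53,
     "prot": 17, "dpkts": 1, "doctets": 73, "first": 598_500, "last": 598_500},
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)


def listen(port: int = 9996, max_datagrams: int = 1) -> None:
    """Bind the collector port and decode what a real exporter sends (not run by default).
    The peer address printed should equal the firewall's srcaddr setting."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(max_datagrams):
            data, (exporter_ip, _) = sock.recvfrom(65535)
            pkt = decode_v5(data)
            print(f"from {exporter_ip}: seq={pkt['header']['flow_sequence']} flows={pkt['header']['count']}")
            for f in pkt["flows"]:
                print(f"  {f['srcaddr']}:{f['srcport']} -> {f['dstaddr']}:{f['dstport']} "
                      f"proto={f['prot']} pkts={f['dpkts']} bytes={f['doctets']}")


if __name__ == "__main__":
    decoded = decode_v5(SAMPLE_DATAGRAM)
    print(decoded["header"])
    for flow in decoded["flows"]:
        print(flow)
    print("problems:", check_export(SAMPLE_DATAGRAM))
```

Run it as-is to exercise the decoder on the constructed datagram, or call listen() on the NetFlow Analyzer host (with the product's own listener stopped, since only one process can bind UDP 9996) to see the firewall's first real export. Because NetFlow export is plain UDP with no authentication or encryption, keep the path between the firewall's srcaddr interface and the collector on a trusted management network and filter the collector port to the expected exporter addresses; otherwise anyone on that path can read or forge flow records.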