Solved

Seeing Netflow data through Orion from inside firewall

Posted on 2010-09-21
10
450 Views
Last Modified: 2012-05-10
Hi all.  I am rather inexperienced Orion/Netflow user.  I downloaded the trial version and installed the full suite on a desktop placed outside our firewall.  I collected Netflow data (v.5) just fine.  However, the goal is to collect it from inside our network before the firewall.  The firewall is many-to-one NATting everything.  This seems to be the only difference.  I had the checkpoint firewall ports opened 2055 and 9996 (I believe), 161, etc.  I can add the device but it still shows "down".  It shows the router (a Cisco 2821) as being a netflow source, and my router is indeed configured and set up to send to the collector.  

What is happening?  I have searched for days and cant' seem to find the answer.  I even changed to version 9 on the router to see if that would help (I heard v9 is configured to work with NAT)....

Any help would be appreciated
0
Comment
Question by:chaviscm
  • 5
  • 5
10 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 33733206
O.K. to make sure we understand you have something like:


 |---------|            | ------------------|          |-------|
 | Orion | <-----> | Chk. Point FW | <--> | 2821|
 |--------|             |-------------------|          |------ |

O.K. Netflow does not need 161, but if you want Orion to collect SNMP stats it does.   Are you collecting SNMP stats?

Have you allowed ICMP (ping) through the firewall?
0
 

Author Comment

by:chaviscm
ID: 33734353
I am collecting SNMP stats.  However, ICMP is not allowed through the firewall.  I just received another suggestion that I need to make my destination port he firewall.  I am afraid right now to try that because I am thinking it will make my firewall port a monitor port and might inhibit traffic.  
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 33734440
Do you see the NetFlow data?

Is your only worry that Orion says the node is down?  Orion tells if the node is down via ICMP.  So, if ICMP is now allowed, Orion will always say the node is down.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:chaviscm
ID: 33734499
Cool.  Makes sense the ICMP -- which is currently not allowed.  I guess I am not worried about as much as I am worried about not being able to see Netflow data
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 33734572
O.K. for NetFlow you need to make sure you have the ACL correctly setup.  NetFlow originates from 2821.

So you either need to setup a one-to-one NAT for the system and Orion is running on, or you need to setup port forwarding, so when the Juniper receives traffic with the destination port of 2055 it forwards it to port 2055 on the Orion box.

What are  you using 9996 for?
0
 

Author Comment

by:chaviscm
ID: 33734865
Well, I am currently not using 9996.  It was the netflow port previously configured for one of our older Orion boxes --- didn't set it up - so not sure why.   I am sorry for the confusion.  

O.k., I think the ACL's aren't a problem because I had it set up outside the firewall and all worked well.  So I ruled out the ACL's on the 2821.  However, I can't see our checkpoint firewall.  That is part of the problem.  I know right now they are not set up to do any port forwarding.  

So, you think if I set my destination port for netflow to the port that connects to the firewall that traffic would not be inhibited?  I would ilke to try this and them have the firewall guys do the port forwarding.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33735113
When I said ACL, I was being generic meaning any/all filters setup anyplace.  However I did get confused and I though you had Juniper firewalls.

Since the Checkpoint FW sits between Orion and the 2821, then it must be configured to allow the 2821 to initiate data transfer to Orion.
0
 

Author Comment

by:chaviscm
ID: 33735539
o.k.  Have you any experience with setting up the destination ports within netflow?  I am really concerned about that portion.  So if I set up netflow destination as the gigabitethernet0/0 which connects indirectly to the firewall, would that impact my traffic?

Interface Gigaitethernet0/0 ---> internet switch ----> checkpoint firewall

So my config would look like this

interface GigabitEthernet0/0
 description Link connecting to the firewall interface
<other info omitted>
!
!
ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination gigabitethernet0/0



0
 

Author Comment

by:chaviscm
ID: 33735736
Oops I just realized I made an error in last part of the config.....  it should have read


ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination <IP of Outside address of FW> 2055


0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 33736293
If you do:

--> ip flow-export destination <IP of Outside address of FW> 2055

Then checkpoint needs to be setup so that it does port forwarding for 2055 to the IP address of Orion.  It should be the same setup as you have for SNMP (161).
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
adding a printer to QAD 10 68
f5 Persistence 14 53
Cisco WAP POE power 28 81
DNS Server 7 27
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question