Solved

Seeing Netflow data through Orion from inside firewall

Posted on 2010-09-21
10
444 Views
Last Modified: 2012-05-10
Hi all.  I am rather inexperienced Orion/Netflow user.  I downloaded the trial version and installed the full suite on a desktop placed outside our firewall.  I collected Netflow data (v.5) just fine.  However, the goal is to collect it from inside our network before the firewall.  The firewall is many-to-one NATting everything.  This seems to be the only difference.  I had the checkpoint firewall ports opened 2055 and 9996 (I believe), 161, etc.  I can add the device but it still shows "down".  It shows the router (a Cisco 2821) as being a netflow source, and my router is indeed configured and set up to send to the collector.  

What is happening?  I have searched for days and cant' seem to find the answer.  I even changed to version 9 on the router to see if that would help (I heard v9 is configured to work with NAT)....

Any help would be appreciated
0
Comment
Question by:chaviscm
  • 5
  • 5
10 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 33733206
O.K. to make sure we understand you have something like:


 |---------|            | ------------------|          |-------|
 | Orion | <-----> | Chk. Point FW | <--> | 2821|
 |--------|             |-------------------|          |------ |

O.K. Netflow does not need 161, but if you want Orion to collect SNMP stats it does.   Are you collecting SNMP stats?

Have you allowed ICMP (ping) through the firewall?
0
 

Author Comment

by:chaviscm
ID: 33734353
I am collecting SNMP stats.  However, ICMP is not allowed through the firewall.  I just received another suggestion that I need to make my destination port he firewall.  I am afraid right now to try that because I am thinking it will make my firewall port a monitor port and might inhibit traffic.  
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 33734440
Do you see the NetFlow data?

Is your only worry that Orion says the node is down?  Orion tells if the node is down via ICMP.  So, if ICMP is now allowed, Orion will always say the node is down.
0
 

Author Comment

by:chaviscm
ID: 33734499
Cool.  Makes sense the ICMP -- which is currently not allowed.  I guess I am not worried about as much as I am worried about not being able to see Netflow data
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 33734572
O.K. for NetFlow you need to make sure you have the ACL correctly setup.  NetFlow originates from 2821.

So you either need to setup a one-to-one NAT for the system and Orion is running on, or you need to setup port forwarding, so when the Juniper receives traffic with the destination port of 2055 it forwards it to port 2055 on the Orion box.

What are  you using 9996 for?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:chaviscm
ID: 33734865
Well, I am currently not using 9996.  It was the netflow port previously configured for one of our older Orion boxes --- didn't set it up - so not sure why.   I am sorry for the confusion.  

O.k., I think the ACL's aren't a problem because I had it set up outside the firewall and all worked well.  So I ruled out the ACL's on the 2821.  However, I can't see our checkpoint firewall.  That is part of the problem.  I know right now they are not set up to do any port forwarding.  

So, you think if I set my destination port for netflow to the port that connects to the firewall that traffic would not be inhibited?  I would ilke to try this and them have the firewall guys do the port forwarding.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33735113
When I said ACL, I was being generic meaning any/all filters setup anyplace.  However I did get confused and I though you had Juniper firewalls.

Since the Checkpoint FW sits between Orion and the 2821, then it must be configured to allow the 2821 to initiate data transfer to Orion.
0
 

Author Comment

by:chaviscm
ID: 33735539
o.k.  Have you any experience with setting up the destination ports within netflow?  I am really concerned about that portion.  So if I set up netflow destination as the gigabitethernet0/0 which connects indirectly to the firewall, would that impact my traffic?

Interface Gigaitethernet0/0 ---> internet switch ----> checkpoint firewall

So my config would look like this

interface GigabitEthernet0/0
 description Link connecting to the firewall interface
<other info omitted>
!
!
ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination gigabitethernet0/0



0
 

Author Comment

by:chaviscm
ID: 33735736
Oops I just realized I made an error in last part of the config.....  it should have read


ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination <IP of Outside address of FW> 2055


0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 33736293
If you do:

--> ip flow-export destination <IP of Outside address of FW> 2055

Then checkpoint needs to be setup so that it does port forwarding for 2055 to the IP address of Orion.  It should be the same setup as you have for SNMP (161).
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now