chaviscm asked:
Seeing Netflow data through Orion from inside firewall
Hi all. I am a rather inexperienced Orion/Netflow user. I downloaded the trial version and installed the full suite on a desktop placed outside our firewall. I collected Netflow data (v.5) just fine. However, the goal is to collect it from inside our network, before the firewall. The firewall is many-to-one NATting everything. This seems to be the only difference. I had the Checkpoint firewall ports opened (2055 and 9996, I believe, 161, etc.). I can add the device but it still shows "down". It shows the router (a Cisco 2821) as being a Netflow source, and my router is indeed configured and set up to send to the collector.
What is happening? I have searched for days and can't seem to find the answer. I even changed to version 9 on the router to see if that would help (I heard v9 is configured to work with NAT)...
Any help would be appreciated
ASKER
Cool. Makes sense about the ICMP, which is currently not allowed. I guess I am not worried about that as much as I am worried about not being able to see Netflow data.
ASKER
Well, I am currently not using 9996. It was the Netflow port previously configured for one of our older Orion boxes. I didn't set it up, so I am not sure why. I am sorry for the confusion.
O.k., I think the ACLs aren't a problem because I had it set up outside the firewall and all worked well. So I ruled out the ACLs on the 2821. However, I can't see our Checkpoint firewall. That is part of the problem. I know right now they are not set up to do any port forwarding.
So, you think if I set my destination port for Netflow to the port that connects to the firewall, that traffic would not be inhibited? I would like to try this and then have the firewall guys do the port forwarding.
When I said ACL, I was being generic, meaning any/all filters set up anyplace. However, I did get confused and I thought you had Juniper firewalls.
Since the Checkpoint FW sits between Orion and the 2821, it must be configured to allow the 2821 to initiate data transfer to Orion.
ASKER
O.k. Have you any experience with setting up the destination ports within Netflow? I am really concerned about that portion. So if I set up the Netflow destination as the GigabitEthernet0/0, which connects indirectly to the firewall, would that impact my traffic?
Interface GigabitEthernet0/0 ---> internet switch ----> Checkpoint firewall
So my config would look like this:
interface GigabitEthernet0/0
description Link connecting to the firewall interface
<other info omitted>
!
!
ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination gigabitethernet0/0
ASKER
Oops, I just realized I made an error in the last part of the config... it should have read:
ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination <IP of Outside address of FW> 2055
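As an added collector-side check (not part of this thread, and not Orion's or Cisco's code), the following Python decodes the fixed header of NetFlow v5 and v9 export datagrams and reports the address each one arrived from on UDP 2055, so you can confirm whether the 2821's exports reach the collector at all and which version they carry. The sample datagrams are constructed, not captured, and listen() assumes it runs on the collector host itself.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional
@dataclass
class FlowHeader:
    version: int
    count: int                # v5: flow records; v9: FlowSets in this datagram
    sys_uptime_ms: int
    unix_secs: int
    source_id: Optional[int]  # v9 only (observation domain); None for v5

def parse_netflow_header(packet: bytes) -> FlowHeader:
    """Decode the fixed header of a NetFlow v5 (24-byte) or v9 (20-byte) export datagram."""
    if len(packet) < 4:
        raise ValueError("datagram too short for a NetFlow header")
    version, count = struct.unpack("!HH", packet[:4])
    if version == 5:
        if len(packet) < 24:
            raise ValueError("truncated NetFlow v5 header")
        # SysUptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
        uptime, secs, _ns, _seq, _et, _eid, _samp = struct.unpack("!IIIIBBH", packet[4:24])
        return FlowHeader(5, count, uptime, secs, None)
    if version == 9:
        if len(packet) < 20:
            raise ValueError("truncated NetFlow v9 header")
        # SysUptime, unix_secs, package_sequence, source_id
        uptime, secs, _seq, source_id = struct.unpack("!IIII", packet[4:20])
        return FlowHeader(9, count, uptime, secs, source_id)
    raise ValueError(f"unsupported NetFlow version {version}")
def constructed_datagrams() -> dict:
    """Constructed sample headers for offline testing, not captured traffic."""
    return {
        "v5": struct.pack("!HHIIIIBBH", 5, 3, 123456, 1600000000, 0, 42, 0, 0, 0),
        "v9": struct.pack("!HHIIII", 9, 2, 123456, 1600000000, 7, 256),
    }

def listen(port: int = 2055) -> None:
    """Bind the collector port and print who sent each datagram. Behind many-to-one
    NAT the peer address is the firewall's outside address, not the router's."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (peer_ip, peer_port) = sock.recvfrom(65535)
            try:
                hdr = parse_netflow_header(data)
            except ValueError as exc:
                print(f"{peer_ip}:{peer_port} unparsable: {exc}")
                continue
            print(f"{peer_ip}:{peer_port} -> v{hdr.version} count={hdr.count} uptime_ms={hdr.sys_uptime_ms} source_id={hdr.source_id}")
```

Run listen() on the collector while the router exports: the printed peer address is what a collector sees as the exporter, so if it is the firewall's outside address rather than the 2821's, the NAT is rewriting the source the collector matches the device against.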