Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 472
  • Last Modified:

Seeing Netflow data through Orion from inside firewall

Hi all.  I am rather inexperienced Orion/Netflow user.  I downloaded the trial version and installed the full suite on a desktop placed outside our firewall.  I collected Netflow data (v.5) just fine.  However, the goal is to collect it from inside our network before the firewall.  The firewall is many-to-one NATting everything.  This seems to be the only difference.  I had the checkpoint firewall ports opened 2055 and 9996 (I believe), 161, etc.  I can add the device but it still shows "down".  It shows the router (a Cisco 2821) as being a netflow source, and my router is indeed configured and set up to send to the collector.  

What is happening?  I have searched for days and cant' seem to find the answer.  I even changed to version 9 on the router to see if that would help (I heard v9 is configured to work with NAT)....

Any help would be appreciated
0
chaviscm
Asked:
chaviscm
  • 5
  • 5
4 Solutions
 
giltjrCommented:
O.K. to make sure we understand you have something like:


 |---------|            | ------------------|          |-------|
 | Orion | <-----> | Chk. Point FW | <--> | 2821|
 |--------|             |-------------------|          |------ |

O.K. Netflow does not need 161, but if you want Orion to collect SNMP stats it does.   Are you collecting SNMP stats?

Have you allowed ICMP (ping) through the firewall?
0
 
chaviscmAuthor Commented:
I am collecting SNMP stats.  However, ICMP is not allowed through the firewall.  I just received another suggestion that I need to make my destination port he firewall.  I am afraid right now to try that because I am thinking it will make my firewall port a monitor port and might inhibit traffic.  
0
 
giltjrCommented:
Do you see the NetFlow data?

Is your only worry that Orion says the node is down?  Orion tells if the node is down via ICMP.  So, if ICMP is now allowed, Orion will always say the node is down.
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
chaviscmAuthor Commented:
Cool.  Makes sense the ICMP -- which is currently not allowed.  I guess I am not worried about as much as I am worried about not being able to see Netflow data
0
 
giltjrCommented:
O.K. for NetFlow you need to make sure you have the ACL correctly setup.  NetFlow originates from 2821.

So you either need to setup a one-to-one NAT for the system and Orion is running on, or you need to setup port forwarding, so when the Juniper receives traffic with the destination port of 2055 it forwards it to port 2055 on the Orion box.

What are  you using 9996 for?
0
 
chaviscmAuthor Commented:
Well, I am currently not using 9996.  It was the netflow port previously configured for one of our older Orion boxes --- didn't set it up - so not sure why.   I am sorry for the confusion.  

O.k., I think the ACL's aren't a problem because I had it set up outside the firewall and all worked well.  So I ruled out the ACL's on the 2821.  However, I can't see our checkpoint firewall.  That is part of the problem.  I know right now they are not set up to do any port forwarding.  

So, you think if I set my destination port for netflow to the port that connects to the firewall that traffic would not be inhibited?  I would ilke to try this and them have the firewall guys do the port forwarding.
0
 
giltjrCommented:
When I said ACL, I was being generic meaning any/all filters setup anyplace.  However I did get confused and I though you had Juniper firewalls.

Since the Checkpoint FW sits between Orion and the 2821, then it must be configured to allow the 2821 to initiate data transfer to Orion.
0
 
chaviscmAuthor Commented:
o.k.  Have you any experience with setting up the destination ports within netflow?  I am really concerned about that portion.  So if I set up netflow destination as the gigabitethernet0/0 which connects indirectly to the firewall, would that impact my traffic?

Interface Gigaitethernet0/0 ---> internet switch ----> checkpoint firewall

So my config would look like this

interface GigabitEthernet0/0
 description Link connecting to the firewall interface
<other info omitted>
!
!
ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination gigabitethernet0/0



0
 
chaviscmAuthor Commented:
Oops I just realized I made an error in last part of the config.....  it should have read


ip flow-cache timeout active 1
ip flow-export source Serial1/0
ip flow-export version 9
ip flow-export destination <IP of Outside address of FW> 2055


0
 
giltjrCommented:
If you do:

--> ip flow-export destination <IP of Outside address of FW> 2055

Then checkpoint needs to be setup so that it does port forwarding for 2055 to the IP address of Orion.  It should be the same setup as you have for SNMP (161).
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now