Do not miss Netflow capability of Check Point Gaia R77 and above


In the past, measuring the traffic passing through a firewall wasn't easy: you had to either query interface counters via SNMP or run custom Bash scripts on the firewall itself to get interface statistics. The problem with both approaches was that you didn't get exact results, and getting insight into what kind of packets were going through the firewall wasn't easy at all. Sure, you have always had the SmartView Monitor dashboard to see real-time statistics, but you need a separate license for that. Finally, starting with R76 for the regular firewall and R75.40VS for the virtual one, we have Netflow export capability available in Gaia OS. It supports Netflow versions 5 and 9. I haven't tried version 9, but version 5 works as expected in all the common cases. Features and limitations:
- SecureXL (i.e. hardware acceleration) should be enabled for correct results (most of today's firewalls have it on anyway).
- You can set up to 3 external collectors to receive Netflow data. Of course, it means that the same Netflow packet will be sent 3 times; I don't see a reason to do so.
- You can specify the source IP address for outgoing Netflow packets; the default is the IP of the interface where the packets leave.
- Do not forget to set the Netflow version, as the default is 9.

To configure and enable Netflow in Gaia clish (here I send Netflow to 192.168.13.77 port 2055, version 5):

gateway1> add netflow collector ip 192.168.13.77 port 2055 export-format Netflow_V5
gateway1> save config

Verify:

gateway1> show netflow all
Address           Port    Format      Src Addr          Enable
192.168.13.77     2055    Netflow_V5                    yes
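The "show netflow all" output only proves the gateway is configured, not that datagrams actually arrive and parse. The following is an added example (not code from the post or from Check Point) of what runs on the collector side, here assumed to be the host 192.168.13.77 from the commands above, listening on UDP port 2055. It decodes the NetFlow v5 header and 48-byte flow records, tallies bytes per destination, and watches the header's flow_sequence counter so that lost export datagrams (for example when the gateway is under load or the path to the collector drops UDP) show up as a gap rather than silently missing traffic. The sample datagram it builds is constructed for offline testing, not a capture from a gateway.

```python
"""Minimal NetFlow v5 collector: parse datagrams, tally traffic, detect lost exports."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    octets: int
    tcp_flags: int    # OR of TCP flags seen over the flow's lifetime
    in_if: int        # SNMP ifIndex of the ingress interface
    out_if: int       # SNMP ifIndex of the egress interface


def parse_netflow_v5(datagram: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Parse one exported datagram; raise ValueError on truncation or wrong version."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_sequence,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"header announces {count} records, need {needed} bytes, got {len(datagram)}")
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_sequence,
              "engine_id": engine_id, "sampling": sampling}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=str(IPv4Address(f[0])), dst=str(IPv4Address(f[1])),
            in_if=f[3], out_if=f[4], packets=f[5], octets=f[6],
            src_port=f[9], dst_port=f[10], tcp_flags=f[12], proto=f[13]))
    return header, records


class SequenceTracker:
    """flow_sequence is the running total of flows exported; a jump means datagrams were lost."""
    def __init__(self) -> None:
        self.expected_next: Optional[int] = None

    def check(self, flow_sequence: int, count: int) -> int:
        """Return how many flow records went missing before this datagram (0 if none)."""
        gap = 0 if self.expected_next is None else flow_sequence - self.expected_next
        self.expected_next = flow_sequence + count
        return gap


def bytes_per_destination(records: List[FlowRecord]) -> Dict[str, int]:
    """Simple top-talker view: octets summed per destination address."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r.dst] += r.octets
    return dict(totals)


def build_sample_datagram(flow_sequence: int = 100) -> bytes:
    """Constructed sample export (not a capture): two flows crossing the gateway."""
    flows = [  # (src, dst, in_if, out_if, pkts, octets, sport, dport, tcp_flags, proto)
        ("10.0.0.5", "192.168.13.77", 1, 2, 10, 4000, 51000, 443, 0x18, 6),
        ("10.0.0.7", "8.8.8.8", 1, 2, 1, 80, 53000, 53, 0, 17),
    ]
    header = V5_HEADER.pack(5, len(flows), 123456, 1700000000, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, iif, oif,
                       pkts, octs, 120000, 123000, sp, dp, 0, flags, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, iif, oif, pkts, octs, sp, dp, flags, proto in flows)
    return header + body


def collect(bind_ip: str = "0.0.0.0", port: int = 2055) -> None:
    """Listen on the port configured on the gateway and print each datagram's flows."""
    tracker = SequenceTracker()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                header, records = parse_netflow_v5(data)
            except ValueError as exc:
                print(f"{exporter}: dropped datagram: {exc}")
                continue
            lost = tracker.check(header["flow_sequence"], header["count"])
            if lost:
                print(f"{exporter}: {lost} flow records missing before seq {header['flow_sequence']}")
            for r in records:
                print(f"{exporter}: {r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.proto} "
                      f"pkts={r.packets} bytes={r.octets} if {r.in_if}->{r.out_if}")


if __name__ == "__main__":
    collect()
```

Run it on the collector before issuing the "add netflow collector" command, then watch the first datagrams arrive; if the gateway was left at the default export format, the parser rejects the version 9 header with a clear error instead of printing garbage, which is the quickest way to catch the "default is 9" pitfall from the list above.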

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ so you don't miss what I publish on LinkedIn, GitHub, my blog, and more.