CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2006-01-24
Huisje
Junior Member
Join Date: 2005-11-10
Posts: 17

Monitor traffic on my Check Point

Hi,

I am trying to find a way to track the traffic that flows through my Check Point firewall in a way that is similar to what NetFlow packets would show me.

The CP's log files only seem to keep track of connections, which does not give an accurate view of the actual traffic generated, since one connection can be responsible for a lot of traffic while many others for very little.

The goal would be that in the end I am able to distinguish the biggest talkers, be it by source, by service or by destination.

I am already monitoring the WAN router to which my CP connects, and the information I get from it via NetFlow is very helpful in determining who is using the link and why. The problem is that on the CP I have a) VPNs configured, b) NAT configured.
So all VPN traffic is seen by the WAN router as ESP traffic, and I obviously cannot look inside the packets to get other info out of it.
The NATing isn't that big of a problem, because if I find a big talker on the WAN device, for example using TCP 21 to a given destination, I can find the real host that accessed that destination in the CP log because the connection in question will be in there.

But in the end, it would be nice if I could have some way to get all of this from the CP. I already tried playing with fw monitor to do this, but I cannot seem to make it not save the payload of the packet when I write to a log file (so the file gets too big). The idea I had was to have fw monitor log the traffic just as NetFlow would, and I could then use my monitoring host to do things with that information. The problems I am having are that a) when I reinstall a policy fw monitor stops working, so it has to be restarted, and b) I am surely going to lose information when I stop and restart fw monitor to switch to a new log file, making the information unreliable.

I was wondering if anyone had any thoughts/ideas on this?

Thanks & regards,

Kevin
#2
2006-01-24
ddarby1
Member
Join Date: 2006-01-09
Posts: 72

Re: Monitor traffic on my Check Point

Kevin,

I'm not an expert, but one thing I could suggest is the 'fw monitor -l len' command to limit the length of the captured packet, omitting large payloads.

However, this doesn't necessarily address some of the other problems you've mentioned.

Have you played around with SmartView Monitor? It's pretty good at retrieving traffic usage details.

Otherwise, I've found Eventia Reporter an easy way of producing comprehensive and historic reports on trends, usage, etc. Perhaps you could try evaluating it?
#3
2006-01-24
Peter
Junior Member
Join Date: 2005-12-02
Location: France
Posts: 27

Re: Monitor traffic on my Check Point

You need FloodGate to monitor and manage your bandwidth. A SmartMonitor license is normally included in the FloodGate license. You can create bandwidth rules with the same structure as your firewall rules (source, destination, service), and you can put priorities and limits on the rules. Also, you can monitor your rules in real time using SmartMonitor.
#4
2006-01-24
Huisje
Junior Member
Join Date: 2005-11-10
Posts: 17

Re: Monitor traffic on my Check Point

ddarby1,
Thanks for your reply.
I played with 'fw monitor -l len' before, but you can't combine that with the '-o <file>' option. With -o it writes the raw data to a file, and you can handle this pretty nicely with network analyzers like Ethereal. But it's just not workable to store this info with the packet's full payload in there.

I haven't played around with SmartView Monitor yet, no; it complains I don't have a license for it.

I think I'll go with getting SmartView Monitor to work, especially after what Peter mentioned in his post (thanks btw Peter); that sounds exactly like what I want! If that fails, I might look into Eventia Reporter, thanks for the tip.

Is FloodGate a free license? Can I obtain it via the UserCenter or should I go via a reseller? (I have no experience yet with CP licensing.)

kind regards,

Kevin
#5
2006-01-24
chillyjim
Senior Member
Join Date: 2005-08-29
Location: Upstate NY
Posts: 1,632

Re: Monitor traffic on my Check Point

Have you tried setting the "track" option on your rules to "account"? That setting will keep track of usage (in bytes) per connection.

FloodGate is included with VPN-1 Pro licenses, but I don't think you need this to monitor traffic, only to control traffic bandwidth (but don't hold me to that).

I've lost track of what does and does not include Monitor these days, but I do know that SmartCenter Pro does.

Check Point does not provide NetFlow tracking of connections through your network, but please feel free to enter a request for enhancement for this ;)

If you want to look at any of these products, call your reseller and have them generate you a demo key.

-jlh
#6
2006-01-25
Huisje
Junior Member
Join Date: 2005-11-10
Posts: 17

Re: Monitor traffic on my Check Point

Hello Jlh,

I haven't yet "really" played with the account option; I am going to look into it further now. I am very green when it comes to Check Point, and when I looked into this a while ago it was mostly the VPN traffic I wanted to have the traffic information on, since all the rest I can monitor/analyse on my WAN device.
I inherited this CP from the previous administrator, and the VPNs were set up with simplified mode and with the "accept all encrypted traffic" option checked.
What this meant was that a rule is automatically created allowing all traffic in both directions of the VPN in question, and you can only choose to put logging on or off as an option of the VPN community in question. To enable accounting you should change the track column in the rulebase to "account", but you're not allowed to do so with an automatically added rule. That's where my quest ended at that time.

But since I now know you can uncheck that "accept all encrypted traffic" and just define yourself in the rulebase what you want to allow over the tunnel, you can also choose to "account" those connections! So I'm definitely going to check this again.

Can anyone shed some light on this and confirm whether it is correct or not that FloodGate is to -control- traffic rather than -monitor-?

Thanks for all the help already!

With kind regards,

Kevin
#7
2006-01-26
chillyjim
Senior Member
Join Date: 2005-08-29
Location: Upstate NY
Posts: 1,632

Re: Monitor traffic on my Check Point
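Once rules are tracked with "account" (as suggested in #5 and planned in #6), the log records carry a byte count per connection, and the "biggest talkers by source, destination or service" view from the first post becomes a matter of summing those counts. The script below is an added example, not code from the thread or from Check Point. It assumes the log has been exported into a semicolon-delimited text file in the style of `fw logexport` (a tool the thread does not mention), and that the export carries `type`, `src`, `dst`, `service` and `bytes` columns; those column names and the sample records are constructed for the example. Plain "log" records have no `bytes` value and are skipped, which is exactly the gap the first post describes.

```python
"""Top-talker report from Check Point accounting log records.

Added example, not from the thread or from Check Point. It assumes the log
has been exported in the semicolon-delimited style of `fw logexport`, and that
the export carries the columns `type`, `src`, `dst`, `service` and `bytes`
(the `bytes` column is only filled on records written by rules whose Track
column is set to Account; plain "log" records carry no byte count).
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export. Hosts, services and byte counts are invented.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;src;dst;proto;service;s_port;bytes
1;24Jan2006;10:00:01;fw-gw;account;accept;10.1.1.5;192.0.2.10;tcp;ftp;3401;52000000
2;24Jan2006;10:00:05;fw-gw;account;accept;10.1.1.7;192.0.2.20;tcp;http;3402;1200000
3;24Jan2006;10:00:09;fw-gw;account;accept;10.1.1.5;192.0.2.20;tcp;http;3403;800000
4;24Jan2006;10:00:12;fw-gw;account;accept;10.1.1.9;192.0.2.30;udp;domain-udp;3404;4000
5;24Jan2006;10:00:15;fw-gw;log;accept;10.1.1.11;192.0.2.40;tcp;http;3405;
6;24Jan2006;10:00:20;fw-gw;account;accept;10.1.1.7;192.0.2.10;tcp;ftp;3406;3000000
"""


def parse_accounting_export(text):
    """Yield one dict per accounting record; connection-only records are skipped."""
    reader = csv.DictReader(StringIO(text), delimiter=";")
    for row in reader:
        # Only Account-tracked rules produce a byte count; a plain log record
        # tells you the connection happened, not how much it moved.
        if row.get("type") != "account":
            continue
        try:
            nbytes = int(row["bytes"])
        except (KeyError, TypeError, ValueError):
            continue
        yield {
            "src": row["src"],
            "dst": row["dst"],
            "service": row["service"],
            "bytes": nbytes,
        }


def top_talkers(records, key, n=5):
    """Sum bytes per value of `key` ('src', 'dst', 'service' or 'pair')."""
    totals = defaultdict(int)
    for rec in records:
        k = f"{rec['src']}->{rec['dst']}" if key == "pair" else rec[key]
        totals[k] += rec["bytes"]
    # Largest first; ties broken by name so the output is stable.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(text, n=5):
    """The three views asked for in the thread: by source, destination and service."""
    records = list(parse_accounting_export(text))
    return {key: top_talkers(records, key, n) for key in ("src", "dst", "service")}


if __name__ == "__main__":
    for key, rows in report(SAMPLE_EXPORT).items():
        print(f"Top talkers by {key}:")
        for name, total in rows:
            print(f"  {name:<28} {total:>12,d} bytes")
```

On the sample data the FTP session from 10.1.1.5 dominates every view, while the "log"-only record for 10.1.1.11 contributes nothing because it has no byte count; on a real export, replace `SAMPLE_EXPORT` with the file contents and check that the column names match your version's export header before trusting the totals.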

Quote:
Originally Posted by Huisje
Can anyone shed some light on this and confirm whether it is correct or not that Floodgate is to -control- traffic rather than -monitor-?
Yes, FloodGate is/was the Check Point QoS product...

Quote:
Originally Posted by http://www.checkpoint.com/products/floodgate-1/index.html
Traffic congestion on your network can be eliminated with FloodGate-1, a policy-based Quality of Service (QoS) solution for VPNs, private WANs, and Internet links. Flood-Gate 1 optimizes network performance by assigning priority to business-critical applications and end users. Employee productivity remains high, your business is properly supported, and online experiences are positive. FloodGate-1 can be deployed with VPN-1/FireWall-1 or act as a standalone solution.