Title: Scrutinizer
1. Scrutinizer Firewalls
- A basic overview to help first-time NetFlow users.
2. Overview
- This document has been created to help customers and evaluators understand how NetFlow data in Scrutinizer should be read when dealing with a firewall that is masquerading IP addresses.
- What port to open up, if necessary.
3. The Firewall and NetFlow
[Diagram: Internet, NetFlow Router, Firewall, Switch for DMZ and Switch, End Systems plug in here (10.1.1.X); a second router link labelled "Another Network, No NetFlow Active"]
Viewing Data On An External Router Behind a Firewall
When viewing the NetFlow data in Scrutinizer, the firewall will likely show up on all interfaces of the router. This is because every host leaving the LAN for the Internet, or for a host on the DMZ, has its IP address masqueraded by the firewall. In other words, the firewall replaces the original end system IP address with its own IP. By default, the NetFlow router sends NetFlow on UDP port 2055.
4. The Firewall and NetFlow
[Diagram: NetFlow Router with Int 7 (Internet), Int 2 (Another Network, No NetFlow Active) and Int 3 (216.204.147.5, shared by both the router and the firewall); Firewall, Switch for DMZ (10.1.1.254) and Switch, End Systems plug in here (10.1.1.X); NetFlow Data from 3 Interfaces]
More on IP Masquerading
The firewall replaces all the original end system IP addresses (e.g. 10.1.1.X) with its own IP (216.204.147.5). Scrutinizer must receive NetFlow from an internal router/switch to display individual end system traffic.
5. The Firewall and NetFlow
[Diagram: NetFlow Router, Firewall, Switch for DMZ and an internal NetFlow-capable Switch (10.1.1.6), End Systems plug in here (10.1.1.X); NetFlow Data from 11 Interfaces]
View End System Traffic via an Internal NetFlow-Capable Switch/Router
Once Scrutinizer starts receiving NetFlow from an internal router/switch, the IPs are no longer masqueraded by the firewall. Scrutinizer will display the top internal (i.e. 10.1.1.X) end systems causing traffic per interface.
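The difference between slides 4 and 5 can be shown with a small NetFlow v5 decoder and a per-interface top-talker aggregation. This is an added example, not code from Plixer or from Scrutinizer. The NetFlow v5 header and record layouts are the standard ones; the UDP port and the addresses 216.204.147.5 and 10.1.1.X come from the slides, while the destination addresses, interface indices, octet counts and host numbers are constructed sample data.

```python
import struct
import socket
from collections import defaultdict

NETFLOW_PORT = 2055  # default UDP port the NetFlow router exports to (from the slides)

# Standard NetFlow v5 layouts: 24-byte header, 48-byte flow records, network byte order.
HEADER_FMT = ">HHIIIIBBH"
RECORD_FMT = ">IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def build_v5_packet(records):
    """Build a v5 export datagram from (src_ip, dst_ip, in_if, out_if, octets) tuples.

    Constructed test data only: a real exporter also fills uptime, timestamps,
    ports, AS numbers and masks, which are zeroed here (protocol is set to TCP).
    """
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(
            RECORD_FMT,
            int.from_bytes(socket.inet_aton(src), "big"),
            int.from_bytes(socket.inet_aton(dst), "big"),
            0, in_if, out_if, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0,
        )
        for src, dst, in_if, out_if, octets in records
    )
    return header + body


def parse_v5_packet(data):
    """Decode a v5 datagram (as received on UDP 2055) into a list of flow dicts."""
    version, count = struct.unpack_from(">HH", data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(f[0].to_bytes(4, "big")),
            "dst": socket.inet_ntoa(f[1].to_bytes(4, "big")),
            "in_if": f[3],
            "out_if": f[4],
            "octets": f[6],
        })
    return flows


def top_sources_per_interface(flows, n=3):
    """Sum octets by (input interface, source IP) and keep the top n sources per interface."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["in_if"]][f["src"]] += f["octets"]
    return {
        iface: sorted(hosts.items(), key=lambda kv: kv[1], reverse=True)[:n]
        for iface, hosts in totals.items()
    }


FIREWALL_IP = "216.204.147.5"  # the firewall's own address, as on slide 4

# Slide 4: the external router only ever sees the firewall's masqueraded address.
# (constructed: interface 3 faces the firewall, interface 7 faces the Internet)
EXTERNAL_ROUTER_EXPORT = build_v5_packet([
    (FIREWALL_IP, "198.51.100.10", 3, 7, 500_000),
    (FIREWALL_IP, "203.0.113.20", 3, 7, 120_000),
    (FIREWALL_IP, "198.51.100.10", 3, 7, 80_000),
])

# Slide 5: the internal switch exports flows before masquerading, so real hosts appear.
# (constructed: switch port 5 is the LAN side, port 1 the uplink to the firewall)
INTERNAL_SWITCH_EXPORT = build_v5_packet([
    ("10.1.1.17", "198.51.100.10", 5, 1, 500_000),
    ("10.1.1.42", "203.0.113.20", 5, 1, 120_000),
    ("10.1.1.17", "198.51.100.10", 5, 1, 80_000),
    ("10.1.1.9", "203.0.113.20", 5, 1, 20_000),
])


def external_view():
    return top_sources_per_interface(parse_v5_packet(EXTERNAL_ROUTER_EXPORT))


def internal_view():
    return top_sources_per_interface(parse_v5_packet(INTERNAL_SWITCH_EXPORT))


if __name__ == "__main__":
    print("External router:", external_view())   # only 216.204.147.5 shows up
    print("Internal switch:", internal_view())   # individual 10.1.1.X end systems show up
```

Running the script shows the external router's export collapsing to a single source (the firewall) regardless of how many LAN hosts generated the traffic, while the internal switch's export breaks the same traffic down by 10.1.1.X host. The same aggregation is what lets a collector listening on UDP 2055 name the real top talkers once an internal exporter is added.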
6. Need Help?
- If you are having trouble understanding your data, contact your distributor.
- http://www.plixer.com/partners/worldwide_distributors.php