https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206998#M39121 <P>K, did you confirm that collector is part of proper vpn enc domain?</P> <P>Andy</P> Fri, 23 Feb 2024 10:05:27 GMT the_rock 2024-02-23T10:05:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206773#M39054 <P>Hello,</P><P>I already configure the netflow on my checkpoint 5800 series and seem the netfow i working fine, i can see the checkpoint send the data to collector.</P><P>But when i check detailly why the netflow not send data if the destination located behind vpn site to site? I can see the checkpoint not send any data to our azure resource which using ipsec vpn site to site.</P><P>I do copy file from our onprem server to azure with private endpoint and capture the traffic using wireshark on collector server and found no data</P> Thu, 22 Feb 2024 04:00:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206773#M39054 handiansudianto 2024-02-22T04:00:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206775#M39055 <P>Is tunnel up? If yes, is this only thing thats failing?</P> <P>Andy</P> Thu, 22 Feb 2024 04:13:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206775#M39055 the_rock 2024-02-22T04:13:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206790#M39057 <P>yes of course the tunnel is up, i generate the traffic by copy file from onprem to azure and this will pass thru vpn tunnel.</P><P>es, i can see all traffic to the tunnel no log on netflow</P> Thu, 22 Feb 2024 05:27:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206790#M39057 handiansudianto 2024-02-22T05:27:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206830#M39067 <P>Wait...to make sure we are on the same page here...are you saying that netflow traffic is actually going through the tunnel but you siomply canNOT see the log for it or am I totally mistaken when I say that?</P> <P>Best,</P> <P>Andy</P> Thu, 22 Feb 2024 13:45:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206830#M39067 the_rock 2024-02-22T13:45:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206899#M39076 <P>One good command you can also do is below</P> <P>example, say src is 1.1.1.1, dst is 2.2.2.2, dst port is 4434...it would go src ip, scr port. dst ip, dst port, protocol</P> <P>fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,0,1.1.1.1,4434,0"</P> <P>Best,</P> <P>Andy</P> Thu, 22 Feb 2024 18:51:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206899#M39076 the_rock 2024-02-22T18:51:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206946#M39104 <P>Hi..</P><P>We can see log on the checkpoint firewall but not see on the netflow collector.</P><P>&nbsp;</P> Fri, 23 Feb 2024 01:43:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206946#M39104 handiansudianto 2024-02-23T01:43:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206947#M39105 <P>The traffic is shown on the log, just on netflow collector the traffic is unseen by capturing using wireshark on the collector</P> Fri, 23 Feb 2024 01:44:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206947#M39105 handiansudianto 2024-02-23T01:44:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206948#M39106 <P>It might be simple fix as possibly restarting the collector...have you attempted so?</P> <P>Best,</P> <P>Andy</P> Fri, 23 Feb 2024 01:44:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206948#M39106 the_rock 2024-02-23T01:44:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206949#M39107 <P>Are you able to ping the fw from the collector itself?</P> <P>Best,</P> <P>Andy</P> Fri, 23 Feb 2024 01:45:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206949#M39107 the_rock 2024-02-23T01:45:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206951#M39108 <P>yes, actually the netflow is sending the data to the collector but i believe the netflow not send all traffic.</P><P>So i test by copy file from onprem to azure and the traffic not seen by collector, but if i test by browsing to the internet i can see the traffic on the collector.</P> Fri, 23 Feb 2024 01:50:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206951#M39108 handiansudianto 2024-02-23T01:50:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206952#M39109 <P>Only fails via vpn?</P> Fri, 23 Feb 2024 01:52:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206952#M39109 the_rock 2024-02-23T01:52:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206954#M39110 <P>Mostly yes, every day we have daily backup to azure and i not find this log on the collector. Usually on other firewall we can select netflow to be running on which interface, but i not see this on checkpoint. Are netflow on checkpoint will enabled on all interface including virtual interface like the tunnel?</P> Fri, 23 Feb 2024 02:02:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206954#M39110 handiansudianto 2024-02-23T02:02:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206956#M39111 <P>Well, what interface is it enabled on?</P> <P>Andy</P> Fri, 23 Feb 2024 02:04:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206956#M39111 the_rock 2024-02-23T02:04:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206957#M39112 <P>You can see on the pic we cant select on which interface will be enabled</P> Fri, 23 Feb 2024 02:07:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206957#M39112 handiansudianto 2024-02-23T02:07:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206961#M39113 <P>Apologies, its been some time since I did this, you are 100% right, just checked it in my lab. Sorry mate, not sure at this point, maybe better have TAC case open, might be worth remote session to check further.</P> <P>Best,</P> <P>Andy</P> Fri, 23 Feb 2024 02:30:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206961#M39113 the_rock 2024-02-23T02:30:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206962#M39114 <P>did you mean checkpoint netflow have some missing data or we can't selech on which interface netflow can be enabled?</P> Fri, 23 Feb 2024 02:34:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206962#M39114 handiansudianto 2024-02-23T02:34:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206963#M39115 <P>I dont believe there is missing data, looks right to me. No, you cant select the interface...k, silly ?, but did you make sure netflow collector is part of the enc domain?</P> <P>Andy</P> Fri, 23 Feb 2024 02:37:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206963#M39115 the_rock 2024-02-23T02:37:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206967#M39116 <P>You can also verify it via clish -&gt; show netflow and then tab for all the options</P> Fri, 23 Feb 2024 02:53:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206967#M39116 the_rock 2024-02-23T02:53:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206974#M39117 <P>Here the result</P><P>show netflow all</P><P><STRONG>Fw rule: No</STRONG><BR /><STRONG>Address Port Format Src Addr Enable</STRONG><BR /><STRONG>10.103.248.55 2055 IPFIX 10.103.253.10 yes</STRONG></P><P>show netflow collector</P><P><STRONG>Collector IP Address 10.103.248.55</STRONG><BR /><STRONG>Collector UDP Port 2055</STRONG><BR /><STRONG>Export Format IPFIX</STRONG><BR /><STRONG>Source Address 10.103.253.10</STRONG><BR /><STRONG>Enabled yes</STRONG></P><P>show netflow fwrule</P><P><STRONG>FW rule: No</STRONG></P> Fri, 23 Feb 2024 03:59:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206974#M39117 handiansudianto 2024-02-23T03:59:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206975#M39118 <P>Seems fine. Did you make sure collector is part of the end domain?</P> <P>Andy</P> Fri, 23 Feb 2024 04:02:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Netflow-IPSec/m-p/206975#M39118 the_rock 2024-02-23T04:02:36Z