This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
B_P
Advisor
‎2019-08-26 08:55 AM

R80.30 Netflow Setup

Pre R80.10 Netflow worked fine.

Now on R80.30 I have two flows that are identical -- but one only shows Outbound and the other only shows Inbound BUT -- and this is perplexing -- it is the exact same traffic for both inbound and outbound flows -- i.e. source and destination are the same.

Yes.. let that simmer for a while.

I have one rule that's configured on the firewall and it's a rule that a lot of web traffic hits on.

I'm using ManageEngine's Netflow Analyzer.

For this traffic, I would expect there should be one flow and it should include both inbound and outbound traffic on the one interface (the internal interface it's hitting).

0 Kudos
34 Replies
Ilya_Yusupov
Employee
Employee
‎2019-08-26 11:49 PM

Hi,

 

Is your rule contain Accounting? if not please add it and re-check since in R80.30 to see netflow you need to enable accounting on the rule.

 

Thansk,

Ilya 

0 Kudos
B_P
Advisor
‎2019-08-27 07:44 AM
In response to Ilya_Yusupov

@Ilya_Yusupov -- would I be receiving any netflows if it did not already include accounting?
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-08-27 07:59 AM
In response to B_P

Depends on your RB, might be you have APPI layer which Accounting is enabled so you are getting info on this one.

0 Kudos
B_P
Advisor
‎2019-08-27 08:18 AM
In response to Ilya_Yusupov

No, we have one unified policy (layered).

B_P
Advisor
‎2019-08-30 12:26 PM

bump

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-08-30 09:21 PM
In response to B_P

Is the traffic NATED? i tried to see in my lab if i replicate the issue, currently without any success.

 

 

B_P
Advisor
‎2019-08-31 09:53 AM
In response to Ilya_Yusupov

Yes, it is NAT'd.. outbound.

0 Kudos
Steve_Payne1
Contributor
‎2019-11-20 02:01 AM
In response to B_P

so i have netflow issues with r80.30  too

i had all interfaces showing with netflow on my netflow box.,  now im on r80.30  i didnt get anything,

 

so enabled accounting on a few rules that are logging, but now on my netflow box the MGMT port is the only port showing netflow, but i get 1 or 2 packets.  checked firewalls between and get the odd packet come through,

 

so annoying!.

Ilya_Yusupov
Employee
Employee
‎2019-11-23 11:29 PM
In response to Steve_Payne1

Hi,

 

There are several issues that we identify in Netflow in R80.30, the outbound issue was found and RnD working on the fix

so once we validate the fix we will push it to our next JHF, if you wish to get the fix before the JHF please open a ticket and share it with me.

 

Regarding the VRRP issue, there is a general issue with accounting in VRRP topology so we are working with RnD also to identify the RCA and fix it, once we will have a fix we will push it as well to our next JHF, this explain why Netflow is not working on VRRP as there is no accounting.

 

i will update once all the above will be fixed.

 

Thanks,

Ilya 

Steve_Payne1
Contributor
‎2019-11-25 01:00 AM
In response to Ilya_Yusupov

thanks for the update on VRRP

 

will await an update on this

 

 

B_P
Advisor
‎2019-11-25 06:57 AM
In response to Ilya_Yusupov

Thanks for the update. Looking forward to the fix and getting Netflow working again.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-12-08 01:26 AM
In response to B_P

we have a fixes for Netflow issues, we are pushing them to be included to next JHF's meanwhile if you want to get them immediately you can open TAC case for a port fix.

 

Thanks,

Ilya   

Steve_Payne1
Contributor
‎2019-12-09 12:27 AM
In response to Ilya_Yusupov

as i have a case open, do i  get this?

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-12-09 01:40 AM
In response to Steve_Payne1

@Steve_Payne1  - I will try to push those fixes together with the VRRP fix in your case.

Steve_Payne1
Contributor
‎2020-01-08 06:52 AM
In response to Ilya_Yusupov

is there any news on this fix?

Ilya_Yusupov
Employee
Employee
‎2020-01-08 07:17 AM
In response to Steve_Payne1

Not included in JHF yet but the fixes exist, if you need it immediately please open TAC case and we will port it.

 

i'm pushing it to get them into a JHF. 

Roger_Norton
Participant
‎2020-03-30 09:01 AM
In response to Ilya_Yusupov

Has the JHF now been published?
EspenH
Participant
‎2020-04-28 06:21 AM
In response to Roger_Norton

Any news about this?

Ilya_Yusupov
Employee
Employee
‎2020-04-28 12:29 PM
In response to EspenH

Hi,

 

There is on-going R80.30 JHF 195 which include the fixes.

 

Thanks,

Ilya 

Steve_Payne1
Contributor
‎2020-04-29 01:50 AM
In response to Ilya_Yusupov

hi, good news, when is that being released?
0 Kudos
B_P
Advisor
‎2020-07-13 08:45 AM
In response to Ilya_Yusupov

I'm on R80.40 JHF Take 48 and am still seeing multiple interfaces with nearly identical traffic. Inbound/outbound is still messed up.

0 Kudos
Steve_Payne1
Contributor
‎2020-08-19 01:38 AM
In response to Ilya_Yusupov

any news on the fix,  the JHF didnt fix it, so netflow still doesnt work with r80.30 and VRRP

TestAccount
Explorer
‎2020-08-10 03:09 AM

Hi.

Any updates? We have same issue...

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-08-20 05:45 AM
In response to TestAccount

hi @TestAccount ,

 

The issue is not in Netflow as all fixes already included in JHF but there was an issue in accounting log in VRRP which fixed in JHF 210.

0 Kudos
B_P
Advisor
‎2020-08-20 07:17 AM
In response to Ilya_Yusupov

@Ilya_Yusupov, sk159432 does not describe the issue I am experiencing.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-08-20 07:21 AM
In response to B_P

@B_P ,

 

what is the issue you experiencing? 

0 Kudos
B_P
Advisor
‎2020-08-20 07:24 AM
In response to Ilya_Yusupov

Please see the original post, thanks.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-08-20 07:27 AM
In response to B_P

@B_P ,

 

But this was fixed and integrated to JHF, are you saying you still see an issue?

if yes can you share JHF that you are using?

 

My answer was to @TestAccount  as i understand in his case Netflow is not working at all which may indicate to issue in the SK.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top