Hello,
I have already configured NetFlow on my Check Point 5800 series and NetFlow seems to be working fine; I can see the Check Point sending data to the collector.
But when I checked in detail, why does NetFlow not send data if the destination is located behind a site-to-site VPN? I can see the Check Point not sending any data for our Azure resources, which use an IPsec site-to-site VPN.
I copied a file from our on-prem server to Azure over a private endpoint and captured the traffic with Wireshark on the collector server, and found no data.
Is the tunnel up? If yes, is this the only thing that's failing?
Andy
Yes, of course the tunnel is up; I generate the traffic by copying a file from on-prem to Azure, and this passes through the VPN tunnel.
Yes, I can see all traffic to the tunnel, but no log on NetFlow.
Wait... to make sure we are on the same page here... are you saying that NetFlow traffic is actually going through the tunnel but you simply canNOT see the log for it, or am I totally mistaken when I say that?
Best,
Andy
Hi..
We can see the log on the Check Point firewall but not on the NetFlow collector.
It might be a simple fix, possibly restarting the collector... have you attempted that?
Best,
Andy
One good command you can also run is below.
Example: say src is 1.1.1.1, dst is 2.2.2.2, dst port is 4434... the order is src ip, src port, dst ip, dst port, protocol:
fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,0,1.1.1.1,4434,0"
Best,
Andy
The traffic is shown in the log; it is only on the NetFlow collector that the traffic is not seen when capturing with Wireshark on the collector.
Are you able to ping the fw from the collector itself?
Best,
Andy
Yes, actually NetFlow is sending data to the collector, but I believe NetFlow does not send all traffic.
So I tested by copying a file from on-prem to Azure and the traffic was not seen by the collector, but if I test by browsing the internet I can see the traffic on the collector.
Only fails via vpn?
Mostly yes. Every day we have a daily backup to Azure and I do not find this log on the collector. Usually on other firewalls we can select which interface NetFlow runs on, but I do not see this on Check Point. Is NetFlow on Check Point enabled on all interfaces, including virtual interfaces like the tunnel?
Well, what interface is it enabled on?
Andy
Apologies, it's been some time since I did this; you are 100% right, just checked it in my lab. Sorry mate, not sure at this point, maybe better to have a TAC case opened, might be worth a remote session to check further.
Best,
Andy
Did you mean Check Point NetFlow has some missing data, or that we can't select which interface NetFlow is enabled on?
I don't believe there is missing data, looks right to me. No, you can't select the interface... k, silly question, but did you make sure the NetFlow collector is part of the enc domain?
Andy
You can also verify it via clish -> show netflow and then Tab for all the options.
Here is the result:
show netflow all
Fw rule: No
Address Port Format Src Addr Enable
10.103.248.55 2055 IPFIX 10.103.253.10 yes
show netflow collector
Collector IP Address 10.103.248.55
Collector UDP Port 2055
Export Format IPFIX
Source Address 10.103.253.10
Enabled yes
show netflow fwrule
FW rule: No
Seems fine. Did you make sure the collector is part of the enc domain?
Andy
OK, did you confirm that the collector is part of the proper VPN enc domain?
Andy
Yes, the collector and the source are in the same subnet. Also, I found something else strange.
My topology is:
If you look at the picture, there are 2 flows with the same source 10.103.248.82 but different destination IPs (172.16.0.196 and 172.16.1.4), and both destinations are 2 different Azure VMs.
The interesting thing is: why for destination 172.16.0.196 is the interface eth2, and for 172.16.1.4 eth1?
Note: the collector can see the traffic for 172.16.0.196 but not for 172.16.1.4.
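The thread's collector-side check (capture on the collector, see whether flows to 172.16.1.4 appear) can be made repeatable by decoding the IPFIX export itself. The following is an added example, not code from this thread or from Check Point: a minimal IPFIX (RFC 7011) parser that learns the template set, decodes the data records, and reports which destinations seen in the firewall log are absent from the export. The packet bytes are constructed inline (template id 256, assumed IANA element ids 1/4/7/8/11/12) and deliberately omit the 172.16.1.4 flow, mirroring the symptom above; on a real collector you would feed it the UDP payload captured on port 2055 instead.

```python
"""Minimal IPFIX (RFC 7011) decoder for checking which flows reached a collector.
Added example; the export packet below is constructed, not captured from a gateway."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Assumed subset of IANA IPFIX information element ids -> names
IE_NAMES = {
    1: "octetDeltaCount",
    4: "protocolIdentifier",
    7: "sourceTransportPort",
    8: "sourceIPv4Address",
    11: "destinationTransportPort",
    12: "destinationIPv4Address",
}


def _decode_field(ie_id: int, raw: bytes):
    """IPv4 elements become dotted strings; everything else is a big-endian integer."""
    if ie_id in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_ipfix(packet: bytes,
                templates: Optional[Dict[int, List[Tuple[int, int]]]] = None) -> List[dict]:
    """Parse one IPFIX UDP payload and return its data records as dicts.
    Templates learned here are kept in `templates`, so a later data-only packet
    from the same exporter can be decoded by passing the same dict again."""
    if templates is None:
        templates = {}
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", packet[:16])
    if version != 10:
        raise ValueError(f"not IPFIX (version {version})")
    flows = []
    offset = 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", packet[offset:offset + 4])
        body = packet[offset + 4:offset + set_len]
        if set_id == 2:  # template set: (template id, field count, (ie id, len)*)
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(count):
                    ie_id, ie_len = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4
                    if ie_id & 0x8000:  # enterprise-specific IE carries a 4-byte PEN
                        pos += 4
                        ie_id &= 0x7FFF
                    fields.append((ie_id, ie_len))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:  # data set for a known template
            fields = templates[set_id]
            rec_len = sum(ie_len for _, ie_len in fields)
            pos = 0
            while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ie_id, ie_len in fields:
                    rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = _decode_field(ie_id, body[pos:pos + ie_len])
                    pos += ie_len
                flows.append(rec)
        offset += set_len  # options templates (set id 3) and unknown sets are skipped
    return flows


def _build_packet(records) -> bytes:
    """Construct an IPFIX message with one template set and one data set (test data)."""
    template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    tmpl_body = struct.pack("!HH", 256, len(template)) + b"".join(
        struct.pack("!HH", ie_id, ie_len) for ie_id, ie_len in template)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl_body)) + tmpl_body
    data_body = b"".join(
        ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        + struct.pack("!HHBQ", sport, dport, proto, octets)
        for src, dst, sport, dport, proto, octets in records)
    data_set = struct.pack("!HH", 256, 4 + len(data_body)) + data_body
    total = 16 + len(tmpl_set) + len(data_set)
    header = struct.pack("!HHIII", 10, total, 1700000000, 1, 1)
    return header + tmpl_set + data_set


# Constructed export: the 172.16.0.196 flow and an internet flow are present,
# the 172.16.1.4 flow (the one that goes through the tunnel) is not.
SAMPLE_EXPORT = _build_packet([
    ("10.103.248.82", "172.16.0.196", 50123, 445, 6, 1_048_576),
    ("10.103.248.82", "8.8.8.8", 50124, 443, 6, 4096),
])


def missing_destinations(packet: bytes, expected: List[str]) -> List[str]:
    """Destinations present in the firewall log (`expected`) but absent from the export."""
    seen = {f["destinationIPv4Address"] for f in parse_ipfix(packet)}
    return [dst for dst in expected if dst not in seen]


if __name__ == "__main__":
    for flow in parse_ipfix(SAMPLE_EXPORT):
        print(flow)
    print("missing:", missing_destinations(SAMPLE_EXPORT, ["172.16.0.196", "172.16.1.4"]))
```

Run against a live capture by reading the UDP payloads of packets to the collector port (2055 in the thread's configuration) and keeping one `templates` dict across packets, since exporters send the template set only periodically; a destination that the gateway logs but that never appears in `parse_ipfix` output is exactly the gap the thread is chasing.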
Is it using the same route? Can you run show route from clish and confirm?
Andy
You can certainly try creating a specific static route to that IP using an interface as the DG, rather than an actual IP, and see if it makes a difference.
i.e. dst 172.16.1.4 default gateway eth2
Best,
Andy
Hi..
Adding the static route is not helping. I think the problem is more specific because of:
So why is there decrypted traffic for some hosts and not for others?