Netflow IPSec
Hello,
I already configured NetFlow on my Check Point 5800 series and it seems NetFlow is working fine; I can see the Check Point sending the data to the collector.
But when I checked in detail, why does NetFlow not send data if the destination is located behind a site-to-site VPN? I can see the Check Point does not send any data for our Azure resources, which use an IPsec site-to-site VPN.
I copied a file from our on-prem server to Azure via a private endpoint and captured the traffic using Wireshark on the collector server, and found no data.
Is the tunnel up? If yes, is this the only thing that's failing?
Andy
Yes, of course the tunnel is up. I generate the traffic by copying a file from on-prem to Azure, and this passes through the VPN tunnel.
Yes, I can see all traffic to the tunnel, but no log on NetFlow.
Wait... to make sure we are on the same page here... are you saying that netflow traffic is actually going through the tunnel but you simply canNOT see the log for it, or am I totally mistaken when I say that?
Best,
Andy
Hi,
We can see the log on the Check Point firewall but not on the NetFlow collector.
It might be a simple fix, possibly restarting the collector... have you attempted that?
Best,
Andy
One good command you can also run is below.
For example, say src is 1.1.1.1, dst is 2.2.2.2, dst port is 4434... the filter goes src ip, src port, dst ip, dst port, protocol (0 is a wildcard), with a second filter for the return direction:
fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,4434,1.1.1.1,0,0"
Best,
Andy
The traffic is shown in the log; it is only on the NetFlow collector that the traffic is unseen when capturing with Wireshark on the collector.
Are you able to ping the fw from the collector itself?
Best,
Andy
Yes, actually NetFlow is sending the data to the collector, but I believe NetFlow does not send all traffic.
So I tested by copying a file from on-prem to Azure and the traffic was not seen by the collector, but if I test by browsing the internet I can see the traffic on the collector.
Only fails via VPN?
Mostly yes. Every day we have a daily backup to Azure and I don't find this log on the collector. Usually on other firewalls we can select on which interface NetFlow runs, but I don't see this on Check Point. Is NetFlow on Check Point enabled on all interfaces, including virtual interfaces like the tunnel?
Well, what interface is it enabled on?
Andy
You can see in the pic that we can't select on which interface it will be enabled.
Apologies, it's been some time since I did this; you are 100% right, just checked it in my lab. Sorry mate, not sure at this point, maybe better to have a TAC case open; might be worth a remote session to check further.
Best,
Andy
Did you mean Check Point NetFlow has some missing data, or that we can't select on which interface NetFlow can be enabled?
I don't believe there is missing data, looks right to me. No, you can't select the interface... k, silly question, but did you make sure the netflow collector is part of the enc domain?
Andy
You can also verify it via clish -> show netflow and then tab for all the options.
Here is the result:
show netflow all
Fw rule: No
Address Port Format Src Addr Enable
10.103.248.55 2055 IPFIX 10.103.253.10 yes
show netflow collector
Collector IP Address 10.103.248.55
Collector UDP Port 2055
Export Format IPFIX
Source Address 10.103.253.10
Enabled yes
show netflow fwrule
FW rule: No
Seems fine. Did you make sure the collector is part of the enc domain?
Andy
K, did you confirm that the collector is part of the proper VPN enc domain?
Andy
Yes, the collector and the source are in the same subnet. Also, I found something else strange.
My topology is:
- eth1 is the outside interface
- eth2 is the inside interface
If you look at the picture, there are 2 flows with the same source 10.103.248.82 but different destination IPs (172.16.0.196 and 172.16.1.4), and the two destinations are 2 different Azure VMs.
The interesting thing is: why for destination 172.16.0.196 is the interface eth2, and for 172.16.1.4 is it eth1?
Note: the collector can see the traffic for 172.16.0.196 but not for 172.16.1.4.
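The check the OP is doing with Wireshark, confirming whether a given destination ever appears in the IPFIX records the collector receives (the export format shown in the show netflow output above), can be scripted. The following is an added example, not code from this thread or from Check Point: a minimal IPFIX parser (RFC 7011 message header and template sets, information element IDs from RFC 7012) run over a constructed export message that is assumed rather than captured from the gateway; the source host and the Azure VM that did show up are taken from the thread, and 203.0.113.10 stands in for an internet destination.

```python
import socket
import struct

# IPFIX (RFC 7012) information element IDs used by the constructed template below.
IE_PROTOCOL, IE_SRC_IPV4, IE_DST_IPV4 = 4, 8, 12

def parse_ipfix(pkt: bytes) -> list:
    """Parse one IPFIX message into a list of {element_id: value} records: message header,
    template sets (set ID 2) and the data sets that reference them (no options/enterprise IEs)."""
    version, msg_len = struct.unpack_from("!HH", pkt, 0)
    if version != 10:
        raise ValueError(f"not IPFIX (version {version})")
    templates, records, off = {}, [], 16           # 16-byte message header
    while off + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", pkt, off)
        body, end = off + 4, off + set_len
        if set_id == 2:                                 # template set
            while body + 4 <= end:
                tid, count = struct.unpack_from("!HH", pkt, body)
                body += 4
                templates[tid] = [struct.unpack_from("!HH", pkt, body + 4 * i) for i in range(count)]
                body += 4 * count
        elif set_id >= 256 and set_id in templates:     # data set for a known template
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and body + rec_len <= end:    # stops at trailing padding
                rec = {}
                for eid, flen in fields:
                    raw = pkt[body:body + flen]
                    rec[eid] = socket.inet_ntoa(raw) if eid in (IE_SRC_IPV4, IE_DST_IPV4) and flen == 4 else int.from_bytes(raw, "big")
                    body += flen
                records.append(rec)
        off = end
    return records

def destinations_seen(msg: bytes) -> set:
    """Destination IPs present in the flow records the collector received."""
    return {r[IE_DST_IPV4] for r in parse_ipfix(msg) if IE_DST_IPV4 in r}

def missing_destinations(msg: bytes, expected) -> set:
    """Destinations the gateway log shows but the collector never received a record for."""
    return set(expected) - destinations_seen(msg)

def build_sample_message() -> bytes:
    """Constructed IPFIX export (not captured from a real gateway): one template and two TCP
    flows from 10.103.248.82, to the Azure VM seen in the thread and to an internet address."""
    template = struct.pack("!10H", 2, 20, 256, 3, IE_SRC_IPV4, 4, IE_DST_IPV4, 4, IE_PROTOCOL, 1)
    flows = [("10.103.248.82", "172.16.0.196", 6), ("10.103.248.82", "203.0.113.10", 6)]
    recs = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + bytes([p]) for s, d, p in flows)
    data = struct.pack("!HH", 256, 4 + len(recs)) + recs
    # header: version 10, total length, export time, sequence number, observation domain ID
    return struct.pack("!HHIII", 10, 16 + len(template) + len(data), 0, 0, 0) + template + data
```

Feeding the UDP payloads from a collector-side capture into parse_ipfix, then calling missing_destinations with the hosts seen in the gateway log, reproduces the comparison the OP made by hand.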
Is it using the same route? Can you run show route from clish and confirm?
Andy
Here is my routing, and we can see that because 172.16.0.0/24 and 172.16.1.0/24 are located behind the VPN tunnel, they are not seen in the routing table.
You can certainly try creating a specific static route to that IP using an interface as the DG, rather than an actual IP, and see if it makes a difference.
i.e. dst 172.16.1.4, default gateway eth2
Best,
Andy
Hi,
Adding the static route is not helping. I think the problem is more specific, because:
- When I test copying from 10.103.248.82 to 172.16.1.133, NetFlow sends the data and in the Check Point log I can see there are both encrypt and decrypt entries.
- When I test copying from 10.103.248.82 to 172.16.1.4, NetFlow does not send the data and in the Check Point log I can see there is only encrypt and no decrypt traffic.
So why is there decrypt traffic for some hosts and not for others?