Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
handiansudianto
Collaborator

Netflow IPSec

Hello,

I already configure the netflow on my checkpoint 5800 series and seem the netfow i working fine, i can see the checkpoint send the data to collector.

But when i check detailly why the netflow not send data if the destination located behind vpn site to site? I can see the checkpoint not send any data to our azure resource which using ipsec vpn site to site.

I do copy file from our onprem server to azure with private endpoint and capture the traffic using wireshark on collector server and found no data

0 Kudos
26 Replies
the_rock
Legend
Legend

Is tunnel up? If yes, is this only thing thats failing?

Andy

0 Kudos
handiansudianto
Collaborator

yes of course the tunnel is up, i generate the traffic by copy file from onprem to azure and this will pass thru vpn tunnel.

es, i can see all traffic to the tunnel no log on netflow

0 Kudos
the_rock
Legend
Legend

Wait...to make sure we are on the same page here...are you saying that netflow traffic is actually going through the tunnel but you siomply canNOT see the log for it or am I totally mistaken when I say that?

Best,

Andy

0 Kudos
handiansudianto
Collaborator

Hi..

We can see log on the checkpoint firewall but not see on the netflow collector.

 

0 Kudos
the_rock
Legend
Legend

It might be simple fix as possibly restarting the collector...have you attempted so?

Best,

Andy

0 Kudos
the_rock
Legend
Legend

One good command you can also do is below

example, say src is 1.1.1.1, dst is 2.2.2.2, dst port is 4434...it would go src ip, scr port. dst ip, dst port, protocol

fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,0,1.1.1.1,4434,0"

Best,

Andy

0 Kudos
handiansudianto
Collaborator

The traffic is shown on the log, just on netflow collector the traffic is unseen by capturing using wireshark on the collector

0 Kudos
the_rock
Legend
Legend

Are you able to ping the fw from the collector itself?

Best,

Andy

0 Kudos
handiansudianto
Collaborator

yes, actually the netflow is sending the data to the collector but i believe the netflow not send all traffic.

So i test by copy file from onprem to azure and the traffic not seen by collector, but if i test by browsing to the internet i can see the traffic on the collector.

0 Kudos
the_rock
Legend
Legend

Only fails via vpn?

0 Kudos
handiansudianto
Collaborator

Mostly yes, every day we have daily backup to azure and i not find this log on the collector. Usually on other firewall we can select netflow to be running on which interface, but i not see this on checkpoint. Are netflow on checkpoint will enabled on all interface including virtual interface like the tunnel?

0 Kudos
the_rock
Legend
Legend

Well, what interface is it enabled on?

Andy

0 Kudos
handiansudianto
Collaborator

You can see on the pic we cant select on which interface will be enabled

0 Kudos
the_rock
Legend
Legend

Apologies, its been some time since I did this, you are 100% right, just checked it in my lab. Sorry mate, not sure at this point, maybe better have TAC case open, might be worth remote session to check further.

Best,

Andy

0 Kudos
handiansudianto
Collaborator

did you mean checkpoint netflow have some missing data or we can't selech on which interface netflow can be enabled?

0 Kudos
the_rock
Legend
Legend

I dont believe there is missing data, looks right to me. No, you cant select the interface...k, silly ?, but did you make sure netflow collector is part of the enc domain?

Andy

0 Kudos
the_rock
Legend
Legend

You can also verify it via clish -> show netflow and then tab for all the options

0 Kudos
handiansudianto
Collaborator

Here the result

show netflow all

Fw rule: No
Address Port Format Src Addr Enable
10.103.248.55 2055 IPFIX 10.103.253.10 yes

show netflow collector

Collector IP Address 10.103.248.55
Collector UDP Port 2055
Export Format IPFIX
Source Address 10.103.253.10
Enabled yes

show netflow fwrule

FW rule: No

0 Kudos
the_rock
Legend
Legend

Seems fine. Did you make sure collector is part of the end domain?

Andy

0 Kudos
handiansudianto
Collaborator

I checking again and found for all traffic which no "matched rule" tab in the log, this traffic is not seen by collector.

So i don't know why on the log there are traffic with "matched rule" tab and the other is not have

0 Kudos
the_rock
Legend
Legend

K, did you confirm that collector is part of proper vpn enc domain?

Andy

0 Kudos
handiansudianto
Collaborator

Yes, the collector and the source in same subnet, also i found strange something else 

My topology is :

  1. eth1 is outside interface
  2. eth2 is inside interface

if you see on the picture, there are 2 traffic with same source 10.103.248.82 but different destination ip (172.16.0.196 and 172.16.1.4) and both destination indicated 2 different azure VM.

The interesting is why for destination 172.16.0.196 the interface is eth2 and for 172.16.1.4 is eth1?

note : the collector can see the traffic for 172.16.0.196 but not for 172.16.1.4

0 Kudos
the_rock
Legend
Legend

Is it using same route? Can you run show route from clish and confirm?

Andy

0 Kudos
handiansudianto
Collaborator

Here my routing, and we can see because 172.16.0.0/24 and 172.16.1.0/24 located behind vpn tunnel so not seen on routing table.

0 Kudos
the_rock
Legend
Legend

You can certainly try create specific static route to that IP using an interface as DG, rather than actual IP and see if it makes a difference.

ie dst 172.16.1.4 default gateway eth2

Best,

Andy

0 Kudos
handiansudianto
Collaborator

Hi..

Adding the static route is not helping. I think the problem is more specific because of :

  1. When i test copy from 10.103.248.82 to 172.16.1.133 the netflow send the data and on the checkpoint log I can see there are encrypt and decrypt.
  2. When i test copy from 10.103.248.82 to 172.16.1.4 the netflow no send the data and on the checkpoint log I can see there are only encrypt and no decrypt traffic.

So why for some hosts there are decrypt traffic and some not have?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events