yes of course the tunnel is up, i generate the traffic by copy file from onprem to azure and this will pass thru vpn tunnel.

es, i can see all traffic to the tunnel no log on netflow

Wait...to make sure we are on the same page here...are you saying that netflow traffic is actually going through the tunnel but you siomply canNOT see the log for it or am I totally mistaken when I say that?

Best,

Andy

Hi..

We can see log on the checkpoint firewall but not see on the netflow collector.

It might be simple fix as possibly restarting the collector...have you attempted so?

Best,

Andy

The traffic is shown on the log, just on netflow collector the traffic is unseen by capturing using wireshark on the collector

Are you able to ping the fw from the collector itself?

Best,

Andy

yes, actually the netflow is sending the data to the collector but i believe the netflow not send all traffic.

So i test by copy file from onprem to azure and the traffic not seen by collector, but if i test by browsing to the internet i can see the traffic on the collector.

Only fails via vpn?

Mostly yes, every day we have daily backup to azure and i not find this log on the collector. Usually on other firewall we can select netflow to be running on which interface, but i not see this on checkpoint. Are netflow on checkpoint will enabled on all interface including virtual interface like the tunnel?

Well, what interface is it enabled on?

Andy

You can see on the pic we cant select on which interface will be enabled

Apologies, its been some time since I did this, you are 100% right, just checked it in my lab. Sorry mate, not sure at this point, maybe better have TAC case open, might be worth remote session to check further.

Best,

Andy

did you mean checkpoint netflow have some missing data or we can't selech on which interface netflow can be enabled?

I dont believe there is missing data, looks right to me. No, you cant select the interface...k, silly ?, but did you make sure netflow collector is part of the enc domain?

Andy

You can also verify it via clish -> show netflow and then tab for all the options

Here the result

show netflow all

Fw rule: No
Address Port Format Src Addr Enable
10.103.248.55 2055 IPFIX 10.103.253.10 yes

show netflow collector

Collector IP Address 10.103.248.55
Collector UDP Port 2055
Export Format IPFIX
Source Address 10.103.253.10
Enabled yes

show netflow fwrule

FW rule: No

Seems fine. Did you make sure collector is part of the end domain?

Andy

I checking again and found for all traffic which no "matched rule" tab in the log, this traffic is not seen by collector.

So i don't know why on the log there are traffic with "matched rule" tab and the other is not have

K, did you confirm that collector is part of proper vpn enc domain?

Andy

Yes, the collector and the source in same subnet, also i found strange something else 

My topology is :

1. eth1 is outside interface
2. eth2 is inside interface

if you see on the picture, there are 2 traffic with same source 10.103.248.82 but different destination ip (172.16.0.196 and 172.16.1.4) and both destination indicated 2 different azure VM.

The interesting is why for destination 172.16.0.196 the interface is eth2 and for 172.16.1.4 is eth1?

note : the collector can see the traffic for 172.16.0.196 but not for 172.16.1.4

Is it using same route? Can you run show route from clish and confirm?

Andy

Here my routing, and we can see because 172.16.0.0/24 and 172.16.1.0/24 located behind vpn tunnel so not seen on routing table.

You can certainly try create specific static route to that IP using an interface as DG, rather than actual IP and see if it makes a difference.

ie dst 172.16.1.4 default gateway eth2

Best,

Andy

Hi..

Adding the static route is not helping. I think the problem is more specific because of :

1. When i test copy from 10.103.248.82 to 172.16.1.133 the netflow send the data and on the checkpoint log I can see there are encrypt and decrypt.
2. When i test copy from 10.103.248.82 to 172.16.1.4 the netflow no send the data and on the checkpoint log I can see there are only encrypt and no decrypt traffic.

So why for some hosts there are decrypt traffic and some not have?