Hello,
I already configured NetFlow on my Check Point 5800 series and NetFlow seems to be working fine; I can see the Check Point sending the data to the collector.
But when I checked in detail why NetFlow does not send data when the destination is located behind a site-to-site VPN, I can see the Check Point does not send any data for our Azure resource, which uses an IPsec site-to-site VPN.
I copied a file from our on-prem server to Azure over a private endpoint and captured the traffic using Wireshark on the collector server, and found no data.
Is the tunnel up? If yes, is this the only thing that's failing?
Andy
Yes, of course the tunnel is up; I generate the traffic by copying a file from on-prem to Azure and this passes through the VPN tunnel.
Yes, I can see all the traffic to the tunnel, but no log on NetFlow.
Wait... to make sure we are on the same page here... are you saying that NetFlow traffic is actually going through the tunnel but you simply canNOT see the log for it, or am I totally mistaken when I say that?
Best,
Andy
Hi..
We can see the log on the Check Point firewall but not on the NetFlow collector.
It might be a simple fix, such as restarting the collector... have you attempted that?
Best,
Andy
One good command you can also use is below.
For example, say src is 1.1.1.1, dst is 2.2.2.2, dst port is 4434... the order is src ip, src port, dst ip, dst port, protocol:
fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,0,1.1.1.1,4434,0"
Best,
Andy
The traffic is shown in the log, but on the NetFlow collector the traffic is not seen when capturing with Wireshark on the collector.
Are you able to ping the FW from the collector itself?
Best,
Andy
Yes, actually NetFlow is sending the data to the collector, but I believe NetFlow is not sending all traffic.
So I tested by copying a file from on-prem to Azure and the traffic was not seen by the collector, but if I test by browsing to the internet I can see the traffic on the collector.
Does it only fail via VPN?
Mostly yes. Every day we have a daily backup to Azure and I do not find this log on the collector. Usually on other firewalls we can select which interface NetFlow runs on, but I do not see this on Check Point. Will NetFlow on Check Point be enabled on all interfaces, including virtual interfaces like the tunnel?
Well, what interface is it enabled on?
Andy
Apologies, it's been some time since I did this; you are 100% right, I just checked it in my lab. Sorry mate, not sure at this point, maybe better to have a TAC case open, might be worth a remote session to check further.
Best,
Andy
Did you mean Check Point NetFlow has some missing data, or that we can't select which interface NetFlow is enabled on?
I don't believe there is missing data, looks right to me. No, you can't select the interface... OK, silly question, but did you make sure the NetFlow collector is part of the enc domain?
Andy
You can also verify it via clish -> show netflow and then tab for all the options.
Here is the result:
show netflow all
Fw rule: No
Address Port Format Src Addr Enable
10.103.248.55 2055 IPFIX 10.103.253.10 yes
show netflow collector
Collector IP Address 10.103.248.55
Collector UDP Port 2055
Export Format IPFIX
Source Address 10.103.253.10
Enabled yes
show netflow fwrule
FW rule: No
Seems fine. Did you make sure the collector is part of the enc domain?
Andy
OK, did you confirm that the collector is part of the proper VPN enc domain?
Andy
Yes, the collector and the source are in the same subnet. Also, I found something else strange.
My topology is:
If you look at the picture, there are 2 flows with the same source 10.103.248.82 but different destination IPs (172.16.0.196 and 172.16.1.4), and both destinations are 2 different Azure VMs.
The interesting thing is: why for destination 172.16.0.196 is the interface eth2, and for 172.16.1.4 it is eth1?
Note: the collector can see the traffic for 172.16.0.196 but not for 172.16.1.4.
Is it using the same route? Can you run show route from clish and confirm?
Andy
You can certainly try creating a specific static route to that IP using an interface as the gateway, rather than an actual IP, and see if it makes a difference.
i.e. dst 172.16.1.4, default gateway eth2
Best,
Andy
Hi..
Adding the static route is not helping. I think the problem is more specific because of:
So why is there decrypted traffic for some hosts and not for others?
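The check the thread performs by hand (firewall log shows the connection, collector capture does not) can be scripted: compare accepted connections from the firewall log against the 5-tuples the collector received and group the gaps by egress interface, which makes a per-interface or per-tunnel export gap (eth1 here) stand out. This is an added example, not code from the thread or from Check Point; the key=value log lines and the collector CSV are constructed and simplified, not real product output.

```python
"""Added example: find firewall-logged connections the NetFlow collector never saw."""
from collections import defaultdict

# Constructed firewall log lines in key=value form (simplified, not real Check Point output).
FW_LOGS = """\
src=10.103.248.82 dst=172.16.0.196 sport=51234 dport=445 proto=tcp ifname=eth2 action=Accept
src=10.103.248.82 dst=172.16.1.4 sport=51235 dport=445 proto=tcp ifname=eth1 action=Accept
src=10.103.248.90 dst=172.16.1.4 sport=51236 dport=22 proto=tcp ifname=eth1 action=Accept
src=10.103.248.82 dst=8.8.8.8 sport=51237 dport=443 proto=tcp ifname=eth0 action=Accept
src=10.103.248.82 dst=172.16.1.4 sport=51238 dport=445 proto=tcp ifname=eth1 action=Drop
"""

# Constructed CSV export from the collector: src,dst,sport,dport,proto (one flow per line).
COLLECTOR_FLOWS = """\
10.103.248.82,172.16.0.196,51234,445,tcp
10.103.248.82,8.8.8.8,51237,443,tcp
"""


def parse_fw_logs(text):
    """Yield one dict per accepted connection; dropped traffic is not expected to be exported."""
    for line in text.splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        if rec.get("action") == "Accept":
            yield rec


def parse_collector(text):
    """Return the set of 5-tuples the collector actually received."""
    flows = set()
    for line in text.splitlines():
        src, dst, sport, dport, proto = line.split(",")
        flows.add((src, dst, int(sport), int(dport), proto))
    return flows


def find_unexported(fw_logs, collector_csv):
    """Map egress interface -> accepted 5-tuples the collector never saw."""
    seen = parse_collector(collector_csv)
    missing = defaultdict(list)
    for rec in parse_fw_logs(fw_logs):
        key = (rec["src"], rec["dst"], int(rec["sport"]), int(rec["dport"]), rec["proto"])
        if key not in seen:
            missing[rec["ifname"]].append(key)
    return dict(missing)


if __name__ == "__main__":
    for ifname, flows in find_unexported(FW_LOGS, COLLECTOR_FLOWS).items():
        print(f"{ifname}: {len(flows)} accepted connection(s) not exported")
        for flow in flows:
            print("   ", flow)
```

With the constructed data, only eth1 (the interface the 172.16.1.4 traffic leaves on) shows unexported connections, which is the pattern the thread describes.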