NTA Source Natted

I feel something is strange with NTA on Orion. If we look at the pic below, there is a conversation between 202.46.68.156 and 202.59.xxx.xxx with egress bytes of 11.6 GB. The IP 202.59.xxx.xxx is our public IP, so why is Orion not showing the real client IP?

Then I tried adding another NTA collector and found that this collector shows the real IP (10.107.13.246), as we can see in the pic below.

  • Hi dear,

    I am also facing a similar type of behavior, where Check Point is sending NetFlow data with the public IP configured on the WAN interface towards the public destination. Ideally it should show the endpoint IP that initiated the traffic.

    But the same behavior when I configure a similar setup on a Sophos firewall, where the NetFlow version is v5. This could be a NetFlow version compatibility issue with NTA.

    I can even see the Wireshark packet traces showing the endpoint IP in NetFlow, but I am not sure why NTA is not showing the same.

    Anyone having better visibility, please share.
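
One way to check which source address an exporter is actually sending, independent of what the collector displays (an added example, not part of the thread): decode a NetFlow v5 export datagram and list the records whose source is not an RFC 1918 address. The sample datagram is constructed; 203.0.113.10 and 198.51.100.20 are placeholder addresses, and the parser covers v5 only, not v9 or IPFIX.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src = ipaddress.IPv4Address(f[0])
        flows.append({
            "src": str(src), "dst": str(ipaddress.IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "bytes": f[6],
            "src_rfc1918": is_rfc1918(src),
        })
    return flows

def non_rfc1918_sources(flows):
    """Flows exported with a non-private source (candidates for post-NAT export)."""
    return [f for f in flows if not f["src_rfc1918"]]

def build_sample():
    """Constructed datagram: one flow with the internal client, one with a public source."""
    def rec(src, dst, octets):
        return RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, b"\0" * 4,
                           1, 2, 10, octets, 0, 0, 40000, 443,
                           0, 0x18, 6, 0, 0, 0, 0, 0, 0)
    header = HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
    return (header + rec("10.107.13.246", "198.51.100.20", 1500)
                   + rec("203.0.113.10", "198.51.100.20", 1500))

if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(flow)
```

Feeding it the UDP payload of a captured export packet shows whether the public address is already present in the exported records or only appears in the collector's view.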
