Setting up a Mirror Port

In This Section: Technical Requirements Configuring a Mirror Port

You can configure a mirror port on a Check Point gateway to monitor and analyze network traffic with no effect on your production environment. The mirror port duplicates the network traffic and records the activity in logs.

You can use mirror ports:

• As a permanent part of your deployment, to monitor the use of applications in your organization.
• As an evaluation tool to see the capabilities of the Application Control and IPS blades before you decide to purchase them.

The mirror port does not enforce a Policy and therefore you can only use it to see the monitoring and detecting capabilities of the blades.

Benefits of a mirror port include:

• There is no risk to your production environment.
• It requires minimal set-up configuration.
• It does not require TAP equipment, which is much more expensive.

Technical Requirements

You can configure a mirror port on gateways with:

• SecurePlatform 32 bit or 64 bit.
• Check Point version R75 and higher.

Mirror ports are not supported with:

• Management servers- you can only configure it on a gateway
• HTTPS inspection
• NAT of any kind
• Clusters
• IPS protections that are performance critical
• Legacy User Authority features - you cannot have Authentication (Client, Session, or User) in the Action column of the Firewall Rule Base.

Configuring a Mirror Port

This section assumes basic knowledge of how to configure a SPAN port in a Cisco switch, or the equivalent in a Nortel switch.

To use the mirror port, you need a Check Point deployment that includes a Security Management Server, a gateway, and a SmartDashboard. For more about evaluating Check Point products or setting up the mirror port, contact your Check Point representative.

Connecting the Gateway to the Traffic

To connect the Security Gateway to your network traffic:

Configure a SPAN port on a switch that your network traffic travels through, and connect it with a cable to an interface of a Check Point gateway machine. After you configure the interface as a mirror port, all of the traffic on the switch is duplicated and sent through this interface.

Configuring the Interface as a Mirror Port

To set the connected interface as mirror port

1. In the command line of the Security Gateway, run: sysconfig.
2. Select Network Connections.
3. Select Configure Connections.
4. Select the interface that should be configured as mirror-port. This is the one that you connected.
5. Select Define as connected to a mirror port.
6. Enable the Application Control blade in SmartDashboard. You can also enable the IPS blade to see IPS traffic. If you only want to enable the IPS blade, you must activate at least one HTTP protection.
7. Install the Policy.

Checking that it Works

To make sure the mirror port is configured and connected properly:

• Browse to an internet site, such as Google.
• Open SmartView Tracker. You should see traffic of the blade you enabled.

Removing the Mirror Port

To remove the mirror port from the interface:

1. In the command line of the Security Gateway, run: sysconfig.
2. Select Network Connections.
3. Select Configure Connections.
4. Select the interface that you want to remove the mirror-port from.
5. Select Remove the connection to the mirror port.
6. Install the Policy.