Using Monitor Mode

Configure Monitor Mode on Security Gateway interfaces, to monitor traffic from a mirror port or span port on a switch. Use Monitor Mode to analyze network traffic without changing the production environment. The mirror port on a switch duplicates the network traffic and sends it to the monitor interface on the gateway to record the activity logs.

You can use mirror ports:

• To monitor the use of applications as a permanent part of your deployment
• To evaluate the capabilities of the Application Control and IPS blades before you buy them

The mirror port does not enforce a policy or run active operations (prevent, drop, reject) on network traffic. It can be used only to evaluate the monitoring and detecting capabilities of the Software Blades. All duplicated packets that arrive at the monitor interface of the gateway are terminated and will not be forwarded. The Security Gateway does not send traffic through the monitor interface.

For more information, see:

• R80.10 Gaia Administration Guide > Chapter Network Management > Section Network Interfaces > Subsection Physical Interfaces.
• sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.

Configuring Monitor Mode

You can configure a mirror or TAP port to duplicate network traffic that is sent to a Security Gateway. The gateway inspects the traffic but does not drop packets.

Connect the Security Gateway to a mirror port on the switch that duplicates the ports and VLANs.

Item	Description
1	Switch with mirror port
2	Computers
3	Servers
4	Security Gateway in monitor mode
5	Management for Security Gateway

Note - Make sure that one mirror port on the switch is connected to one interface on the Security Gateway.

To enable Monitor Mode on the Security Gateway from the Gaia Portal:

1. From the navigation tree, click Network Management > Network Interfaces.
2. Select the interface and click Edit.
3. Click the Ethernet tab and check Monitor Mode.
4. Click OK.

To enable monitor mode on the Security Gateway from the Gaia Clish:

# set interface <interface name> monitor-mode on

Supported Software Blades for Monitor Mode

These Software Blades support Monitor mode for Security Gateway deployment:

Supported Blade	Supports Gateways in Monitor Mode	Supports Virtual System in Monitor Mode
Firewall	Yes	Yes
IPS	Yes	Yes
URL Filtering	Yes	Yes
DLP	Yes	No
Anti-Bot	Yes	Yes
Application Control	Yes	Yes
Identity Awareness	Yes	No
Threat Emulation	Yes	Yes

Unsupported Software Blades for Monitor Mode

These features, Software Blades, and deployments are not supported in Monitor mode:

• NAT
• IPsec VPN
• HTTPS Inspection
• Mobile Access
• DLP with FTP
• HTTP/HTTPS proxy
• Anti-Spam and Email Security
• QoS
• Traditional Anti-Virus
• User Authentication
• Client Authentication

Unsupported Deployments for Monitor Mode

These are deployments do not support Monitor Mode:

• Access to Portals
• Multiple TAP interfaces when the same traffic is monitored