Mirror and Decrypt

The Mirror and Decrypt feature performs these actions on Security Groups:

| Action | Instructions |
|---|---|
| Mirror only of all traffic | Security Groups clone all traffic (including HTTPS, without decryption) that passes through them and send it out of the designated physical interface. |
| Mirror and Decrypt of HTTPS traffic | Security Groups clone all HTTPS traffic that passes through them, decrypt it, and send it in clear text out of the designated physical interface. |

Note - If you wish to decrypt the HTTPS traffic, you must enable and configure the HTTPS Inspection feature on the Security Groups.

You can add a third-party Recorder or Packet-Broker in your environment and forward to it the traffic that passes through Security Groups.

This Recorder or Packet-Broker must work in monitor (promiscuous) mode to accept the decrypted and mirrored traffic from Security Groups.

Security Groups work only with one Recorder, which is directly connected to a designated physical network interface (NIC) on the Security Groups.

Example Topology and Traffic Flow:

| Item | Description |
|---|---|
| 1 | First network that sends and receives traffic through the Security Group (2). |
| 2 | Security Group, through which networks (1) and (3) send and receive their traffic. |
| 3 | Second network that sends and receives traffic through the Security Group (2). |
| 4 | Designated physical interface on the Security Group (2). |
| 5 | Recorder or Packet-Broker that works in monitor (promiscuous) mode. |
| A | Traffic flow between the first network (1) and the Security Group (2). |
| B | Traffic flow between the second network (3) and the Security Group (2). |
| C | Flow of the decrypted and mirrored traffic from the Security Group (2) to the Recorder or Packet-Broker (5). |

Source MAC address of the decrypted and mirrored packets

| Traffic | Source MAC address of the decrypted and mirrored packets the Security Group sends |
|---|---|
| Mirror only of all traffic | MAC address of the designated physical interface. |
| Mirror and Decrypt of HTTPS traffic | 00:00:00:00:00:00 |
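As an added example (not Check Point's code), a recorder-side check that applies the source-MAC convention from the table above to separate decrypted clear-text HTTPS copies from plain mirror copies in a capture, so the clear-text frames can be stored and access-controlled separately. The designated-interface MAC and the sample frames are constructed placeholders.

```python
import struct
from collections import Counter

# Per the page: decrypted-and-mirrored HTTPS packets carry source MAC 00:00:00:00:00:00,
# plain mirror copies carry the MAC of the designated physical interface.
DECRYPTED_SRC_MAC = "00:00:00:00:00:00"
DESIGNATED_IF_MAC = "00:1c:7f:aa:bb:cc"  # constructed placeholder, not a real interface
ETH_HDR = struct.Struct("!6s6sH")
ETHERTYPE_VLAN = 0x8100

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(frame):
    """Return (kind, src_mac, ethertype); kind is 'decrypted', 'mirror' or 'unknown'."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    _dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype == ETHERTYPE_VLAN:  # mirrored copy kept its 802.1Q tag
        if len(frame) < ETH_HDR.size + 4:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack_from("!H", frame, ETH_HDR.size + 2)[0]
    src_mac = mac_str(src)
    if src_mac == DECRYPTED_SRC_MAC:
        kind = "decrypted"  # clear-text HTTPS: treat as sensitive data on the recorder
    elif src_mac == DESIGNATED_IF_MAC:
        kind = "mirror"     # unmodified copy of the original packet
    else:
        kind = "unknown"    # did not come from the Security Group's designated interface
    return kind, src_mac, etype

def summarize(frames):
    """Count frame kinds across a capture."""
    return Counter(classify_frame(f)[0] for f in frames)

def build_frame(src_mac, etype, vlan=None):
    """Build a constructed sample frame with a zero payload (no real traffic)."""
    src = bytes(int(x, 16) for x in src_mac.split(":"))
    hdr = ETH_HDR.pack(b"\x00\x50\x56\x00\x00\x01", src, ETHERTYPE_VLAN if vlan is not None else etype)
    if vlan is not None:
        hdr += struct.pack("!HH", vlan, etype)
    return hdr + b"\x00" * 46

SAMPLE_FRAMES = [
    build_frame(DECRYPTED_SRC_MAC, 0x0800),          # decrypted HTTPS copy
    build_frame(DESIGNATED_IF_MAC, 0x0800, vlan=10),  # plain mirror copy, VLAN-tagged
    build_frame("de:ad:be:ef:00:01", 0x0806),         # stray ARP frame from another source
]
```

Frames classified as "unknown" indicate something other than the Security Group is reaching the recorder's promiscuous interface, which is worth alerting on.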