Deploying a Security Gateway in Monitor Mode

In This Section: Example Monitor Mode topology Supported Software Blades in Monitor Mode Limitations in Monitor Mode Configuring a Single Security Gateway in Monitor Mode Configuring a Single VSX Gateway in Monitor Mode Configuring Specific Software Blades for Monitor Mode

You can configure Monitor Mode on a Check Point Security Gateway interface. This lets the Check Point Security Gateway listen to traffic from a Mirror Port or Span Port on a connected switch. Use the Monitor Mode to analyze network traffic without changing the production environment. The mirror port on a switch duplicates the network traffic and sends it to the Security Gateway with an interface in Monitor Mode to record the activity logs.

You can use the Monitor Mode:

• To monitor the use of applications as a permanent part of your deployment
• To evaluate the capabilities of the Software Blades:
  • The Security Gateway neither enforces any security policy, nor performs any active operations (prevent/drop/reject) on the interface in the Monitor Mode.
  • The Security Gateway terminates and does not forward all packets that arrive at the interface in the Monitor Mode.
  • The Security Gateway does not send any traffic through the interface in the Monitor Mode.

Benefits of the Monitor Mode include:

• There is no risk to your production environment.
• It requires minimal set-up configuration.
• It does not require TAP equipment, which is expensive.

Example Monitor Mode topology

Item	Description
1	Switch with a mirror or SPAN port that duplicates all incoming and outgoing packets. The Security Gateway connects to a mirror or SPAN port on the switch.
2	Servers.
3	Clients.
4	Security Gateway with an interface in Monitor Mode.
5	Security Management Server that manages the Security Gateway.

Supported Software Blades in Monitor Mode

This table lists Software Blades, features, and their support for the Monitor Mode in a single Security Gateway deployment.

Important - Check Point Cluster does not support the Monitor Mode.

Software Blade	Support for the Monitor Mode
Firewall	Fully supports the Monitor Mode
IPS	These protections and features do not work: 'SYN Attack' protection (SYNDefender) 'Initial Sequence Number (ISN) Spoofing' protection 'Send error page' action in Web Intelligence protections Client/Server notifications about connection termination
Application Control	UserCheck is not supported
URL Filtering	UserCheck is not supported
Data Loss Prevention	These are not supported: UserCheck 'Prevent' and 'Ask User' actions - these are automatically demoted to 'Inform User' action FTP inspection
Identity Awareness	These are not supported: Captive Portal Identity Agent
Threat Emulation	The Emulation Connection Prevent Handling Modes "Background" and "Hold" are not supported. See sk106119.
Anti-Bot	Fully supports the Monitor Mode
Anti-Virus	Fully supports the Monitor Mode
IPsec VPN	Does not support the Monitor Mode
Mobile Access	Does not support the Monitor Mode
HTTPS Inspection	Does not support the Monitor Mode
Anti-Spam	Does not support the Monitor Mode
QoS	Does not support the Monitor Mode

For more information, see sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.

Limitations in Monitor Mode

These features, Software Blades and deployments are not supported in Monitor Mode:

• Passing production traffic through a Security Gateway, on which you configured Monitor Mode interface(s).
• If you configure more than one Monitor Mode interface on a Security Gateway, you must make sure the Security Gateway does not receive the same traffic on the different Monitor Mode interfaces.
• NAT rules.
• HTTP / HTTPS proxy.
• Anti-Virus in Traditional Mode.
• User Authentication.
• Client Authentication.
• Check Point Active Streaming (CPAS).
• Cluster deployment.
• CloudGuard Gateways.
• CoreXL Dynamic Dispatcher (sk105261)

For more information, see sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.