Configuring Specific Software Blades for Monitor Mode

In This Section:

Configuring the Threat Prevention Software Blades for Monitor Mode

Configuring the Application Control and URL Filtering Software Blades for Monitor Mode

Configuring the Data Loss Prevention Software Blade for Monitor Mode

Configuring the Security Gateway in Monitor Mode Behind a Proxy Server

This section shows how to configure specific Software Blades for Monitor Mode.

Note - For VSX, see:

Configuring the Threat Prevention Software Blades for Monitor Mode

Configure the settings below, if you enabled one of the Threat Prevention Software Blades (IPS, Anti-Bot, Anti-Virus, Threat Emulation or Threat Extraction) on the Security Gateway in Monitor Mode:

Step

Description

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.

2

From the left navigation panel, click Security Policies > Threat Prevention.

3

Create the Threat Prevention rule that accepts all traffic:

  • Protected Scope - *Any
  • Protection/Site/File/Blade - -- N/A
  • Action - Desired Profile (we recommend the Optimized profile)
  • Track - Log, Packet Capture (the Packet Capture setting is optional)

4

Right-click the selected Threat Prevention profile and click Edit.

5A

Click the General Policy page.

5B

In the Blades Activation section, select the desired Software Blades.

5C

In the Activation Mode section:

  • In the High Confidence field, select Detect.
  • In the Medium Confidence field, select Detect.
  • In the Low Confidence field, select Detect.

6A

Click the Anti-Virus page.

6B

In the Protected Scope section, select Inspect incoming and outgoing files.

6C

In the File Types section:

  • Select Process all file types.
  • Optional: Select Enable deep inspection scanning (impacts performance).

6D

Optional: In the Archives section, select Enable Archive scanning (impacts performance).

7A

Click the Threat Emulation page > General.

7B

In the Protected Scope section, select Inspect incoming files from the following interfaces and in the field, select All.

8

Configure other desired settings for the Software Blades.

9

Click OK.

10

Install the Threat Prevention Policy on the Security Gateway object.

For more information:

See the R80.20 Threat Prevention Administration Guide.

Configuring the Application Control and URL Filtering Software Blades for Monitor Mode

Configure the settings below, if you enabled the Application Control or URL Filtering Software Blade on the Security Gateway in Monitor Mode:

Step

Description

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.

2

From the left navigation panel, click Manage & Settings > Blades.

3

In the Application Control & URL Filtering section, click Advanced Settings.

The Application Control & URL Filtering Settings window opens.

4

On the General page:

  • In the Fail mode section, select Allow all requests (fail-open).
  • In the URL Filtering section, select Categorize HTTPS websites.

5

On the Check Point online web service page:

  • In the Website categorization mode section, select Background.
  • Select Categorize social networking widgets.

6

Click OK to close the Application Control & URL Filtering Settings window.

7

Install the Access Control Policy on the Security Gateway object.

For more information, see the:

Configuring the Data Loss Prevention Software Blade for Monitor Mode

Configure the settings below, if you enabled the Data Loss Prevention Software Blade on the Security Gateway in Monitor Mode:

Step

Description

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.

2

From the left navigation panel, click Manage & Settings > Blades.

3

In the Data Loss Prevention section, click Configure in SmartDashboard.

The SmartDashboard window opens.

4A

Click the My Organization page.

4B

In the Email Addresses or Domains section, configure the full list of the company's domains.

There is no need to include subdomains (for example, mydomain.com, mydomain.uk).

4C

In the Networks section, select Anything behind the internal interfaces of my DLP gateways.

4D

In the Users section, select All users.

5

Click the Policy page.

Configure the applicable rules:

  • In the Data column, right-click the pre-defined data types and select Edit.
    • On the General Properties page, in the Flag field, select Improve Accuracy.
    • In the Customer Names data type, we recommend that you add the company's real customer names.
  • In the Action column, you must select Detect.
  • In the Severity column, select Critical or High in all applicable rules.
  • You may choose to disable/delete rules that are not applicable to the company or reduce the Severity of these rules.

Note - Before you can configure the DLP rules, you must configure the applicable objects in SmartConsole.

6

Click the Additional Settings > Protocols page.

Configure these settings:

  • In the Email section, select SMTP (Outgoing Emails).
  • In the Web section, select HTTP. Do not configure HTTPS.
  • In the File Transfer section, do not select FTP.

7

Click Launch Menu > File > Update (or press CTRL+S).

8

Close the SmartDashboard.

9

Install the Access Control Policy on the Security Gateway object.

10

Make sure that SMTP Mirror Port Mode is enabled on the Security Gateway:

  1. Connect to the command line on the Security Gateway.
  2. Log in to the Expert mode.
  3. Run this command:

    # dlp_smtp_mirror_port status

  4. Make sure the value of the kernel parameter dlp_force_smtp_kernel_inspection is set to 1 (one).

    Run these two commands:

    # fw ctl get int dlp_force_smtp_kernel_inspection

    # grep dlp_force_smtp_kernel_inspection $FWDIR/boot/modules/fwkern.conf
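
The two commands in item 4 answer different questions: the first reads the running kernel, the second shows whether the parameter is set in fwkern.conf, which is loaded at boot. The script below is an added example, not Check Point code, that compares both so a value that would be lost on reboot is noticed. It assumes `fw ctl get int` prints `name = value` and fwkern.conf holds `name=value` lines; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): confirm dlp_force_smtp_kernel_inspection
# is 1 in the running kernel AND in fwkern.conf, so it survives a reboot.

PARAM=dlp_force_smtp_kernel_inspection

# Print the numeric value assigned to $PARAM in the given text.
# Accepts "name = 1" (assumed fw ctl output) and "name=1" (assumed fwkern.conf).
# Lines that do not start with the parameter name are ignored.
param_value() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*'"$PARAM"'[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Classify the gateway state from the two command outputs:
#   ok            active now and set in fwkern.conf
#   runtime-only  active now, but not set to 1 in fwkern.conf
#   boot-only     set in fwkern.conf, but not active in the running kernel
#   disabled      not set to 1 in either place
check_state() {
    rt=$(param_value "$1")
    boot=$(param_value "$2")
    if [ "$rt" = 1 ] && [ "$boot" = 1 ]; then
        echo ok
    elif [ "$rt" = 1 ]; then
        echo runtime-only
    elif [ "$boot" = 1 ]; then
        echo boot-only
    else
        echo disabled
    fi
}

if command -v fw >/dev/null 2>&1 && [ -n "${FWDIR:-}" ]; then
    # On the gateway (Expert mode): use the same two commands as item 4.
    rt_out=$(fw ctl get int "$PARAM" 2>/dev/null || true)
    conf_out=$(grep "$PARAM" "$FWDIR/boot/modules/fwkern.conf" 2>/dev/null || true)
else
    # Off the gateway: constructed sample output, not captured from a real system.
    rt_out="$PARAM = 1"
    conf_out="$PARAM=1"
fi
echo "$PARAM: $(check_state "$rt_out" "$conf_out")"
```

Any result other than `ok` means one of the two checks in item 4 did not return 1.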

For more information:

See the R80.20 Data Loss Prevention Administration Guide.

Configuring the Security Gateway in Monitor Mode Behind a Proxy Server

If you connect a Proxy Server between the Security Gateway in Monitor Mode and the switch, then configure these settings to see Source IP addresses and Source Users in the Security Gateway logs:

Step

Description

1

On the Proxy Server, configure the X-Forwarded-For (XFF) header.

See the applicable documentation for your Proxy Server.

2

On the Security Gateway in Monitor Mode, enable the stripping of the X-Forward-For (XFF) field.

Follow the sk100223: How to enable stripping of X-Forward-For (XFF) field.