Configuring a Single Security Gateway in Monitor Mode

Important:

For Cloud-based services (for example, Social Network widgets and URL Filtering), you must connect the Security Gateway in Monitor Mode to the Internet.
You must install valid license and contracts file on the Security Gateway in Monitor Mode.

Workflow:

Note - This procedure applies to both Check Point Appliances and Open Servers.

Install the Security Gateway.
Configure the Monitor Mode interface - in Gaia Portal, or Gaia Clish.
Configure the Security Gateway in SmartConsole - in Wizard Mode, or Classic Mode.
Configure the Security Gateway to process packets that arrive in the wrong order.
Configure the required Global Properties for the Security Gateway in SmartConsole
Configure the required Access Control policy for the Security Gateway in SmartConsole.
Make sure the Security Gateway enabled the Monitor Mode for Software Blades.
Connect the Security Gateway to the switch.

Step 1 of 8: Install the Security Gateway

Step	Description
1	Install the Gaia Operating System: Installing the Gaia Operating System on a Check Point Appliance Installing the Gaia Operating System on an Open Server
2	Run the Gaia First Time Configuration Wizard.
3	During the First Time Configuration Wizard, you must configure these settings: In the Management Connection window, select the interface, through which you connect to Gaia operating system. In the Internet Connection window, do not configure IP addresses. In the Installation Type window, select Security Gateway and/or Security Management. In the Products window: In the Products section, select Security Gateway only. In the Clustering section, clear Unit is a part of a cluster, type. In the Dynamically Assigned IP window, select No. In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step

Description

Install the Gaia Operating System:

Run the Gaia First Time Configuration Wizard.

During the First Time Configuration Wizard, you must configure these settings:

In the Management Connection window, select the interface, through which you connect to Gaia operating system.
In the Internet Connection window, do not configure IP addresses.
In the Installation Type window, select Security Gateway and/or Security Management.
In the Products window:
1. In the Products section, select Security Gateway only.
2. In the Clustering section, clear Unit is a part of a cluster, type.
In the Dynamically Assigned IP window, select No.
In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step 2 of 8: Configure the Monitor Mode interface in Gaia Portal

Step	Description
1	In your web browser, connect to the Gaia Portal on the Security Gateway.
2	In the left navigation tree, click Network Management > Network Interfaces.
3	Select the applicable physical interface from the list and click Edit.
4	Select the Enable option to set the interface status to UP.
5	In the Comment field, enter the applicable comment text (up to 100 characters).
6	On the IPv4 tab, select Use the following IPv4 address, but do not enter an IPv4 address.
7	On the IPv6 tab, select Use the following IPv6 address, but do not enter an IPv6 address. Important - This setting is available only after you enable the IPv6 Support in Gaia and reboot.
8	On the Ethernet tab: Select Auto Negotiation, or select a link speed and duplex setting from the list. In the Hardware Address field, enter the Hardware MAC address (if not automatically received from the NIC). Caution: Do not manually change the MAC address unless you are sure that it is incorrect or has changed. An incorrect MAC address can lead to a communication failure. In the MTU field, enter the applicable Maximum Transmission Unit (MTU) value (minimal value is 68, maximal value is 16000, and default value is 1500). Select Monitor Mode.
9	Click OK.

Step 2 of 8: Configure the Monitor Mode interface in Gaia Clish

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to Gaia Clish.
3	Examine the configuration and state of the applicable physical interface: `show interface <`Name of Physical Interface`>`
4	If the applicable physical interface has an IP address assigned to it, remove it: `delete interface <`Name of Physical Interface`> ipv4-address` `delete interface <`Name of Physical Interface`> ipv6-address`
5	Enable the Monitor Mode on the physical interface: `set interface <`Name of Physical Interface`> monitor-mode on`
6	Configure other applicable settings on the Monitor Mode interface: set interface <Name of Physical Interface> auto-negotiation {on \| off} comments "Text" link-speed {10M/half \| 10M/full \| 100M/half \| 100M/full \| 1000M/full} mtu <68-16000 \| 1280-16000> rx-ringsize <0-4096> tx-ringsize <0-4096>
7	Examine the configuration and state of the Monitor Mode interface: `show interface <`Name of Physical Interface`>`
8	Save the configuration: `save config`

Step 3 of 8: Configure the Security Gateway in SmartConsole - Wizard Mode

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway.
2	From the left navigation panel, click Gateways & Servers.
3	Create a new Security Gateway object in one of these ways: From the top toolbar, click the New () > Gateway. In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway. In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4	In the Check Point Security Gateway Creation window, click Wizard Mode.
5	On the General Properties page: In the Gateway name field, enter the desired name for this Security Gateway object. In the Gateway platform field, select the correct hardware type. In the Gateway IP address section, select Static IP address and configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses. Click Next.
6	On the Trusted Communication page: Select the applicable option: If you selected Initiate trusted communication now, enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. If you selected Skip and initiate trusted communication later, make sure to follow Step 7. Click Next.
7	On the End page: Examine the Configuration Summary. Select Edit Gateway properties for further configuration. Click Finish. Check Point Gateway properties window opens on the General Properties page.
8	If during the Wizard Mode, you selected Skip and initiate trusted communication later: The Secure Internal Communication field shows `Uninitialized`. Click Communication. In the Platform field: Select Open server / Appliance for all Check Point appliances models except 1100, 1200R, and 1400. Select Open server / Appliance for an Open Server. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. Click Initialize. Make sure the Certificate state field shows `Established`. Click OK.
9	On the Network Security tab, make sure to enable only the Firewall Software Blade. Important - Do not select anything on the Management tab.
10A	On the Network Management page: Click Get Interfaces > Get Interfaces With Topology. Confirm the interfaces information.
10B	Select the Monitor Mode interface and click Edit. Configure these settings: Click the General page. In the General section, enter a random IPv4 address. Important - This random IPv4 address must not conflict with existing IPv4 addresses on your network. In the Topology section: Click Modify. In the Leads To section, select Not defined (Internal). In the Security Zone section, select According to topology: Internal Zone. Click OK to close the Topology Settings window. Click OK to close the Interface window.
11	Click OK.
12	Publish the SmartConsole session.
13	This Security Gateway object is now ready to receive the Security Policy.

Step 3 of 8: Configure the Security Gateway in SmartConsole - Classic Mode

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway.
2	From the left navigation panel, click Gateways & Servers.
3	Create a new Security Gateway object in one of these ways: From the top toolbar, click the New () > Gateway. In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway. In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4	In the Check Point Security Gateway Creation window, click Classic Mode. Check Point Gateway properties window opens on the General Properties page.
5	In the Name field, enter the desired name for this Security Gateway object.
6	In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.
7	Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway: Near the Secure Internal Communication field, click Communication. In the Platform field: Select Open server / Appliance for all Check Point appliances models except 1100, 1200R, and 1400. Select Open server / Appliance for an Open Server. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. Click Initialize. Click OK.
	If the Certificate state field does not show `Established`, perform these steps: Connect to the command line on the Security Gateway. Make sure there is a physical connectivity between the Security Gateway and the Management Server (for example, pings can pass). Run: `cpconfig` Enter the number of this option: `Secure Internal Communication`. Follow the instructions on the screen to change the Activation Key. In the SmartConsole, click Reset. Enter the same Activation Key you entered in the `cpconfig` menu. Click Initialize.
8	In the Platform section, select the correct options: In the Hardware field: If you install the Security Gateway on a Check Point Appliance, select the correct appliances series. If you install the Security Gateway on an Open Server, select Open server. In the Version field, select R80.30. In the OS field, select Gaia.
9	On the Network Security tab, make sure to enable only the Firewall Software Blade. Important - Do not select anything on the Management tab.
10A	On the Network Management page: Click Get Interfaces > Get Interfaces With Topology. Confirm the interfaces information.
10B	Select the Monitor Mode interface and click Edit. Configure these settings: Click the General page. In the General section, enter a random IPv4 address. Important - This random IPv4 address must not conflict with existing IPv4 addresses on your network. In the Topology section: Click Modify. In the Leads To section, select Not defined (Internal). In the Security Zone section, select According to topology: Internal Zone. Click OK to close the Topology Settings window. Click OK to close the Interface window.
11	Click OK.
12	Publish the SmartConsole session.

Step 4 of 8: Configure the Security Gateway to process packets that arrive in the wrong order

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Expert mode.
3	Modify the `$FWDIR/boot/modules/fwkern.conf` file.
3A	Back up the current `$FWDIR/boot/modules/fwkern.conf` file: `cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}` Important - If this file does not exist, create it: `touch $FWDIR/boot/modules/fwkern.conf`
3B	Edit the current `$FWDIR/boot/modules/fwkern.conf` file: `vi $FWDIR/boot/modules/fwkern.conf` Important - This configuration file does not support spaces or comments.
3C	Add this line to enable the Passive Streaming Layer (PSL) Tap Mode: `psl_tap_enable=1`
3D	Add this line to enable the Firewall Tap Mode: `fw_tap_enable=1`
3E	Save the changes in the file and exit the Vi editor.
4	Modify the `$PPKDIR/conf/simkern.conf` file.
4A	Back up the current `$PPKDIR/conf/simkern.conf` file: `cp -v $PPKDIR/conf/simkern.conf{,_BKP}` Important - If this file does not exist, create it: `touch $PPKDIR/conf/simkern.conf`
4B	Edit the current `$PPKDIR/conf/simkern.conf` file: `vi $PPKDIR/conf/simkern.conf` Important - This configuration file does not support spaces or comments.
4C	Add this line to enable the Firewall Tap Mode: `fw_tap_enable=1`
4D	Save the changes in the file and exit the Vi editor.
5	Reboot the Security Gateway.
6	Make sure the Security Gateway loaded the new configuration: `fw ctl get int psl_tap_enable` `fw ctl get int fw_tap_enable`

Notes:

This configuration helps the Security Gateway process packets that arrive in the wrong or abnormal order (for example, TCP [SYN-ACK] arrives before TCP [SYN]).
This configuration helps the Security Gateway work better for the first 10-30 minutes when it processes connections, in which the TCP [SYN] packets did not arrive.
This configuration is also required when you use a TAP device or Mirror / Span ports with separated TX/RX queues.
This configuration will make the Mirror Port on Security Gateway work better for the first 10-30 minutes when processing connections, in which the TCP "SYN" packet did not arrive.
It is not possible to set the value of the kernel parameters psl_tap_enable and fw_tap_enable on-the-fly with the fw ctl set int <parameter> command (Issue ID 02386641).

Step 5 of 8: Configure the required Global Properties for the Security Gateway in SmartConsole

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.
2	In the top left corner, click Menu > Global properties.
3A	Click the Stateful Inspection pane.
3B	In the Default Session Timeouts section: Change the value of the TCP session timeout from the default 3600 to 60 seconds. Change the value of the TCP end timeout from the default 20 to 5 seconds.
3C	In the Out of state packets section, you must clear all the boxes. Otherwise, the Security Gateway drops the traffic as out of state (because the traffic does not pass through the Security Gateway, it does not record the state information for the traffic).
4A	Click the Advanced page > Configure button.
4B	Click FireWall-1 > Stateful Inspection.
4C	Clear reject_x11_in_any.
4D	Click OK to close the Advanced Configuration window.
5	Click OK to close the Global Properties window.
6	Publish the SmartConsole session.

Step 6 of 8: Configure the required Access Control policy for the Security Gateway in SmartConsole

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.
2	From the left navigation panel, click Security Policies.
3	Create a new policy and configure the applicable layers: At the top, click the + tab (or press CTRL T). On the Manage Policies tab, click Manage policies and layers. In the Manage policies and layers window, create a new policy and configure the applicable layers. Click Close. On the Manage Policies tab, click the new policy you created.
4	Create the Access Control rule that accepts all traffic: Source - `Any` Destination* - `Any` VPN* - `Any` Services & Applications* - `Any` Action* - `Accept` Install On - Object of Security Gateway in Monitor Mode
5	We recommend these Aggressive Aging settings for the most common TCP connections: In the SmartConsole, click Objects menu > Object Explorer. Open Services and select TCP. Search for the most common TCP connections in this network. Double-click the applicable TCP service. From the left tree, click Advanced. At the top, select Override default settings (on Domain Management Server, select Override global domain settings). Select Match for 'Any'. In the Aggressive aging section: Select Enable aggressive aging. Select Specific and enter 60. Click OK. Close the Object Explorer.
6	Publish the SmartConsole session.
7	Install the Access Control Policy on the Security Gateway object.

Step 7 of 8: Make sure the Security Gateway enabled the Monitor Mode for Software Blades

Step

Description

Connect to the command line on the Security Gateway.

Make sure the parameter fw_span_port_mode is part of the installed policy:

grep -A 3 -r fw_span_port_mode $FWDIR/state/local/*

The returned output must show :val (true).

Step 8 of 8: Connect the Security Gateway to the switch

Connect the Monitor Mode interface of the Security Gateway to the mirror or SPAN port on the switch.

For more information, see the: