Configuring Mirror and Decrypt in SmartConsole for Several Virtual Systems

Workflow for several Virtual Systems:

1. Enable the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. in the objects of applicable Virtual Systems (for decrypting the HTTPS traffic).

   Procedure

   Step	Instructions
   a	Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
   b	From the left navigation panel, click Gateways & Servers.
   c	Open the Virtual System object.
   d	From the navigation tree, click HTTPS Inspection.
   e	View and export the certificate.
   f	Check Enable HTTPS Inspection.
   g	Click OK.

2. Configure the HTTPS Inspection Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. (for decrypting the HTTPS traffic).

   Procedure

   Step	Instructions
   a	From the left navigation panel, click Security Policies.
   b	From the left tree, click HTTPS Inspection.
   d	Configure the HTTPS Inspection Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base. See R80.40 Security Management Administration Guide. For more settings, in the HTTPS Tools section, click Additional Settings.
   e	Publish the SmartConsole session.

3. Define the designated physical interface as VLAN Trunk in the object of the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., or VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

   Procedure

   Note - If the Recorder or Packet-Broker connects to the VSX Gateway, or VSX Cluster members through a Switch, configure a VLAN Trunk on the applicable Switch port. The VLAN Trunk port on the Switch must accept all VLAN IDs that you configure in the applicable Virtual Systems.

   Step	Instructions
   1	In SmartConsole, open the object of the VSX Gateway, or VSX Cluster.
   2	From the navigation tree, click Physical Interfaces.
   3	Check the box VLAN Trunk near the designated physical interface.
   4	Click OK.

4. Add the designated physical interface in the object of each applicable Virtual System.

   Procedure

   Step	Instructions
   a	In SmartConsole, open the Virtual System object.
   b	From the navigation tree, click Topology.
   c	From the top toolbar, click New > Regular.
   d	On the General tab: In the Interface field, select the designated physical interface. In the IPv4 Configuration section: In the IP Address field, enter a dummy IP address. In the Net Mask field, enter the applicable net mask. Important - This IP address cannot collide with other IP addresses used in your environment. This IP address cannot belong to subnets used in your environment. Make sure to configure the correct subnet mask. After you enable traffic mirroring on this interface in SmartConsole, all other traffic that is routed to this interface is dropped. Do not check the Propagate route to adjacent Virtual Devices (IPv4). In the MTU field, enter the applicable MTU. See Mirror and Decrypt Requirements. In the Security Zone field, leave the default None. Click OK.

5. Activate the Mirror and Decrypt in the object of each applicable Virtual System.

   Procedure

   Step	Instructions
   a	From the left navigation panel, click Gateways & Servers.
   b	Open the Virtual System object.
   c	From the left tree, click the [+] near the Other and click Mirror and Decrypt.
   d	Check Mirror gateway traffic to interface. The Mirror and Decrypt - User Disclaimer window opens. Read the text carefully. Check I agree to the terms and conditions. Click OK to accept and close the disclaimer.
   e	In the Mirror gateway traffic to interface field, select the designated physical interface.
   f	Click OK to save the changes and close the Virtual System properties window.

6. Configure the Mirror and Decrypt rules in the Access Control Policy for the traffic you wish to mirror and decrypt.

   Procedure

   >	Best Practice - We recommend you to configure a new separate Access Control Layer to contain Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base.

   Important - When you configure the Mirror and Decrypt rules, these limitations apply: In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF., Service matched by IP Protocol, Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT.. Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness. You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.

   The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer:

   Step	Instructions
   a	From the left navigation panel, click Security Policies.
   b	Create a new Access Control Layer in the Access Control Policy.
   c	In SmartConsole top left corner, click Menu > Manage policies and layers.
   d	Select the existing policy and click Edit (the pencil icon). Alternatively, create a new policy.
   e	From the navigation tree of the Policy window, click General.
   f	In the Policy Types section, make sure you select only the Access Control.
   g	In Access Control section, click on the + (plus) icon. A pop up window opens.
   h	In the top right corner of this pop up window, click New Layer. The Layer Editor window opens.
   i	From the navigation tree of the Layer Editor window, click General.
   j	In the Blades section, make sure you select only the Firewall.
   k	On other pages of the Layer Editor window, configure additional applicable settings. Click OK.
   l	In the Access Control section, you see the Network Layer and the new Access Control Layer.
   m	Click OK to save the changes and close the Policy window.
   n	In SmartConsole, at the top, click the tab of the applicable policy.
   o	In the Access Control section, click the new Access Control Layer. In the default rule, you must change the Action column from Drop to Accept to not affect the policy enforcement: Name - Your text Important - You cannot use these strings: <M&D>, <M&d>, <m&D>, or <m&d> Source - *Any Destination - *Any VPN - *Any Services & Applications - *Any Action - Must contain Accept Track - None Install On - *Policy Targets
   p	Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt. You must configure the Mirror and Decrypt rules as follows: Name - Must contain one of these strings (the angle brackets <> are mandatory): <M&D> <M&d> <m&D> <m&d> Source - Select the applicable objects Destination - Select the applicable objects VPN - Must leave the default *Any Services & Applications - Select the applicable services (to decrypt the HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services) Action - Must contain Accept Track - Select the applicable option (None, Log, or Alert) Install On - Must contain one of these objects: *Policy Targets (this is the default) The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., or Cluster object, whose version is R80.20 or higher
   	Important: In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness. Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness. You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
   q	Publish the SmartConsole session.
   r	Install the Access Control Policy.
   s	If in a Mirror and Decrypt rule you set the Track to Log, then you can filter the logs for this rule by the Access Rule Name, which contains the configured string: <M&D>, <M&d>, <m&D>, or <m&d>.