Mirror and Decrypt

The Mirror and Decrypt feature performs these actions on your Security Gateway / Cluster / Scalable Platform Security Group:

Action

Description

Only mirror of all traffic

Your Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. / Security GroupClosed A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. clones all traffic (including HTTPS without decryption) that passes through it, and sends it out of the designated physical interface.

Mirror and Decrypt of HTTPS traffic

Your Security Gateway / Cluster / Security Group clones all HTTPS traffic that passes through it, decrypts it, and sends it in clear-text out of the designated physical interface.

Note - If you wish to decrypt the HTTPS traffic, you must enable and configure the HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. on your Security Gateway / Cluster / Security Group.

You can add a third-party Recorder or Packet-Broker in your environment and forward to it the traffic that passes through your Security Gateway / Cluster / Security Group.

This Recorder or Packet-Broker must work in monitor (promiscuous) mode to accept the decrypted and mirrored traffic from your Security Gateway / Cluster / Security Group.

Security Gateway / Cluster / Security Group works only with one Recorder, which is directly connected to a designated physical network interface (NIC) on the Check Point Security Gateway / Cluster / Security Group.

Example Topology and Traffic Flow:

Item

Description

1

First network that sends and receives traffic through the Security Gateway (2).

2

Security Gateway, through which networks (1) and (3) send and receive their traffic.

3

Second network that sends and receives traffic through the Security Gateway (2).

4

Designated physical interface on the Security Gateway (2).

5

Recorder, or Packet-Broker that works in a monitor (promiscuous) mode.

A

Traffic flow between the first network (1) and the Security Gateway (2).

B

Traffic flow between the second network (3) and the Security Gateway (2).

C

Flow of the decrypted and mirrored traffic from the Security Gateway (2) to the Recorder, or Packet-Broker (5).

Source MAC address of the decrypted and mirrored packets

Traffic

Source MAC address of the decrypted
and mirrored packets the Security Gateway /
Cluster / Security Group sends

Mirror only of all traffic

MAC address of the designated physical interface.

Mirror and Decrypt of HTTPS traffic

00:00:00:00:00:00