Deploying a Security Group in Monitor Mode

Introduction to Monitor Mode

You can configure Monitor Mode on one of the Security Group's interfaces.

The Security Group listens to traffic from a Mirror Port (or SPAN Port) on a connected switch.

Use the Monitor Mode to analyze network traffic without changing the production environment.

The mirror port on the switch duplicates the network traffic and sends the copy to the Security Group interface that is configured in Monitor Mode. The Security Group inspects the copy and records the activity in its logs.

You can use the Monitor Mode:

  • To monitor the use of applications as a permanent part of your deployment.

  • To evaluate the capabilities of the Software Blades without enforcing a policy.

An interface in the Monitor Mode behaves as follows:

  • The Security Group neither enforces any security policy, nor performs any active operations (prevent / drop / reject) on traffic that arrives at the interface. It only inspects and logs that traffic.

  • The Security Group terminates all packets that arrive at the interface and does not forward them.

  • The Security Group does not send any traffic through the interface.

Benefits of the Monitor Mode include:

  • There is no risk to your production environment.

  • It requires minimal set-up configuration.

  • It does not require dedicated TAP equipment, which is expensive.

Example Topology for Monitor Mode

Item  Description
1     Switch with a mirror or SPAN port that duplicates all incoming and outgoing packets. The Security Group connects to the mirror or SPAN port on the switch.
2     Servers.
3     Clients.
4     Security Group with an interface in Monitor Mode.
5     Security Management Server that manages the Security Group.

Supported Software Blades in Monitor Mode

This table lists Software Blades and their support for the Monitor Mode.

Software Blade              Support for the Monitor Mode
--------------------------  ------------------------------------------------
Firewall                    Fully supports the Monitor Mode.
IPS                         These protections and features do not work:
                              • The SYN Attack protection (SYNDefender).
                              • The Initial Sequence Number (ISN) Spoofing protection.
                              • The "Send error page" action in Web Intelligence protections.
                              • Client and Server notifications about connection termination.
Application Control         Does not support UserCheck.
URL Filtering               Does not support UserCheck.
Data Loss Prevention        Does not support these:
                              • UserCheck.
                              • The "Prevent" and "Ask User" actions. These are automatically demoted to the "Inform User" action.
                              • FTP inspection.
Identity Awareness          Does not support these:
                              • Captive Portal.
                              • Identity Agent.
Threat Emulation            Does not support these:
                              • The Emulation Connection Prevent Handling Modes "Background" and "Hold". See sk106119.
                              • FTP inspection.
Content Awareness           Does not support FTP inspection.
Anti-Bot                    Fully supports the Monitor Mode.
Anti-Virus                  Does not support FTP inspection.
IPsec VPN                   Does not support the Monitor Mode.
Mobile Access               Does not support the Monitor Mode.
Anti-Spam & Email Security  Does not support the Monitor Mode.
QoS                         Does not support the Monitor Mode.

Limitations in Monitor Mode

These features and deployments are not supported in Monitor Mode:

  • Passing production traffic through a Security Group on which you configured Monitor Mode interface(s).

  • If you configure more than one Monitor Mode interface on a Security Group, you must make sure that the Security Group does not receive the same traffic on the different Monitor Mode interfaces (for example, when two SPAN sessions mirror both ends of the same link).

  • HTTPS Inspection

  • NAT rules.

  • HTTP / HTTPS proxy.

  • Anti-Virus in Traditional Mode.

  • User Authentication.

  • Client Authentication.

  • Check Point Active Streaming (CPAS).

  • Cluster deployment.

  • CloudGuard Gateways.

  • CoreXL Dynamic Dispatcher (sk105261).

  • Setting the value of the kernel parameters "psl_tap_enable" and "fw_tap_enable" to 1 (one) on-the-fly with the "fw ctl set int" command (Issue ID 02386641).
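The limitation on receiving the same traffic on several Monitor Mode interfaces is easy to violate when two SPAN sessions overlap, and it is not obvious from the logs. The following Python script is an added example, not part of this page or of Check Point's software: it takes per-interface packet records (here a constructed sample; in practice they would come from a capture taken on each Monitor Mode interface) and reports frames that arrived on more than one interface within a short time window, keyed on the direction-agnostic 5-tuple, IPv4 Identification and length. The interface names, addresses and the record layout are assumptions made for the example.

```python
"""Flag traffic that arrives on more than one Monitor Mode interface.

Added example, not part of the Check Point documentation or product. The
packet records below are a constructed sample; in practice you would fill
them from a capture taken on each Monitor Mode interface.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str     # Monitor Mode interface the copy arrived on (assumed name)
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ip_id: int     # IPv4 Identification field
    length: int    # IP total length


def packet_key(p: Packet) -> tuple:
    """Key that two SPAN copies of the same frame share.

    The endpoint pair is sorted so the key does not depend on which side
    sent the packet; IP ID and length separate one frame from other packets
    of the same connection, including retransmissions, which normally carry
    a fresh IP ID.
    """
    ends = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
    return (ends, p.proto, p.ip_id, p.length)


def find_duplicate_traffic(packets, window: float = 0.5):
    """Return [(key, [ifaces])] for frames seen on 2+ interfaces within `window` seconds."""
    hits = defaultdict(list)                      # key -> [(ts, iface)] in time order
    for p in sorted(packets, key=lambda p: p.ts):
        hits[packet_key(p)].append((p.ts, p.iface))
    dups = []
    for key, seen in hits.items():
        ifaces = sorted({iface for _, iface in seen})
        if len(ifaces) > 1 and seen[-1][0] - seen[0][0] <= window:
            dups.append((key, ifaces))
    return dups


def overlap_report(packets, window: float = 0.5):
    """Per interface: (frames that also arrived on another interface, total frames)."""
    total = Counter(p.iface for p in packets)
    dup = Counter()
    for _, ifaces in find_duplicate_traffic(packets, window):
        dup.update(ifaces)
    return {iface: (dup[iface], total[iface]) for iface in total}


# Constructed sample: eth2 and eth3 are two Monitor Mode interfaces, each fed
# by its own SPAN session. The first client<->server exchange is mirrored by
# both sessions, so each of its frames arrives twice.
SAMPLE_PACKETS = [
    Packet("eth2", 100.0000, "10.1.1.10", "10.2.2.20", "tcp", 51000, 443, 4001, 60),
    Packet("eth3", 100.0002, "10.1.1.10", "10.2.2.20", "tcp", 51000, 443, 4001, 60),
    Packet("eth2", 100.0100, "10.2.2.20", "10.1.1.10", "tcp", 443, 51000, 9001, 60),
    Packet("eth3", 100.0102, "10.2.2.20", "10.1.1.10", "tcp", 443, 51000, 9001, 60),
    # Retransmission of the client's segment: same 5-tuple, new IP ID, one copy only.
    Packet("eth2", 100.5000, "10.1.1.10", "10.2.2.20", "tcp", 51000, 443, 4002, 60),
    Packet("eth2", 101.0000, "10.1.1.11", "10.2.2.21", "udp", 40000, 53, 7, 80),
    Packet("eth3", 101.5000, "10.1.1.12", "10.2.2.22", "tcp", 52000, 22, 12, 74),
]


if __name__ == "__main__":
    for key, ifaces in find_duplicate_traffic(SAMPLE_PACKETS):
        print("duplicate on", ifaces, key)
    for iface, (d, t) in overlap_report(SAMPLE_PACKETS).items():
        print(f"{iface}: {d}/{t} frames also seen on another Monitor Mode interface")
```

A high ratio in the report for a pair of interfaces means the two SPAN sessions cover the same ports or links; fix the SPAN source definitions on the switch rather than relying on the Security Group to discard the second copy.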

For more information, see sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.