Deploying a Security Group in Monitor Mode

Introduction to Monitor Mode

You can configure Monitor Mode on one of the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.'s interfaces.

The Security Group listens to traffic from a Mirror Port (or Span Port) on a connected switch.

Use the Monitor Mode to analyze network traffic without changing the production environment.

The mirror port on a switch duplicates the network traffic and sends it to the Security Group with an interface configured in Monitor Mode to record the activity logs.

You can use the Monitor Mode:

To monitor the use of applications as a permanent part of your deployment
To evaluate the capabilities of the Software Blades:
- The Security Group neither enforces any security policy, nor performs any active operations (prevent / drop / reject) on the interface in the Monitor Mode.
- The Security Group terminates and does not forward all packets that arrive at the interface in the Monitor Mode.
- The Security Group does not send any traffic through the interface in the Monitor Mode.

Benefits of the Monitor Mode include:

There is no risk to your production environment.
It requires minimal set-up configuration.
It does not require TAP equipment, which is expensive.

Example Topology for Monitor Mode

Item	Description
1	Switch with a mirror or SPAN port that duplicates all incoming and outgoing packets. The Security Group connects to a mirror or SPAN port on the switch.
2	Servers.
3	Clients.
4	Security Group with an interface in Monitor Mode.
5	Security Management Server that manages the Security Group.

Supported Software Blades in Monitor Mode

This table lists Software Blades and their support for the Monitor Mode.

Software Blade	Support for the Monitor Mode
Firewall	Fully supports the Monitor Mode.
IPS	These protections and features do not work: The SYN Attack protection (SYNDefender). The Initial Sequence Number (ISN) Spoofing protection. The Send error page action in Web Intelligence protections. Client and Server notifications about connection termination.
Application Control	Does not support UserCheck.
URL Filtering	Does not support UserCheck.
Data Loss Prevention	Does not support these: UserCheck. The "Prevent" and "Ask User" actions - these are automatically demoted to the "Inform User" action. FTP inspection.
Identity Awareness	Does not support these: Captive Portal. Identity Agent.
Threat Emulation	Does not support these: The Emulation Connection Prevent Handling Modes "Background" and "Hold". See sk106119. FTP inspection.
Content Awareness	Does not support the FTP inspection.
Anti-Bot	Fully supports the Monitor Mode.
Anti-Virus	Does not support the FTP inspection.
IPsec VPN	Does not support the Monitor Mode.
Mobile Access	Does not support the Monitor Mode.
Anti-Spam & Email Security	Does not support the Monitor Mode.
QoS	Does not support the Monitor Mode.

Limitations in Monitor Mode

These features and deployments are not supported in Monitor Mode:

Passing production traffic through a Security Gateway, on which you configured Monitor Mode interface(s).
If you configure more than one Monitor Mode interface on a Security Gateway, you must make sure the Security Gateway does not receive the same traffic on the different Monitor Mode interfaces.
HTTPS Inspection
NAT rules.
HTTP / HTTPS proxy.
Anti-Virus in Traditional Mode.
User Authentication.
Client Authentication.
Check Point Active Streaming (CPAS).
Cluster deployment.
CloudGuard Gateways.
CoreXL Dynamic Dispatcher (sk105261).
Setting the value of the kernel parameters "psl_tap_enable" and "fw_tap_enable" to 1 (one) on-the-fly with the "fw ctl set int" command (Issue ID 02386641).

For more information, see sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.