Deploying a Security Group in Monitor Mode

Introduction to Monitor Mode

You can configure Monitor Mode on one of the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.'s interfaces.

The Security Group listens to traffic from a Mirror Port (or Span Port) on a connected switch.

Use the Monitor Mode to analyze network traffic without changing the production environment.

The mirror port on a switch duplicates the network traffic and sends it to the Security Group with an interface configured in Monitor Mode to record the activity logs.

You can use the Monitor Mode:

To monitor the use of applications as a permanent part of your deployment
To evaluate the capabilities of the Software Blades:
- The Security Group neither enforces any security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., nor performs any active operations (prevent / drop / reject) on the interface in the Monitor Mode.
- The Security Group terminates and does not forward all packets that arrive at the interface in the Monitor Mode.
- The Security Group does not send any traffic through the interface in the Monitor Mode.

Benefits of the Monitor Mode include:

There is no risk to your production environment.
It requires minimal set-up configuration.
It does not require TAP equipment, which is expensive.

Example Topology for Monitor Mode

Item	Description
1	Switch with a mirror or SPAN port that duplicates all incoming and outgoing packets. The Security Group connects to a mirror or SPAN port on the switch.
2	Servers.
3	Clients.
4	Security Group with an interface in Monitor Mode.
5	Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. that manages the Security Group.

Supported Software Blades in Monitor Mode

This table lists Software Blades and their support for the Monitor Mode.

Software Blade	Support for the Monitor Mode
Firewall	Fully supports the Monitor Mode.
IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System).	These protections and features do not work: The SYN Attack protection (SYNDefender). The Initial Sequence Number (ISN) Spoofing protection. The Send error page action in Web Intelligence protections. Client and Server notifications about connection termination.
Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.	Does not support UserCheck.
URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.	Does not support UserCheck.
Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.	Does not support these: UserCheck. The "Prevent" and "Ask User" actions - these are automatically demoted to the "Inform User" action. FTP inspection.
Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.	Does not support these: Captive Portal. Identity Agent.
Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.	Does not support these: The Emulation Connection Prevent Handling Modes "Background" and "Hold". See sk106119. FTP inspection.
Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. See sk119715. Acronym: CTNT.	Does not support the FTP inspection.
Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.	Fully supports the Monitor Mode.
Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.	Does not support the FTP inspection.
IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.	Does not support the Monitor Mode.
Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB.	Does not support the Monitor Mode.
Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM. & Email Security	Does not support the Monitor Mode.
QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.	Does not support the Monitor Mode.

Limitations in Monitor Mode

These features and deployments are not supported in Monitor Mode:

Passing production traffic through a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., on which you configured Monitor Mode interface(s).
If you configure more than one Monitor Mode interface on a Security Gateway, you must make sure the Security Gateway does not receive the same traffic on the different Monitor Mode interfaces.
HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi.
NAT rules.
HTTP / HTTPS proxy.
Anti-Virus in Traditional Mode.
User Authentication.
Client Authentication.
Check Point Active Streaming (CPAS).
Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. deployment.
CloudGuard Gateways.
CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Dynamic Dispatcher (sk105261).
Setting the value of the kernel parameters "psl_tap_enable" and "fw_tap_enable" to 1 (one) on-the-fly with the "fw ctl set int" command (Issue ID 02386641).

For more information, see sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.