Mirror and Decrypt Logs

To Mirror and Decrypt the traffic, you create special rules in the Access Control Policy.

The Mirror and Decrypt feature adds the applicable information to the regular Security Gateway logs.

To see the Mirror and Decrypt logs in SmartConsole:

| Item | Description |
|------|-------------|
| 1 | Connect with SmartConsole to the Management Server. |
| 2 | From the left navigation panel, click Logs & Monitor > Logs. |
| 3 | In the search field, enter: type:Control |
| 4 | Double-click on the log and refer to the More section. |

The Mirror and Decrypt logs show this information in the More section > Mirror and Decrypt field:

| Action | Description |
|--------|-------------|
| Mirror only | Security Gateway / Cluster only mirrored the traffic. |
| Decrypt and mirror | Security Gateway / Cluster decrypted and mirrored the HTTP / HTTPS traffic. Note - This can be the case even for a clear-text HTTP connection, because HTTPS Inspection inspects it first (for example, all connections that use proxy 8080). |
| Partial mirroring (HTTPS inspection Bypass) | Security Gateway / Cluster started to decrypt the traffic, but stopped later due to a Bypass rule (for example, a rule with a Category). Therefore, the mirrored connection is not complete. |