Mirror and Decrypt

The Mirror and Decrypt feature performs these actions on your Security Gateway / Cluster / Scalable Platform Security Group:

| Action | Description |
|---|---|
| Only mirror of all traffic | Your Security Gateway / Cluster / Security Group clones all traffic (including HTTPS without decryption) that passes through it, and sends it out of the designated physical interface. |
| Mirror and Decrypt of HTTPS traffic | Your Security Gateway / Cluster / Security Group clones all HTTPS traffic that passes through it, decrypts it, and sends it in clear-text out of the designated physical interface. |

Note - If you wish to decrypt the HTTPS traffic, you must enable and configure the HTTPS Inspection on your Security Gateway / Cluster / Security Group.

You can add a third-party Recorder or Packet-Broker in your environment and forward to it the traffic that passes through your Security Gateway / Cluster / Security Group.

This Recorder or Packet-Broker must work in monitor (promiscuous) mode to accept the decrypted and mirrored traffic from your Security Gateway / Cluster / Security Group.

The Security Gateway / Cluster / Security Group works with only one Recorder, which is directly connected to a designated physical network interface (NIC) on the Check Point Security Gateway / Cluster / Security Group.

Example Topology and Traffic Flow:

| Item | Description |
|---|---|
| 1 | First network that sends and receives traffic through the Security Gateway (2). |
| 2 | Security Gateway, through which networks (1) and (3) send and receive their traffic. |
| 3 | Second network that sends and receives traffic through the Security Gateway (2). |
| 4 | Designated physical interface on the Security Gateway (2). |
| 5 | Recorder, or Packet-Broker that works in a monitor (promiscuous) mode. |
| A | Traffic flow between the first network (1) and the Security Gateway (2). |
| B | Traffic flow between the second network (3) and the Security Gateway (2). |
| C | Flow of the decrypted and mirrored traffic from the Security Gateway (2) to the Recorder, or Packet-Broker (5). |

Source MAC address of the decrypted and mirrored packets

| Traffic | Source MAC address of the decrypted and mirrored packets the Security Gateway / Cluster / Security Group sends |
|---|---|
| Mirror only of all traffic | MAC address of the designated physical interface. |
| Mirror and Decrypt of HTTPS traffic | 00:00:00:00:00:00 |
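
On the Recorder side, the source MAC values listed above can be used to separate decrypted clear-text frames from mirror-only frames, for example to apply stricter storage and access controls to the decrypted ones. The following Python code is an added example, not Check Point code: it reads a classic pcap capture and counts frames per class. DESIGNATED_IF_MAC and the sample capture are constructed placeholder values.

```python
import struct
from collections import Counter

DECRYPTED_SRC_MAC = bytes(6)  # 00:00:00:00:00:00, per the table above
# Assumption: MAC of the gateway's designated interface (constructed value).
DESIGNATED_IF_MAC = bytes.fromhex("020000aabbcc")

def classify_frame(frame: bytes) -> str:
    """Classify one Ethernet frame by its source MAC (bytes 6..11)."""
    if len(frame) < 14:
        return "truncated"
    src = frame[6:12]
    if src == DECRYPTED_SRC_MAC:
        return "decrypted-https"
    if src == DESIGNATED_IF_MAC:
        return "mirror-only"
    return "other"

def classify_pcap(data: bytes) -> Counter:
    """Count frame classes in a classic (non-pcapng) Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        counts["truncated" if len(frame) < incl_len else classify_frame(frame)] += 1
        off += 16 + incl_len
    return counts

def build_sample_pcap() -> bytes:
    """Constructed capture: 2 decrypted, 1 mirror-only, 1 other frame."""
    dst, ipv4 = bytes.fromhex("020000000001"), b"\x08\x00"
    srcs = [DECRYPTED_SRC_MAC, DESIGNATED_IF_MAC, DECRYPTED_SRC_MAC,
            bytes.fromhex("020000ddeeff")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, src in enumerate(srcs):
        frame = dst + src + ipv4 + b"\x00" * 46  # padded dummy payload
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for kind, n in sorted(classify_pcap(build_sample_pcap()).items()):
        print(f"{kind}: {n}")
```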