
    15/9/2014 Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services
    https://supportcenter.checkpoint.com/supportcenter/portal/media-type/html/role/supportcenterUser/page/print.psml?action=portlets.SearchResult

    Solution ID: sk101670 9/15/2014

    Monitor Mode on Gaia OS and SecurePlatform OS

    Product: Security Gateway, Application Control, URL Filtering, IPS, DLP, Anti-Bot, Anti-Spam, Anti-Virus, Identity Awareness, Threat Emulation, Security Management, 2012 Models Security Appliances, Data Center Security Appliances, Security Gateway VE
    Version: R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R76SP, R77, R77.10, R77.20
    Last Modified: 02-Aug-2014

    Solution

    Table of Contents:

    Introduction
    Support for Security Gateway blades
    Support for Cluster
    Support for Management blades
    Limitations
    Important Notes
    FAQ
    Related documentation
    Related solutions

    Introduction

    This article describes Check Point support for Monitor Mode on Gaia OS and SecurePlatform OS by various products / blades / features in different deployments.

    Monitor Mode can be configured on Check Point Security Gateway interfaces and allows the Check Point Security Gateway to listen to traffic from a Mirror Port or SPAN Port on a switch.

    Monitor Mode on a Check Point Security Gateway interface is usually configured to monitor and analyze network traffic without affecting the production environment.

    You can use mirror ports in the following scenarios:

    As a permanent part of your deployment, to monitor the use of applications in your organization.
    As an evaluation tool for the capabilities of the Application Control and IPS blades before you decide to purchase them.

    Benefits of a mirror port include:

    There is no risk to your production environment.
    It requires minimal set-up configuration.
    It does not require TAP equipment, which is much more expensive.

    Notes:

    The mirror port neither enforces any security policy, nor performs any active operations (prevent/drop/reject). Therefore, you can only use a mirror port to evaluate the monitoring and detecting capabilities of the software blades.
    All duplicated packets arriving at the monitor interface of the Security Gateway are terminated and will not be forwarded in any way.
    The Security Gateway in Monitor Mode does not send any traffic through the monitor interface.

    Support for Security Gateway blades

    Monitor Mode is fully supported (unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway deployment:

    Blade                  Comments
    ---------------------  ------------------------------------------------------------------
    Firewall               None
    IPS                    The following will not work:
                           - 'SYN Attack' protection (SYNDefender)
                           - 'Initial Sequence Number (ISN) Spoofing' protection
                           - 'Send error page' action in Web Intelligence protections
                           - Client/Server notifications about connection termination
    Application Control    UserCheck is not supported
    URL Filtering          UserCheck is not supported
    Data Loss Prevention   - 'Prevent' and 'Ask User' actions will automatically be demoted to 'Inform User' action
                           - UserCheck is not supported
                           - FTP inspection is not supported
    Identity Awareness     - Captive Portal is not supported
                           - Identity Agent is not supported
    Anti-Bot               None
    Anti-Virus             None
    Threat Emulation       None

    Note: Monitor Mode is supported by Security Gateway VE Network mode.

    Support for Cluster

    ClusterXL / 3rd Party cluster is not supported in Monitor Mode.

    Support for Management blades

    Monitor Mode is fully supported for all Management Blades only on a StandAlone machine (Management and Gateway on the same machine).

    Limitations

    These features, Software Blades and deployments are not supported in Monitor Mode:

    NAT
    IPsec VPN
    HTTPS Inspection
    Mobile Access
    Anti-Spam & Email Security
    HTTP / HTTPS proxy
    QoS
    Traditional Anti-Virus
    User authentication
    Client authentication
    Cluster deployment
    Security Gateway VE Hypervisor mode
    VSX R65 / R67 / R68 / R75.40VS

    Important Notes

    Security Gateway in Monitor Mode must be connected to the Internet (for Cloud-based services - e.g., Social Network widgets and URL Filtering).

    Valid license and Contracts file must be installed on Security Gateway in Monitor Mode.

    To configure Monitor Mode on 41000 / 61000 Security System, refer to R76SP Administration Guide - Chapter 2 'System Configuration'- 'Port Mirroring (SPAN Port)'.

    To configure Monitor Mode on SecurePlatform R75.20, the following hotfix must be installed (even if DLP is not used) - sk65390 (Recommended Mirror Port mode hotfix for R75.20 Security Gateway running on SecurePlatform / Linux OS).

    To configure Monitor Mode on UTM-1 / Power-1 appliances, updated e1000 NIC drivers must be installed from sk37503.

    FAQ

    Do we support configuration of more than one Mirror Port?

    Multiple Mirror Ports are supported with the following caveat: the Security Gateway must not see the same traffic twice on the different interfaces.

    Can a Security Gateway be used to pass production traffic through it and as a Mirror Port at the same time?

    Not supported.

    Do we need to disable Drop Out of State packets?

    Yes. The gateway only sees mirrored copies of the traffic, so a connection may first appear mid-stream (for example, when the SPAN session is started or packets are lost on the mirror port); with out-of-state drops enabled such packets are discarded before inspection, and since nothing is enforced on a mirror port the drop protects nothing.

    How do you clear the events from SmartEvent?

    Run the following commands in Expert mode. Note that this drops the entire SmartEvent events database (events_db) on the machine; the collected events are gone unless you have a backup.

    [Expert@MirrorGW]# cpstop
    [Expert@MirrorGW]# $CPDIR/database/postgresql/util/PostgreSQLCmd start
    [Expert@MirrorGW]# $CPDIR/database/postgresql/bin/psql -p 18272 -U cp_postgres postgres -c "drop database events_db"
    [Expert@MirrorGW]# $CPDIR/database/postgresql/util/PostgreSQLCmd stop
    [Expert@MirrorGW]# cpstart

    During policy installation, I get the error: The Topology information must be configured for object ..., interface ..., in order to use selected features

    Anti-Spam blade and E-mail Security blade are not supported in a Mirror Port configuration. Make sure these blades are not enabled.

    How can I make sure my Mirror Port is not being overrun by network traffic?

    When on a Mirror Port, the device cannot control the flow of packets. If there are not enough CPU or memory resources to deal with or buffer packets before inspection, packets could be dropped. This will not affect the traffic on the production network, but you could miss an event (which might have a bad outcome for a PoC).

    It is hard to know when peaks in network traffic happen, and you cannot monitor CPU all the time. You should closely monitor the NIC statistics 1-2 times a day during the first phase of the PoC to check that there are no RX drops / overruns on the Mirror Port interface.

    Example:

    [Expert@MirrorGW]# ifconfig eth1
    eth1      Link encap:Ethernet  HWaddr 00:09:34:1C:39:A4
              UP BROADCAST RUNNING MULTICAST  MTU:1500
              RX packets:20535957 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:3698852852 (3.4 GiB)  TX bytes:0
              Interrupt:16

    Contact Check Point Support for assistance if any of the following counters shows positive / increasing numbers: errors, dropped, overruns, carrier, collisions.
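    A small shell helper that applies the check above, added here as an example; it is not part of sk101670 and not a Check Point tool. It pulls the five counters the SK names out of Linux-style ifconfig output, lists the ones that are non-zero, and compares two snapshots taken hours apart so that counters which are still increasing (rather than merely positive from some past event) stand out. The two ifconfig outputs are constructed samples modelled on the SK's example; the function names and the snapshot directory are the example's own.

```shell
#!/bin/sh
# Added example, not from sk101670: watch the ifconfig counters on a mirror-port
# interface. Assumes Linux-style ifconfig output as printed on Gaia / SecurePlatform.

# extract_counters: read ifconfig output on stdin and print one "name=value" line
# per counter of interest, prefixed rx_/tx_ so RX and TX errors stay distinguishable.
extract_counters() {
    awk '
        /RX packets:/ { pfx = "rx_" }
        /TX packets:/ { pfx = "tx_" }
        /collisions:/ { pfx = "" }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(errors|dropped|overruns|carrier|collisions):[0-9]+$/) {
                    split($i, kv, ":")
                    print pfx kv[1] "=" kv[2]
                }
        }'
}

# report_nonzero: print the counters that are not 0; exit status 1 if there are none.
report_nonzero() {
    extract_counters | grep -v '=0$'
}

# counters_increased OLD NEW: OLD and NEW are files written by extract_counters.
# Prints "name: old -> new" for every counter that grew; exit status 1 if none did.
counters_increased() {
    awk -F= '
        FILENAME == ARGV[1] { old[$1] = $2; next }
        ($1 in old) && ($2 + 0 > old[$1] + 0) { print $1 ": " old[$1] " -> " $2 }
    ' "$1" "$2" | grep .
}

# check_iface IFACE DIR: live use in Expert mode on the gateway. Stores a timestamped
# snapshot in DIR and, if an earlier snapshot exists, reports what increased since it.
check_iface() {
    iface=$1; dir=$2
    prev=$(ls "$dir/$iface".* 2>/dev/null | tail -n 1)
    now="$dir/$iface.$(date +%Y%m%d%H%M%S)"
    ifconfig "$iface" | extract_counters > "$now"
    if [ -n "$prev" ]; then
        counters_increased "$prev" "$now" || echo "no counter increased since $(basename "$prev")"
    fi
    grep -v '=0$' "$now" || echo "all counters on $iface are 0"
}

# Constructed samples (not real captures): T0 mirrors the clean output shown in the
# SK; T1 is the same interface later, after RX drops and overruns have appeared.
SAMPLE_T0='eth1      Link encap:Ethernet  HWaddr 00:09:34:1C:39:A4
          UP BROADCAST RUNNING MULTICAST  MTU:1500
          RX packets:20535957 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3698852852 (3.4 GiB)  TX bytes:0
          Interrupt:16'
SAMPLE_T1='eth1      Link encap:Ethernet  HWaddr 00:09:34:1C:39:A4
          UP BROADCAST RUNNING MULTICAST  MTU:1500
          RX packets:30535957 errors:0 dropped:812 overruns:812 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5698852852 (5.3 GiB)  TX bytes:0
          Interrupt:16'
```

    Run check_iface eth1 /var/tmp/mirror-stats (the directory is an assumed location) once or twice a day as the SK recommends, or from cron; any line printed by counters_increased means the mirror port is losing packets under load and is the point at which to involve Support.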

    I am not seeing Application Control / URL Filtering / DLP events on any TCP connections

    Follow these steps on R75.4X (starting in R76, Hairpin Mode is not relevant).

    Check if Hairpin Mode is enabled:

    [Expert@MirrorGW]# cat /sys/class/net/br1/brif/eth1/hairpin_mode

    Note: The path will vary based on the Bridge (e.g., br1) and physical interface (e.g., eth1) used. If the returned value is 0 (zero), it means that Hairpin Mode is disabled. In such case, enable it manually:

    [Expert@MirrorGW]# echo 1 > /sys/class/net/br1/brif/eth1/hairpin_mode

    Note: This command does not survive a reboot. To make this change permanent, add this 'echo 1 > ...' command at the bottom of the /etc/rc.d/rc.local script.
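    The check-and-enable steps above, generalized to every port of the bridge and made safe to rerun, as an added shell example that is not from sk101670. The optional second argument is the example's own device for exercising the logic against a constructed directory tree; on the gateway it is omitted and the real /sys is used.

```shell
#!/bin/sh
# Added example, not from sk101670: enable bridge hairpin mode on every physical
# port of a bridge on an R75.4x mirror-port gateway and verify the result.

# set_hairpin BRIDGE [SYSFS_ROOT]
# Writes 1 to hairpin_mode for each port of BRIDGE, reports ports that were already
# enabled, and returns 1 if the bridge is missing or any port could not be set.
# SYSFS_ROOT (assumed, default /sys) only exists so the function can be tested offline.
set_hairpin() {
    br=$1
    root=${2:-/sys}
    dir="$root/class/net/$br/brif"
    [ -d "$dir" ] || { echo "bridge $br not found under $dir" >&2; return 1; }
    rc=0
    for port in "$dir"/*; do
        [ -d "$port" ] || { echo "no ports enslaved to $br" >&2; return 1; }
        name=$(basename "$port")
        f="$port/hairpin_mode"
        [ -f "$f" ] || { echo "$name: no hairpin_mode attribute" >&2; rc=1; continue; }
        if [ "$(cat "$f")" = "1" ]; then
            echo "$name: hairpin_mode already 1"
            continue
        fi
        # Same write the SK prescribes, applied per port and re-read to confirm it took.
        echo 1 > "$f" || { echo "$name: could not write hairpin_mode" >&2; rc=1; continue; }
        echo "$name: hairpin_mode set to $(cat "$f")"
    done
    return $rc
}

# hairpin_state BRIDGE [SYSFS_ROOT]: one "port value" line per bridge port, for a quick audit.
hairpin_state() {
    root=${2:-/sys}
    for f in "$root/class/net/$1/brif"/*/hairpin_mode; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$f")")" "$(cat "$f")"
    done
}
```

    Call set_hairpin br1 from the bottom of /etc/rc.d/rc.local so the setting is reapplied after every reboot, as the SK's note requires, and use hairpin_state br1 as a pre-flight check before a PoC capture.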

    Related documentation

    Security Gateway Technical Administration Guide (R77) - Chapter 5 'Bridge Mode' - Configuring Monitor Mode.

    Gaia Administration Guide (R75.40, R75.40VS, R76, R77).

    SecurePlatform Administration Guide (R75.40, R75.40VS, R76, R77).

    Command Line Interface Reference Guide (R75.20, R75.40, R75.40VS, R76, R77).

    Related solutions

    sk92985 (Security Gateway in Monitor Mode does not block traffic)

    sk88980 (How to configure a Security Policy for Mirror Port Use)

    sk72640 (Optimizing Security Gateway Configuration for Mirror Port Use)

    sk83500 (How to run a Mirror Port Proof of Concept (PoC))

    sk70900 (How to configure Monitor Mode on DLP Security Gateway running Gaia OS R75.45 / R76 / R77 and above)

    sk65390 (Mirror Port mode recommended hotfix for R75.20 Security Gateway on SecurePlatform OS)

    sk101371 (Bridge Mode on Gaia OS and SecurePlatform OS)


    Applies To:

    This SK replaces sk72541

    2014 Check Point Software Technologies Ltd. All rights reserved.

    Check Point Software Technologies, Inc. is a wholly owned subsidiary of Check Point Software Technologies Ltd.