
15/9/2014 Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

https://supportcenter.checkpoint.com/supportcenter/portal/media-type/html/role/supportcenterUser/page/print.psml?action=portlets.SearchResult 1/4
Solution ID: sk101670 9/15/2014
Monitor Mode on Gaia OS and SecurePlatform OS
Product: Security Gateway, Application Control, URL Filtering, IPS, DLP, Anti-Bot, Anti-Spam, Anti-Virus, Identity Awareness, Threat Emulation, Security Management, 2012 Models Security Appliances, Data Center Security Appliances, Security Gateway VE
Version: R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R76SP, R77, R77.10, R77.20
Last Modified: 02-Aug-2014
Solution
Table of Contents:
Introduction
Support for Security Gateway blades
Support for Cluster
Support for Management blades
Limitations
Important Notes
FAQ
Related documentation
Related solutions

Introduction
This article describes Check Point support for Monitor Mode on Gaia OS and SecurePlatform OS by various products / blades / features in
different deployments.
Monitor Mode can be configured on Check Point Security Gateway interfaces and allows Check Point Security Gateway to listen to traffic from a
Mirror Port or Span Port on a switch.
Monitor Mode on Check Point Security Gateway interface is usually configured to monitor and analyze network traffic without affecting the
production environment.
You can use mirror ports in the following scenarios:
As a permanent part of your deployment, to monitor the use of applications in your organization.
As an evaluation tool for the capabilities of the Application Control and IPS blades before you decide to purchase them.
Benefits of a mirror port include:
There is no risk to your production environment.
It requires minimal set-up configuration.
It does not require TAP equipment, which is much more expensive.
Notes:
The mirror port neither enforces any security policy, nor performs any active operations (prevent/drop/reject).
Therefore, you can only use mirror port to evaluate the monitoring and detecting capabilities of the software blades.
All duplicated packets arriving at the monitor interface of the Security Gateway are terminated and will not be forwarded in any way.
Security Gateway in Monitor Mode does not send any traffic through the monitor interface.

Support for Security Gateway blades
Monitor Mode is fully supported (unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway
deployment:
Blade                   Comments
Firewall                None
IPS                     The following will not work:
                          'SYN Attack' protection (SYNDefender)
                          'Initial Sequence Number (ISN) Spoofing' protection
                          'Send error page' action in Web Intelligence protections
                          Client/Server notifications about connection termination
Application Control     UserCheck is not supported
URL Filtering           UserCheck is not supported
Data Loss Prevention    'Prevent' and 'Ask User' actions will automatically be demoted to 'Inform User' action
                        UserCheck is not supported
                        FTP inspection is not supported
Identity Awareness      Captive Portal is not supported
                        Identity Agent is not supported
Anti-Bot                None
Anti-Virus              None
Threat Emulation        None
Note: Monitor Mode is supported by Security Gateway VE Network mode.

Support for Cluster
ClusterXL / 3rd Party cluster is not supported in Monitor Mode.

Support for Management blades
Monitor Mode is fully supported for all Management Blades only on StandAlone machine (Management and Gateway on the same machine).

Limitations
These features, Software Blades and deployments are not supported in Monitor Mode:
NAT
IPsec VPN
HTTPS Inspection
Mobile Access
Anti-Spam & Email Security
HTTP / HTTPS proxy
QoS
Traditional Anti-Virus
User authentication
Client authentication
Cluster deployment
Security Gateway VE Hypervisor mode
VSX R65 / R67 / R68 / R75.40VS

Important Notes
Security Gateway in Monitor Mode must be connected to the Internet (for Cloud-based services - e.g., Social Network widgets and URL
Filtering).
Valid license and Contracts file must be installed on Security Gateway in Monitor Mode.
To configure Monitor Mode on 41000 / 61000 Security System, refer to R76SP Administration Guide - Chapter 2 'System Configuration' - 'Port Mirroring (SPAN Port)'.
To configure Monitor Mode on SecurePlatform R75.20, the following hotfix must be installed (even if DLP is not used) - sk65390
(Recommended Mirror Port mode hotfix for R75.20 Security Gateway running on SecurePlatform / Linux OS).
To configure Monitor Mode on UTM-1 / Power-1 appliances, updated e1000 NIC drivers must be installed from sk37503.

FAQ

Do we support configuration of more than one Mirror Port?
Multiple Mirror Ports are supported with the following caveat: the Security Gateway must not see the same traffic twice on the
different interfaces.
Can a Security Gateway be used to pass production traffic through it and as a Mirror Port at the same time?
Not supported.
Do we need to disable Drop Out of State packets?
Yes.
How do you clear the events from SmartEvent?
Run the following commands:
[Expert@MirrorGW]# cpstop
[Expert@MirrorGW]# $CPDIR/database/postgresql/util/PostgreSQLCmd start
[Expert@MirrorGW]# $CPDIR/database/postgresql/bin/psql -p 18272 -U cp_postgres postgres -c "drop database events_db"
[Expert@MirrorGW]# $CPDIR/database/postgresql/util/PostgreSQLCmd stop
[Expert@MirrorGW]# cpstart
During policy installation, I get the error: The Topology information must be configured for object ..., interface ..., in order to
use selected features
Anti-Spam blade and E-mail Security blade are not supported in a Mirror Port configuration. Make sure these blades are not
enabled.
How can I make sure my Mirror Port is not being overrun by network traffic?
When on a Mirror Port, the device cannot control the flow of packets. If there is not enough CPU or memory resources to deal
with or buffer packets before inspection, packets could be dropped.
It will not affect the traffic on the production network, but you could miss an event (which might have a bad outcome for a
PoC).
It is hard to know when peaks in network traffic happen, and you cannot monitor CPU all the time. You should closely monitor
the NIC statistics 1-2 times a day during first phase of the PoC to check that there are no RX drops / overruns on the Mirror
Port interface.
Example:
[Expert@MirrorGW]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:09:34:1C:39:A4
UP BROADCAST RUNNING MULTICAST MTU:1500
RX packets:20535957 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3698852852 (3.4 GiB) TX bytes:0
Interrupt:16
Contact Check Point Support for assistance if any of the following counters shows positive / increasing numbers:
errors
dropped
overruns
carrier
collisions
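The check above can be scripted so that the daily NIC review is a single command. The following is an added example (not part of this SK): it parses `ifconfig <interface>` output and reports any of the counters the SK names (errors, dropped, overruns, carrier, collisions) that are above zero. The two ifconfig samples embedded in it are constructed, modelled on the eth1 output shown above.

```shell
#!/bin/sh
# Added example, not from the SK: flag non-zero NIC counters on a Mirror Port
# interface from `ifconfig <iface>` output. Watched counters are the ones the
# SK lists: errors, dropped, overruns, carrier, collisions.

# check_mirror_counters TEXT
#   TEXT is the output of `ifconfig <iface>`. Prints each watched counter that
#   is above zero (prefixed with RX/TX where applicable) and returns 1; returns
#   0 when every watched counter is zero. To catch "increasing" counters, run it
#   on two snapshots taken some time apart and compare the printed values.
check_mirror_counters() {
    printf '%s\n' "$1" | awk '
        /RX packets|TX packets|collisions/ {
            # The RX/TX lines start with the direction; the collisions line does not
            dir = ($1 == "RX" || $1 == "TX") ? $1 " " : ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, ":")
                if (n == 2 && kv[1] ~ /^(errors|dropped|overruns|carrier|collisions)$/) {
                    if (kv[2] + 0 > 0) {
                        printf "%s%s=%s\n", dir, kv[1], kv[2]
                        bad = 1
                    }
                }
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample: a healthy Mirror Port interface (all watched counters zero)
SAMPLE_OK='eth1      Link encap:Ethernet  HWaddr 00:09:34:1C:39:A4
          UP BROADCAST RUNNING MULTICAST  MTU:1500
          RX packets:20535957 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3698852852 (3.4 GiB)  TX bytes:0
          Interrupt:16'

# Constructed sample: the same interface being overrun (RX drops and overruns)
SAMPLE_DROPS='eth1      Link encap:Ethernet  HWaddr 00:09:34:1C:39:A4
          UP BROADCAST RUNNING MULTICAST  MTU:1500
          RX packets:20535957 errors:0 dropped:1532 overruns:87 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3698852852 (3.4 GiB)  TX bytes:0
          Interrupt:16'

check_mirror_counters "$SAMPLE_OK" && echo "Mirror Port counters clean"
check_mirror_counters "$SAMPLE_DROPS" || echo "Mirror Port is being overrun"
```

On a live gateway, replace the sample text with `"$(ifconfig eth1)"` and run it from cron at the interval the SK suggests.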
I am not seeing Application Control / URL Filtering / DLP events on any TCP connections
Follow these steps on R75.4X (starting in R76, Hairpin Mode is not relevant).

Check if Hairpin Mode is enabled:
[Expert@MirrorGW]# cat /sys/class/net/br1/brif/eth1/hairpin_mode
Note: Path will vary based on Bridge (e.g., br1) and physical interface (e.g., eth1) used. If the returned value is 0 (zero), it
means that the Hairpin Mode is disabled. In such case, enable it manually:
[Expert@MirrorGW]# echo 1 > /sys/class/net/br1/brif/eth1/hairpin_mode
Note: This command does not survive a reboot. To make this change permanent, add this 'echo 1 > ...' command at the
bottom of the /etc/rc.d/rc.local script.

Related documentation
Security Gateway Technical Administration Guide (R77) - Chapter 5 'Bridge Mode' - Configuring Monitor Mode.
Gaia Administration Guide (R75.40, R75.40VS, R76, R77).
SecurePlatform Administration Guide (R75.40, R75.40VS, R76, R77).
Command Line Interface Reference Guide (R75.20, R75.40, R75.40VS, R76, R77).

Related solutions
sk92985 (Security Gateway in Monitor Mode does not block traffic)
sk88980 (How to configure a Security Policy for Mirror Port Use)
sk72640 (Optimizing Security Gateway Configuration for Mirror Port Use)
sk83500 (How to run a Mirror Port Proof of Concept (PoC))
sk70900 (How to configure Monitor Mode on DLP Security Gateway running Gaia OS R75.45 / R76 / R77 and above)
sk65390 (Mirror Port mode recommended hotfix for R75.20 Security Gateway on SecurePlatform OS)
sk101371 (Bridge Mode on Gaia OS and SecurePlatform OS)
Applies To:
This SK replaces sk72541
2014 Check Point Software Technologies Ltd. All rights reserved.
Check Point Software Technologies, Inc. is a wholly owned
subsidiary of Check Point Software Technologies Ltd.
