Monitor Mode on SMB Appliances running Gaia Embedded OS
SMB Appliances running firmware R77.20.40 and above, can monitor traffic from a Mirror Port / Span Port on a switch.
Monitor Mode enhances the ability of the appliance to monitor and analyze traffic, without affecting the production environment. For example, you can monitor application usage in your organization, or evaluate Software Blade capabilities before you decide to purchase.
Since R77.20.70 it is possible to configure multiple local networks to be in monitor mode at the same time (not supported in 600/1100 appliances).
Configuring Monitor Mode
On the appliance, the outbound and inbound policies are separate. The appliance must be able to recognize the direction of traffic to apply the correct policy.
With Monitor Mode, the appliance uses
Automatic Learning or
User Defined networks to identify the traffic and enforce the policy.
The appliance identifies the local Default Gateway from requests to the Internet (specifically, requests to Google). The appliance makes sure that traffic to the Default Gateway is inspected by the Outbound Rule Base, and traffic from the Default Gateway is inspected by the Inbound Rule Base.
You can manually define Internal networks. Networks that are not defined as Internal, are considered to be External. This definition is for policy enforcement, not actual topology.
- Traffic to Internal hosts is inspected by the Inbound Rule Base.
- Traffic from Internal hosts is inspected by the Outbound Rule Base.
- Traffic from an external host to an external host is not inspected.
Enable Global monitoring
Before Configuring Monitor Mode in WebUI or CLI, you should Enable Global monitoring with the following CLI Command:
HostName:0> set monitor-mode-configuration allow-monitor-mode true
Note: starting from R77.20.51, the option to configure monitoring mode is available by default and not hidden.
Configuring Monitor Mode in WebUI
Configuration options for Monitor Mode are in the Device tab of the WebUI.
Open Local Network, and double-click the interface with Monitor Mode.
In the '
Edit' window, go to '
Configuration' tab - under the '
Interface Configuration' - '
Assigned To' drop-down menu, select '
Make sure the '
Manually defined internal networks' is not selected, if you want the appliance to use Automatic Learning to enforce policies.
If you want to use your own network definitions, click on '
Manually define internal networks'. The network definition features and table shows:
- Click '
New' to define an Internal network.
- Enter the IP address of the network.
- Enter the subnet of the network.
An internal network can be a 255.255.255.255 subnet, for one host.
For example, to monitor the traffic after the router, enter the IP address of the Default Gateway and the 255.255.255.255 subnet.
In Local Network, see that the Internal network is in the list, with '
Monitor Mode' in its name.
Configuring Monitor Mode in CLI
Define a port for Monitor Mode:
HostName:0> set interface <portName> monitor-mode
Configure Automatic Learning or user-defined networks:
To configure Monitor Mode Automatic Learning, disable user-defined networks:
HostName:0> set monitor-mode-configuration use-defined-networks false
To configure Monitor Mode with user-defined networks:
HostName:0> add monitor-mode-network ipv4-address <IP> subnet-mask <mask>
HostName:0> set monitor-mode-configuration use-defined-networks true
To see user-defined Internal networks:
HostName:0> show monitor-mode-network
If you do not see the '
Monitor Mode' option in the '
Interface Configuration' - '
Assigned To' drop-down menu:
- Open the '
Edit LAN1' Switch window.
- Remove the interface you want to monitor.
- In the '
Device' - '
Local Network' window, right-click the interface that you removed and select '
Monitor Mode will be the last option in the Assigned To drop-down menu.
To verify if Monitor Mode is working with tcpdump, run the following command:
tcpdump -i brS-LAN2 (in case LAN2 is configured as the Bridge for STP)
- Switches that output 802.1Q (VLAN) tagged packets (such as HP2920) are currently not supported.
- On 600/1100 appliances, it is highly recommended to configure LAN1, LAN2, LAN5, LAN6 or LAN7 for Monitor Mode.
- ClusterXL / 3rd Party cluster is not supported in Monitor Mode (from sk101670).