How to configure Monitor Mode on DLP Security Gateway running Gaia OS R75.45 / R76 / R77 and above
Solution

Table of Contents:

  • Introduction
  • Instructions for DLP Security Gateway R75.45
  • Instructions for DLP Security Gateway R76 / R77 and above
  • Related solutions

 

Introduction

Mirror Port Mode (Monitor Mode) allows Check Point Security Gateway to listen to traffic from a Mirror Port or Span Port on a switch - refer to sk101670 (Monitor Mode on Gaia OS and SecurePlatform OS).

Mirror Port on Check Point Security Gateway is usually configured to monitor and analyze network traffic without affecting the production environment. The mirror port duplicates the network traffic and records the activity in logs.

You can use mirror ports in the following scenarios:

  • As a permanent part of your deployment, to monitor the use of applications in your organization.
  • As an evaluation tool to see the capabilities of the Application Control and IPS blades before you decide to purchase them.

The mirror port does not enforce a policy and therefore you can only use it to evaluate the monitoring and detecting capabilities of the blades.

Benefits of a mirror port include:

  • There is no risk to your production environment.
  • It requires minimal set-up configuration.
  • It does not require TAP equipment, which is much more expensive.

 

Instructions for DLP Security Gateway R75.45 on Gaia OS / SecurePlatform OS

Background:

The Check Point R75.45 Data Loss Prevention Hotfix (combined with the Multi-Queue HotFix for R75.45 from sk80940) lets DLP Security Gateway use Mirror Port mode (Monitor mode) on Gaia OS / SecurePlatform OS.

After you install this hotfix, the DLP Security Gateway can run these scans simultaneously: the SMTP scan on Mirror Ports, and the scan of e-mails sent from Outlook clients to the DLP Security Gateway with an Add-In.

Note: You can enable the Anti-Bot, IPS and Application Control Software Blades with the Hotfix, for demonstration purposes only.

 

Procedure:

Note: In a cluster environment, this procedure must be performed on all members of the cluster.

  1. Download the Check Point R75.45 Data Loss Prevention Hotfix to your computer.

  2. Unpack the ZIP file.

  3. Follow the instructions in the CP_R75.45_DataLossPrevention_Hotfix_ReleaseNotes.pdf document to install the hotfix and Outlook Add-On.

  4. On Gaia OS, configure Monitor mode:

    1. Create a Bridge

      Important Note: Configure only one physical slave interface per Bridge (configuring multiple monitored physical slave interfaces in a single Bridge is not supported). If you want to use multiple interfaces for Monitor Mode, then configure a separate Bridge for each interface.

      Note: Refer to R75.40 Gaia Administration Guide - Chapter 5 'Network Management' - Network Interfaces - Bridge Interfaces.

      • Either in Gaia Portal:

        1. Go to 'Network Management' pane - click on 'Network Interfaces'.
        2. Make sure that the relevant physical slave interface is enabled (Link Status is 'Up') and does not have an IP address assigned to it.
        3. Click on 'Add' button - select 'Bridge'.
        4. Set Bridge Group.
        5. Add a single physical slave interface.
        6. Click on 'OK'.


      • Or in Clish:

        HostName> add bridging group GROUP_NUMBER interface NAME_of_PHYSICAL_SLAVE_INTERFACE
        HostName> save config
        
    2. Add each physical slave interface from each configured Bridge to the /etc/monitor_mode file:

      1. Log in to Expert mode.

      2. Create the file (if it does not already exist):

        [Expert@HostName]# touch /etc/monitor_mode

      3. Add the name of each physical slave interface from each configured Bridge on a separate line:

        name_of_physical_slave_interface_1
        name_of_physical_slave_interface_2
        name_of_physical_slave_interface_3
        
      4. Assign the relevant permissions to the /etc/monitor_mode file:

        [Expert@HostName]# chmod 444 /etc/monitor_mode

      5. Write-protect the /etc/monitor_mode file (add the Linux file system 'immutable' attribute):

        [Expert@HostName]# lsattr /etc/monitor_mode
        [Expert@HostName]# chattr +i /etc/monitor_mode
        [Expert@HostName]# lsattr /etc/monitor_mode
        
  5. Install security policy from SmartDashboard.

 

Additional steps for R75.40 Gaia and R75.40 Gaia+:

Enable "hairpinning" to see TCP streams on the Span port.

  • To check the current state of hairpinning for a physical slave interface from a Bridge:

    [Expert@HostName]# cat /sys/class/net/<Name_of_Bridge_Interface>/brif/<Name_of_Physical_Slave_Interface>/hairpin_mode

    • 0 = disabled
    • 1 = enabled


  • To enable hairpinning for a physical slave interface from a Bridge on-the-fly:

    Note: Run this command for each physical slave interface from each configured Bridge.

    [Expert@HostName]# echo 1 > /sys/class/net/<Name_of_Bridge_Interface>/brif/<Name_of_Physical_Slave_Interface>/hairpin_mode

  • To enable hairpinning for a physical slave interface from a Bridge permanently:

    1. Edit the /etc/rc.d/rc.local script in Vi editor:

      [Expert@HostName]# vi /etc/rc.d/rc.local

    2. Add the following line for each physical slave interface from each configured Bridge:

      Note: Add the line before the 'start' case ends, immediately after the line 'touch /var/lock/subsys/local'.

      echo 1 > /sys/class/net/<Name_of_Bridge_Interface>/brif/<Name_of_Physical_Slave_Interface>/hairpin_mode

    3. Save the changes in the file and exit from Vi editor.

    4. Reboot the Security Gateway.
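
An added example, not part of the original Check Point article: a shell function for Expert mode that checks each interface listed in /etc/monitor_mode against the steps above (it is a port of a Bridge, it is the only port of that Bridge, and its hairpin_mode is 1). The function name audit_monitor_mode and its two optional path arguments are assumptions introduced here so that it can also be pointed at a test directory tree.

```shell
#!/bin/sh
# Added example (not Check Point code): audit a Monitor Mode bridge setup.
# Usage: audit_monitor_mode [SYSFS_NET_DIR] [MONITOR_MODE_FILE]
# Returns 0 if every listed interface passes, 1 on any failure,
# 2 if the monitor_mode file cannot be read.
audit_monitor_mode() {
    net_dir=${1:-/sys/class/net}
    mm_file=${2:-/etc/monitor_mode}
    rc=0
    [ -r "$mm_file" ] || { echo "FAIL: cannot read $mm_file"; return 2; }
    while IFS= read -r ifname || [ -n "$ifname" ]; do
        [ -n "$ifname" ] || continue              # skip blank lines
        found=""
        # A bridge port appears as <bridge>/brif/<port> under sysfs.
        for port in "$net_dir"/*/brif/"$ifname"; do
            [ -e "$port" ] || continue            # glob did not match
            brif_dir=${port%/*}
            bridge=${brif_dir%/brif}
            bridge=${bridge##*/}
            found=$bridge
            # Only one physical slave interface is supported per Bridge.
            set -- "$brif_dir"/*
            if [ "$#" -ne 1 ]; then
                echo "FAIL: $bridge has $# ports, expected 1"
                rc=1
            fi
            # hairpin_mode: 0 = disabled, 1 = enabled
            hp=$(cat "$port/hairpin_mode" 2>/dev/null) || hp=""
            if [ "$hp" = "1" ]; then
                echo "OK: $ifname on $bridge has hairpin_mode=1"
            else
                echo "FAIL: $ifname on $bridge hairpin_mode=${hp:-unreadable}"
                rc=1
            fi
        done
        if [ -z "$found" ]; then
            echo "FAIL: $ifname is not a port of any bridge"
            rc=1
        fi
    done < "$mm_file"
    return $rc
}
```

Run it with no arguments on the gateway after the reboot; a non-zero return code means at least one listed interface does not match the procedure.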

 

Instructions for DLP Security Gateway R76 / R77 and above on Gaia OS

  1. Enable Monitor Mode on the relevant interface(s):

    Note: Refer to Gaia Administration Guide (R76, R77) - Chapter 5 'Network Management' - Network Interfaces.

    • Either in Gaia Portal:

      1. Go to 'Network Management' pane - click on 'Network Interfaces'.
      2. Make sure that the relevant physical interface is enabled (Link Status is 'Up') and does not have an IP address assigned to it.
      3. Select the relevant physical interface.
      4. Click on 'Edit' button.
      5. Go to 'Ethernet' tab.
      6. Check the box 'Monitor Mode'.
      7. Click on 'OK'.


    • Or in Clish:

      HostName> set interface NAME_of_PHYSICAL_SLAVE_INTERFACE monitor-mode on
      HostName> save config
      


  2. Enable DLP scanning for Mirror Port Mode:

    Note: Refer to Data Loss Prevention Administration Guide (R76, R77) - Chapter 2 'Installation and Configuration' - Configuring SMTP Mirror Port Mode.

    [Expert@HostName]# dlp_smtp_mirror_port enable
    [Expert@HostName]# dlp_smtp_mirror_port status
    

    Note: Security policy will be re-installed automatically.

 
