How to configure Monitor Mode on DLP Security Gateway running Gaia OS
Mirror Port Mode (Monitor Mode) allows a Check Point Security Gateway to listen to traffic from a Mirror Port or SPAN Port on a switch - refer to sk101670 - Monitor Mode on Gaia OS and SecurePlatform OS.
A Mirror Port on a Check Point Security Gateway is usually configured to monitor and analyze network traffic without affecting the production environment. The mirror port receives a duplicate of the network traffic, and the gateway records the observed activity in logs.
You can use mirror ports in the following scenarios:
- As a permanent part of your deployment, to monitor the use of applications in your organization.
- As an evaluation tool to see the capabilities of the Application Control and IPS blades before you decide to purchase them.
The mirror port does not enforce a policy, so you can only use it to evaluate the monitoring and detection capabilities of the blades.
Benefits of a mirror port include:
- There is no risk to your production environment.
- It requires minimal set-up configuration.
- It does not require TAP equipment, which is much more expensive.
Important: For R77.10 and higher, Mirror Port Mode scanning is enabled by default when one of the interfaces is configured as monitor mode or tap. For R77 and below, you must manually enable Mirror Port Mode.
Instructions for DLP Security Gateway R76 / R77.x / R80.x on Gaia OS
Enable Monitor Mode on the relevant interface(s):
Note: Refer to Gaia Administration Guide (R76, R77, R80.10) - Chapter 5 'Network Management' - Network Interfaces.
Enable DLP scanning for Mirror Port Mode:
Note: Refer to Data Loss Prevention Administration Guide (R76, R77, R80.10) - Chapter 2 'Installation and Configuration' - Configuring SMTP Mirror Port Mode.
[Expert@HostName]# dlp_smtp_mirror_port enable
[Expert@HostName]# dlp_smtp_mirror_port status
Note: Security policy will be re-installed automatically.
Instructions for DLP Security Gateway R75.45 on Gaia OS / SecurePlatform OS
The Check Point R75.45 Data Loss Prevention Hotfix (combined with the Multi-Queue HotFix for R75.45 from sk80940) lets DLP Security Gateway use Mirror Port mode (Monitor mode) on Gaia OS / SecurePlatform OS.
After you install this hotfix, the DLP Security Gateway can run both scans simultaneously: the SMTP scan on Mirror Ports, and the scan of e-mails sent from Outlook clients to the DLP Security Gateway through an Add-In.
Note: You can enable the Anti-Bot, IPS and Application Control Software Blades with the Hotfix, for demonstration purposes only.
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
- Download the Check Point R75.45 Data Loss Prevention Hotfix to your computer.
- Unpack the ZIP file.
- Follow the instructions in the CP_R75.45_DataLossPrevention_Hotfix_ReleaseNotes.pdf document to install the hotfix and Outlook Add-On.
On Gaia OS, configure Monitor mode:
Create a Bridge
Important Note: Configure only one physical slave interface per Bridge (configuring multiple monitored physical slave interfaces in a single Bridge is not supported). To use multiple interfaces for Monitor Mode, configure a separate Bridge for each interface.
Note: Refer to R75.40 Gaia Administration Guide - Chapter 5 'Network Management' - Network Interfaces - Bridge Interfaces.
Add each physical slave interface from each configured Bridge to the /etc/monitor_mode file:
- Log in to Expert mode.
- Create the /etc/monitor_mode file (if it does not already exist):
[Expert@HostName]# touch /etc/monitor_mode
- Add the name of each physical slave interface from each configured Bridge to the file, one interface name per line.
- Assign the relevant permissions to the /etc/monitor_mode file:
[Expert@HostName]# chmod 444 /etc/monitor_mode
- Protect the /etc/monitor_mode file against modification (add the Linux file system 'immutable' attribute with chattr +i), and compare the attributes before and after:
[Expert@HostName]# lsattr /etc/monitor_mode
[Expert@HostName]# chattr +i /etc/monitor_mode
[Expert@HostName]# lsattr /etc/monitor_mode
- Install security policy from SmartDashboard.
Additional steps for R75.40 Gaia and R75.40 Gaia+:
Enable "hairpinning" to see TCP streams on the SPAN port.
To check the current state of hairpinning for a physical slave interface from a Bridge:
[Expert@HostName]# cat /sys/class/net/<Name_of_Bridge_Interface>/brif/<Name_of_Physical_Slave_Interface>/hairpin_mode
To enable hairpinning for a physical slave interface from a Bridge on-the-fly:
Note: Run this command for each physical slave interface from each configured Bridge.
[Expert@HostName]# echo 1 > /sys/class/net/<Name_of_Bridge_Interface>/brif/<Name_of_Physical_Slave_Interface>/hairpin_mode
To enable hairpinning for a physical slave interface from a Bridge permanently:
Edit the /etc/rc.d/rc.local script in the Vi editor:
[Expert@HostName]# vi /etc/rc.d/rc.local
Add the following line for each physical slave interface from each configured Bridge:
Note: Add the line before the 'start' case ends, immediately after the line '
echo 1 > /sys/class/net/<Name_of_Bridge_Interface>/brif/<Name_of_Physical_Slave_Interface>/hairpin_mode
- Save the changes to the file and exit the Vi editor.
- Reboot the Security Gateway.
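The following audit script is an added example and is not part of the Check Point article. It checks a Bridge against the two requirements above (one physical slave interface per Bridge listed in /etc/monitor_mode, and hairpin_mode set to 1 for that slave); the sysfs root and the monitor_mode file path are parameters, and the tree it builds with make_demo_tree is constructed for a stand-alone run, not taken from a real gateway.

```bash
# Added example, not part of the Check Point article: audit a bridge against the
# Monitor Mode steps above. The sysfs root and monitor_mode path are parameters
# so the checks can be rehearsed on a constructed tree; on a gateway they would
# be /sys/class/net and /etc/monitor_mode.

# List the physical slave interfaces of a bridge, one per line (empty if none).
bridge_slaves() {  # $1 = sysfs root, $2 = bridge name
    ls "$1/$2/brif" 2>/dev/null || :
}

# Return 0 only if the bridge follows the article: exactly one physical slave,
# that slave listed in the monitor_mode file, and hairpin_mode set to 1.
audit_bridge() {  # $1 = sysfs root, $2 = monitor_mode file, $3 = bridge name
    local root=$1 mon=$2 br=$3 slaves n slave hp rc=0
    slaves=$(bridge_slaves "$root" "$br")
    n=$(printf '%s\n' "$slaves" | grep -c . || :)
    if [ "$n" -ne 1 ]; then
        echo "$br: expected exactly 1 physical slave interface, found $n" >&2
        return 1
    fi
    slave=$slaves
    if ! grep -qx "$slave" "$mon" 2>/dev/null; then
        echo "$br: slave $slave is not listed in $mon" >&2
        rc=1
    fi
    hp=$(cat "$root/$br/brif/$slave/hairpin_mode" 2>/dev/null || :)
    if [ "$hp" != "1" ]; then
        echo "$br: hairpin_mode for $slave is '${hp:-unreadable}', expected 1" >&2
        rc=1
    fi
    return $rc
}

# Constructed sysfs tree and monitor_mode file for a stand-alone run (no real
# gateway needed): br0 is correct, br1 lacks hairpinning, br2 has two slaves.
make_demo_tree() {  # $1 = directory to populate
    mkdir -p "$1/br0/brif/eth1" "$1/br1/brif/eth2" "$1/br2/brif/eth3" "$1/br2/brif/eth4"
    echo 1 > "$1/br0/brif/eth1/hairpin_mode"
    echo 0 > "$1/br1/brif/eth2/hairpin_mode"
    echo 1 > "$1/br2/brif/eth3/hairpin_mode"; echo 1 > "$1/br2/brif/eth4/hairpin_mode"
    printf 'eth1\neth2\n' > "$1/monitor_mode"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
for br in br0 br1 br2; do
    if audit_bridge "$demo" "$demo/monitor_mode" "$br"; then echo "$br: OK"; fi
done
rm -rf "$demo"
```

On a gateway, call audit_bridge /sys/class/net /etc/monitor_mode <Name_of_Bridge_Interface> for each configured Bridge; a non-zero exit prints which of the two requirements is not met.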