Tuesday, April 10, 2012

Configuring span port with R75.x, how to

If you would like to demonstrate Check Point products to your customers or to make some trials in the production environment without risking of breaking something, it might be handy to use a span port.

This post is not about how to make a span port on your network switch, it is about proper configuration of your Check Point box.

To simplify things, let's assume you are running a standalone installation (quite useful for new product trials). You have to have two physical network interfaces: one for management and GUI connections, the other one to connect to a mirror port.

When installing the box, you need to assign an IP address to MGMT interface. Leave the second NIC unnumbered.

Once you have installed Check Point products on the box, you have to configure the second NIC to be ready for span port connectivity. To do that, go to sysconfig / network configurations / configure connection and choose "Define as connected to a mirror port".

This setting will create a new bridge interface with your second NIC in it.

In case you are running GAIA EA (as I am doing as we speak), sysconfig there is disabled. You have to go to GAIA WebUI. Enable the second NIC there and create a new bridge manually, then add NIC to it.

This is all for OS related configuration, the rest is in the SmartDashboard GUI.

When defining topology of your FW, set up MGMT interface as external, but disable anti-spoofing. The second unnumbered interface should have "undefined" topology.

Install policy, enable features you want to test. Now you are good to go.

Just one more tip. If you want good visibility on your internal network security situation, define span port for internal, not external interface of your actual production FW.

14 comments:

  1. Just to mention that there are hotfixes that make possible logging AppControl and DLP events.

    ReplyDelete
  2. I am not sure what you mean. I am running Application Control and DLP logs jsut fine on my customer mirror kit. You still have to change default protection settings from "internal networks" to "all" for AC and also configure internal networks for DLP.

    Do I miss something?

    ReplyDelete
  3. From my experience with R75.20, I have to install
    * mirror port fix for Linux/SPLAT (sk65390)
    * R75.20 DLP Hotfix

    May be these hotfixes are integrated in later versions,
    but if some one want to use 3D security report tool on dedicated machine with mirror port - R75.20 is only supported version by now.

    ReplyDelete
  4. OK, now i got it. Considering there is a VMware kit for 3D report, I had no need to install these hotfixes.

    Also, bpth AC and DLP seem to work fine on R75.40 EA, but I will keep an eye on them both, just in case.

    Please notice this post is not about 3D report, you may need span port for all kind of other reasons.

    ReplyDelete
  5. for me it's not work correctly .. i see trafic in the "firewall" and "IPS" in the tracker, but there is nothing in "application control"... i check that interface with mirror is selected as internal, i try 75.40 gaia, 75.45 splat today i will try 75.40 splat ... check that in rules app contr is only one any-any-allow ..

    ReplyDelete
  6. Do you have any AC policy on the box? Can you get AC updates? AC requires internet access from the FW to get app DB. also, mirrored port should not have any topology, it should be undefined.

    ReplyDelete
  7. I have only one FW policy, any-any-accept-log, one AC policy any-any-any recognized-allow-extended log;
    interface with mirror port is "network type" - internal, topology - undefined and IP 0.0.0.0
    db of AC is up to date

    i try to install patch from sk65390, but i have newer version of fw1 than in patch.

    the most difficult thin for me is that, why in firewall and IPS i see traffic from mirror port, but in AC there is nothing ...

    ReplyDelete
  8. check if AC gets access to the web. That might be the reason.

    ReplyDelete
  9. finally everything works ok on release 75.40 splat, the same configutarion on 75.40 gaia and 75.45 splat doesn't work...

    ReplyDelete
  10. Its not working.. I am able to see the traffic in firewall but no traffic in IPS and others blades..I am running Checkpoint UTM box with splat R76

    ReplyDelete
    Replies
    1. If you can see FW traffic, it is working. Check your IPS policy, check you can access Internet from your GW to get updates.

      Delete
    2. But when i filter with IPS in tracker it shows nothing (every packet shows green accepted only). we have enabled recommended protection & inspect all interfaces in IPS..as told by u when choosing "undifned" topology for mirror port we are not able push policy so have mentioned that one leads to internal network. thanks for quick reply

      Delete
    3. Check that IPS is set for all networks, not only internals. You FW can see traffic, that means IPS policy is ot set for proper analysis.

      Delete
  11. This comment has been removed by the author.

    ReplyDelete