https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198663#M37204 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;,</P><P>The "track" option for policy rules are set to "Log".</P><P>I might found out the cause of it.</P><P>The profile "Optimized" is being used. By following the admin guide to set up the gateway in monitor mode, the "Activation Mode" will be needed to change from "Prevent" to "Detect". When changing the default "Optimized" profile, SmartConsole will prompt automatically asking you to create another cloned profile of the default "Optimized" profile since the default profile cannot be modify.</P><P>After modified profile had been cloned out, I did not notice that the "Protection" of the IPS Protection are mostly Inactive. After enabled most of the "Protection" of the IPS Protection of the profile then I am able to see some of IPS logs again.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-11-22 223505.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23373i983BA2E7744D8A90/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-11-22 223505.png" alt="Screenshot 2023-11-22 223505.png" /></span></P><P>&nbsp;</P><P>Appreciate for the help</P><P>Thank you</P> Wed, 22 Nov 2023 14:36:06 GMT BigHec 2023-11-22T14:36:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198609#M37192 <P>Hi All,</P><P>Recently I have setup a gateway as Monitor Mode and to capture all the traffics within the network.</P><P>I have configured the gateway according these guideline:</P><P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/Configuring-Single-Security-Gateway-in-Monitor-Mode.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/Configuring-Single-Security-Gateway-in-Monitor-Mode.htm</A></P><P>The gateway has configured a Monitor port and is connected to a switch port configured as SPAN port to mirror all the traffics.</P><DIV class="">&nbsp;</DIV><P>After monitored for 1 day, we can see the firewall logs are working fine, we able to see all the network traffics.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-11-22 143244.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23356i8FBE093D98289BA7/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-11-22 143244.png" alt="Screenshot 2023-11-22 143244.png" /></span></P><P>&nbsp;</P><P>But when I try to search for logs related to IPS, Anti-Bot and Anti-Virus (Monitor mode so the threat prevention is set as all "Detect")</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1232131132.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23357i2BA972A492A00C82/image-size/large?v=v2&amp;px=999" role="button" title="1232131132.png" alt="1232131132.png" /></span></P><P>Is this a normal behavior? Because this seems like a little less for IPS logs for me. For what i expect is to see more of the threat prevention related logs.</P><P>Is there any settings that I've missed out on the gateway?</P><P>Appreciate for all the help</P><P>&nbsp;</P><P>Thank you</P> Wed, 22 Nov 2023 06:46:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198609#M37192 BigHec 2023-11-22T06:46:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198610#M37193 <P>FYI, this gateway previously has internet access but the internet access had been cut off after that. So now the gateway does has Application, IPS, Anti-Bot and Anti-Virus of previous version and not the latest version.</P><P>&nbsp;</P><P>Blades Enabled:</P><P>Firewall<BR />Application Control<BR />URL Filtering<BR />IPS (Detect Only)<BR />Anti-Bot&nbsp;(Detect Only)<BR />Anti-Virus&nbsp;(Detect Only)</P> Wed, 22 Nov 2023 06:52:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198610#M37193 BigHec 2023-11-22T06:52:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198611#M37194 <P>Starting with the basics what "track" option is set for the policy rules currently, detailed / extended log or other?</P> <P>Click on the arrow in the track cell and select more to see additional options e.g.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Track.png" style="width: 314px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23358iF4E63D49BC82BBF5/image-size/large?v=v2&amp;px=999" role="button" title="Track.png" alt="Track.png" /></span></P> <P>Typically in monitor mode we won't have things like HTTPS inspection which will also limit visibility into traffic.</P> <P>With that said what Threat Prevention Profile is currently used?</P> <P>&nbsp;</P> Wed, 22 Nov 2023 07:01:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198611#M37194 Chris_Atkinson 2023-11-22T07:01:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198663#M37204 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;,</P><P>The "track" option for policy rules are set to "Log".</P><P>I might found out the cause of it.</P><P>The profile "Optimized" is being used. By following the admin guide to set up the gateway in monitor mode, the "Activation Mode" will be needed to change from "Prevent" to "Detect". When changing the default "Optimized" profile, SmartConsole will prompt automatically asking you to create another cloned profile of the default "Optimized" profile since the default profile cannot be modify.</P><P>After modified profile had been cloned out, I did not notice that the "Protection" of the IPS Protection are mostly Inactive. After enabled most of the "Protection" of the IPS Protection of the profile then I am able to see some of IPS logs again.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-11-22 223505.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23373i983BA2E7744D8A90/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-11-22 223505.png" alt="Screenshot 2023-11-22 223505.png" /></span></P><P>&nbsp;</P><P>Appreciate for the help</P><P>Thank you</P> Wed, 22 Nov 2023 14:36:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198663#M37204 BigHec 2023-11-22T14:36:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198674#M37207 <P>Indeed the different IPS profiles have varying activation metrics (confidence/performance etc) for protections which ultimately determines which are inactive etc.</P> <P>If you want to also see AppC / URLF logs you will&nbsp; need to also adjust that 'log' option.</P> Wed, 22 Nov 2023 15:10:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198674#M37207 Chris_Atkinson 2023-11-22T15:10:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198678#M37208 <P>Am I unable to see any logs related to AppC/ URLF if the track option is set to "Log"?</P> Wed, 22 Nov 2023 15:16:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198678#M37208 BigHec 2023-11-22T15:16:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198680#M37209 <P>Please refer: <A href="https://support.checkpoint.com/results/sk/sk120536" target="_blank">https://support.checkpoint.com/results/sk/sk120536</A></P> Wed, 22 Nov 2023 15:20:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198680#M37209 Chris_Atkinson 2023-11-22T15:20:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198772#M37225 <P>Independent of your Threat Prevention configuration, traffic cannot actually be prevented if you’re only receiving the traffic via a span/monitor port.</P> Thu, 23 Nov 2023 14:19:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-setup-as-Monitor-Mode-but-does-not-seems-to-have-much/m-p/198772#M37225 PhoneBoy 2023-11-23T14:19:41Z