topic Re: R1200 Gateway Monitor Interface in Spark Firewall (SMB)

R1200 Gateway Monitor Interface

Patricio_Cachac — Sat, 09 Jun 2018 22:24:06 GMT

Hi all,

I have a R1200 gateway with a interface running in monitor mode with a mirror on a switch pointing to the monitor interfaces. We notice that after we connect the interface to the switch all the tcp session that where already estabilshed dont see in the logs or application categorization, only tcp sessions that the syn-synack and ack was seen in the monitor mode appers in the log/events. Is this behavior normal for a monitor interface.

Thanks

Patricio

Re: R1200 Gateway Monitor Interface

PhoneBoy — Sun, 10 Jun 2018 00:37:50 GMT

By default, connections where the TCP handshake is not observed are considered "out of state" and would be dropped if the gateway were inline.

As such, what you're seeing is expected behavior.

You can disable this "out of state" check a couple of ways:

How to configure the Security Gateway to drop Out of State TCP packets (if managed by SmartCenter)
How to enable/disable Out of State inspection on a Security Gateway without performing a policy installation (should work even if locally managed, but setting does not survive a reboot)

Note this applies for all interfaces (not just mirror port).

Re: R1200 Gateway Monitor Interface

Patricio_Cachac — Sun, 10 Jun 2018 13:01:51 GMT

Hi,

Thanks for the reply. We already have use that option but with no success. The setup that we have is the R1200 with a interface in monitor mode capturing all the traffic from the switch, the traffic is a mix from tcp and udp, for udp we don’t have this issue but for tcp we don’t see any traffic as all the sessions are already stablished and we can not reset then as this is an industrial environment with SCADA traffic.

Thanks for your help,

Patricio

Re: R1200 Gateway Monitor Interface

PhoneBoy — Mon, 11 Jun 2018 01:23:29 GMT

UDP traffic is stateless, so that makes sense.

Are you managing the 1200R locally or using a SmartCenter management?

Re: R1200 Gateway Monitor Interface

Patricio_Cachac — Mon, 11 Jun 2018 05:58:16 GMT

Hi,

We are managing with smart center.

Thanks

Re: R1200 Gateway Monitor Interface

G_W_Albrecht — Tue, 12 Jun 2018 12:31:56 GMT

You did configure it using sk112572 Monitor Mode on SMB appliances running Gaia Embedded OS ?

Re: R1200 Gateway Monitor Interface

Paulo_Rosa — Fri, 13 Jul 2018 23:02:24 GMT

Same problem.

Checkpoint cant decode estabilished sessions working on monitor mode, this is big problem for scada.

On SCADA tcp sessions ,can last open , for months or years , since the RFP don't seems to enforce any timeout, is up to the SCADA vendor to define.

In the end if you put checkpoint in monitor mode and connect to scada network via port mirror .... YOU WILL SEE NOTHING !!!

Re: R1200 Gateway Monitor Interface

PhoneBoy — Mon, 16 Jul 2018 16:13:58 GMT

Application Control can only identify traffic it sees enough traffic on in order to make a determination.

It's quite possible that there is so little traffic being seen that it's unable to say, conclusively, "it's Application X."

Please get packet traces of the relevant traffic and open a TAC case so we can investigate.

Re: R1200 Gateway Monitor Interface

PhoneBoy — Wed, 01 Aug 2018 17:41:39 GMT

Did you by chance try this? How to activate inspection on internal traffic on 600/700/1100/1200R/1400 appliances

Re: R1200 Gateway Monitor Interface

Marco_Vicente1 — Wed, 01 Aug 2018 20:24:37 GMT

Yes, that as been tried.

The point here is that even in monitor mode we need to see the TCP 3 way handshake to detect a session being formed. After this we can see the scada commands inside the TCP session.

However, if the gateway reboots for example, you will loose visibility on the already established sessions.

This will force the costumer to reset the TCP sessions on the scada devices or at least to have someone looking on them, rebooting them, and so on...

In very large environments that is not pratical in the costumer perspective