This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
maxtaan
Contributor
‎2025-02-26 03:36 AM

SPAN or Mirror Port in Maestro

Hello Mates!!

Is configuring a SPAN/Mirror port from the MHO or within a Maestro setup possible? If so, could you provide the relevant configuration steps and any official documentation or SecureKnowledge (SK) articles?

Looking forward to your expert guidance.

Thanks in advance.

0 Kudos
5 Replies
AkosBakos
Mentor Mentor
Mentor
‎2025-02-26 03:52 AM

Hi @maxtaan 

Here is the common guide of monitor port. https://support.checkpoint.com/results/sk/sk101670

To configure Monitor Mode on a 40000 / 60000 Scalable Platform or Maestro that runs an R80SP.20 or higher release, refer to the corresponding R80SP.X Scalable Platforms Administration Guide, or Maestro Next Generation Security Gateway R80.20SP Guide - Chapter 'Deploying a Security Group in Monitor Mode'.

I hope it make sense.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-02-26 04:00 AM

To clarify do you want the system to originate or receive the mirrored traffic?

Would this not be possible from the adjacent network elements?

CCSM R77/R80/ELITE
0 Kudos
maxtaan
Contributor
‎2025-02-26 09:27 PM
In response to Chris_Atkinson

Hello @Chris_Atkinson 

It may be possible from the adjacent network elements, but I want to send mirror traffic to QRADAR. There are different switches between the MZ and DMZ firewalls, but the MHO is the same. If we do it from switch some additional ports will be needed from both switches. That's why I want to do port mirroring from MHO. How can I achieve it? If yes, how? Please suggest.

Thanks

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-02-26 09:39 PM
In response to maxtaan

Would suggest consulting with your local SE regarding the suitability of Mirror and Decrypt

CCSM R77/R80/ELITE
0 Kudos
delToro1
Contributor
‎2025-02-27 06:08 AM

Hello, in one customer I have this configuration. They have to fordward all the traffic to a specific server in L2. I use one UPLINK port, create one new layer in the top of the policy only for mirror purposes. Using rules, you can decide which traffic send to monitor port, you can check that on the picture.

This is the documentation:

Gateway configuration:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

SmartConsole configuration: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

 

mirror.png

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events
    li.common.scroll-to.top