Hi All,
Recently I have setup a gateway as Monitor Mode and to capture all the traffics within the network.
I have configured the gateway according these guideline:
The gateway has configured a Monitor port and is connected to a switch port configured as SPAN port to mirror all the traffics.
After monitored for 1 day, we can see the firewall logs are working fine, we able to see all the network traffics.
But when I try to search for logs related to IPS, Anti-Bot and Anti-Virus (Monitor mode so the threat prevention is set as all "Detect")
Is this a normal behavior? Because this seems like a little less for IPS logs for me. For what i expect is to see more of the threat prevention related logs.
Is there any settings that I've missed out on the gateway?
Appreciate for all the help
Thank you
Starting with the basics what "track" option is set for the policy rules currently, detailed / extended log or other?
Click on the arrow in the track cell and select more to see additional options e.g.
Typically in monitor mode we won't have things like HTTPS inspection which will also limit visibility into traffic.
With that said what Threat Prevention Profile is currently used?
Hi @Chris_Atkinson ,
The "track" option for policy rules are set to "Log".
I might found out the cause of it.
The profile "Optimized" is being used. By following the admin guide to set up the gateway in monitor mode, the "Activation Mode" will be needed to change from "Prevent" to "Detect". When changing the default "Optimized" profile, SmartConsole will prompt automatically asking you to create another cloned profile of the default "Optimized" profile since the default profile cannot be modify.
After modified profile had been cloned out, I did not notice that the "Protection" of the IPS Protection are mostly Inactive. After enabled most of the "Protection" of the IPS Protection of the profile then I am able to see some of IPS logs again.
Appreciate for the help
Thank you
| User | Count |
|---|---|
| 17 | |
| 9 | |
| 8 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Thu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live BeLux: How to stay compliant with NIS-2 and DORA with Compliance Management SolutionThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Vienna - Identity Awareness Best Practices and Harmony Sase UpdatesTue 08 Oct 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (APAC)Tue 08 Oct 2024 @ 10:00 AM (CEST)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (EMEA)Tue 08 Oct 2024 @ 11:00 AM (EDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (Americas)Thu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live BeLux: How to stay compliant with NIS-2 and DORA with Compliance Management SolutionTue 08 Oct 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (APAC)Tue 08 Oct 2024 @ 10:00 AM (CEST)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (EMEA)Tue 08 Oct 2024 @ 11:00 AM (EDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (Americas)Wed 09 Oct 2024 @ 05:00 PM (CEST)
TechTalk: The New Quantum DDoS Protector Integration with PlayBlocksThu 10 Oct 2024 @ 10:00 AM (CEST)
Beyond Endpoint: The future of Security with EPP, EDR & XDR - EMEAThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Vienna - Identity Awareness Best Practices and Harmony Sase Updates
