Configuring Mirror Mode

Mirror Mode monitors newly connected sessions through Mirroring port and blocks connection by transmitting TCP RST or ICMP Destination Unreachable packet.

Mirror mode requires at least two NICs. One NIC assigns an IP to manage the sensor and the other as an unnumbered NIC for Packet Monitoring.

For more information. See Policy Enforcement Methods

Global Mirror

The Global Mirror sensor monitors all Nodes.

Go to System in the top panel
Go to System > Sensors in the left System Management panel
Select the desired sensor’s IP Address for Mirror
Click Sensor tab
Click the interface desired to use in mirror mode. eth1 There is no IP assigned to this interface
Select Mirror in Sensor Mode
Select Global in Mirror Operating Scope
For Sensor Operating Mode, change to Enforcement
Click Update

Note

If you use Global Mirror only, the agent must be installed on the endpoint because it is not registered as a node.

Local Mirror

You can use it with Host mode sensor to gather more information. Available in the same equipment as Host mode sensor.

Go to System in the top panel
Go to System > Sensors in the left System Management panel
Select the desired sensor’s IP Address for Mirror
Click Sensor tab
Click the interface desired to use in mirror mode. eth1 There is no IP assigned to this interface
Select Mirror in Sensor Mode
Select Local in Mirror Operating Scope
For Sensor Operating Mode, change to Enforcement
Click Update

Note

Local Mirror can additionally use Traffic Monitoring.

Find Traffic Monitoring section
Collection Interval 0 is disable, minimum 10 seconds, maximum 1 day
Time for Average minimum 10 seconds, maximum 1 day, Initial value is 5 minutes
Minimum Update Value KB/s unit, the minimum value to update the traffic information, Initial value is 30 KB/s
Update Fluctuation % unit, the minimum fluctuation percentage rate, Initial value is 30 %
Destination based Status Collection Select On or Off, collect the traffic information based on the destination