Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.107

Mirror Mode

Update time: 2026-02-05

Mirror mode requires no change to the user's network environment, so the device can provide protection without the risk of interrupting the user's network. The device is connected to the mirror port of the switch, or to a hub, and traffic from external users accessing the server must pass through that switch or hub. When setting the mirror port, mirror both the upstream and downstream data so that the server can be protected.

Deployment Case of Mirror Mode

A user's network topology is shown below. The Athena NGFW device is deployed in the mirror mode with the LAN connected to a layer 3 switch. The user's network segment is 192.168.3.0/24, and the server network segment is 192.168.2.0/24. The customer wants Athena NGFW to perform intrusion prevention and Web app protection on the server to prevent the leakage of sensitive data.

Step 1. Log in to the device through the default IP address of the management interface (ETH0). The default IP address of the management interface is 10.251.251.251/24. You need to configure an IP address in the same network segment on the computer and log in to the device via https://10.251.251.251.

Step 2. On the System > General Settings > Network page, check the Send a TCP reset message in mirror mode to deny a request checkbox. The device then sends TCP reset messages through the management interface to enforce control in mirror mode.

Step 3. Configure a management interface. In a mirror mode deployment, the device blocks connections through the management interface.

On the Network > Interfaces > Physical Interfaces page, select eth0 as the management interface. Do not modify the default IP address of eth0 (10.251.251.251/24). Instead, add an IP address in the same network segment as the LAN switch as the management IP address. See the figure below:

Step 4. Configure the mirror interface. On the Network > Interfaces > Physical Interfaces page, select eth1 as the mirror interface. Click eth1, then select Mirror for Type and the custom LAN as Zone, check the Enable option for Traffic Statistics, and select the custom server network segment in Network Objects, as shown below.

Step 5. Configure a route. A default route to 0.0.0.0/0.0.0.0 pointing to the LAN switch (192.168.1.1) is required. Go to Network > Routes > Static Routes and click Add to add a static route, with Dst IP/Netmask set to 0.0.0.0/0 and Next-Hop IP set to 192.168.1.1. See the figure below.

Step 6. Configure protection rules. The following uses a service protection policy as an example of setting a policy in mirror mode. On the Policies > Network Security > Policies page, click Add > Policy for Server Scenario to add a new service protection policy.

In mirror mode, select the object to be protected in the zones under both Source and Destination. Under Destination, select the server segment to be covered in Network Object, as shown below.

Step 7. After completing the basic configuration, connect the device to the network: connect the eth1 interface to the mirror interface of the layer 3 switch, and the eth0 interface to an interface within VLAN1 of the layer 3 LAN switch.

Mirror deployment supports only these functions: APT (Botnet), PVS (real-time vulnerability analysis), WAF (Web app protection), vulnerability attack protection, DLP (data leakage prevention), and website tamper-proofing (client protection). When blocking is unnecessary, do not check the Send a TCP reset message in mirror mode to deny a request option.
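
As an added example (not part of the Athena NGFW documentation or product), the following Python code checks the requirement that the mirror port carry both upstream and downstream data, using the server segment 192.168.2.0/24 from the deployment case. It assumes TCP 4-tuples have been exported from a capture taken on the mirror link; the function names and sample packets are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SERVER_NET = ipaddress.ip_network("192.168.2.0/24")  # server segment from the deployment case

def mirror_coverage(packets, server_net=SERVER_NET):
    """Classify each client<->server conversation by the directions seen on the mirror link.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port) for TCP packets
    captured on the link feeding the mirror interface (eth1 in the deployment case).
    """
    seen = defaultdict(set)  # (client endpoint, server endpoint) -> {"up", "down"}
    for src_ip, sport, dst_ip, dport in packets:
        src_is_server = ipaddress.ip_address(src_ip) in server_net
        dst_is_server = ipaddress.ip_address(dst_ip) in server_net
        if src_is_server == dst_is_server:
            continue  # unrelated or intra-segment traffic, not client<->server
        if dst_is_server:  # upstream: request toward the server
            seen[((src_ip, sport), (dst_ip, dport))].add("up")
        else:              # downstream: response from the server
            seen[((dst_ip, dport), (src_ip, sport))].add("down")
    report = {"both": [], "up_only": [], "down_only": []}
    for conv, dirs in sorted(seen.items()):
        key = "both" if len(dirs) == 2 else ("up_only" if "up" in dirs else "down_only")
        report[key].append(conv)
    return report

def mirror_is_bidirectional(report):
    """True only if traffic was observed and no conversation is one-sided."""
    return bool(report["both"]) and not report["up_only"] and not report["down_only"]

# Constructed sample (not a real capture): switch mirrors only traffic toward the server.
INGRESS_ONLY = [
    ("192.168.3.10", 51000, "192.168.2.20", 443),
    ("192.168.3.11", 51001, "192.168.2.20", 443),
    ("192.168.3.10", 51000, "192.168.3.1", 53),  # ignored: no server involved
]
# Constructed sample: the same flows with the server responses mirrored as well.
BOTH_DIRECTIONS = INGRESS_ONLY + [
    ("192.168.2.20", 443, "192.168.3.10", 51000),
    ("192.168.2.20", 443, "192.168.3.11", 51001),
]

if __name__ == "__main__":
    for name, sample in (("ingress-only", INGRESS_ONLY), ("both", BOTH_DIRECTIONS)):
        r = mirror_coverage(sample)
        status = "ok" if mirror_is_bidirectional(r) else "INCOMPLETE MIRROR"
        print(name, {k: len(v) for k, v in r.items()}, status)
```

Any conversation reported under up_only or down_only indicates that the switch mirror session is capturing a single direction and should be corrected before relying on the protection policy.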