Basic Checkpoint Firewall Configurations

Posted on 2010-09-17
Last Modified: 2013-11-16
I have to certify new Check Point boxes being installed.  I am more used to the Cisco / Juniper configurations.  I am using DISA as my baseline.  We have SPLAT (Secure Platform) and then the firewalls themselves.  I have the SPLAT configurations (which look reasonable from a DISA standpoint), but I do not have the firewall configurations.  All I have are the firewall rules from Check Point.  For the configuration, I want to know (for example) the following:

1. Are DOS rules configured?
2. Is the firewall patched to the latest stable OS?
3. Does it have AAA installed?
4. Does SSH have incomplete connections shutting down after 15 minutes?
4. SNMP settings.
5. The accounts on the firewalls themselves.
6. When logging into the firewall, can alerts be set up?

etc.  All thoughts and opinions are appreciated.  I don't fully understand the Checkpoint architecture.
Question by:awakenings

Accepted Solution by deimark (earned 2000 total points), ID: 33701741
Answers below:

1. Are DOS rules configured?

Depends on which version you are using, as that determines which methodology is used.

R65 has SmartDefense (licensed), which can be used to protect the firewall from most DOS attacks.  It's not the best, which is why CP went for a proper IPS solution in R70 with full network exceptions etc.

Either should do the basics, with more features available in R70.  Both are licensable and use subscriptions to download signatures and updates etc.


2. Is the firewall patched to the latest stable OS?

Probably not.

The latest releases of CP are R71, R70.30 and R65 HFA 70.

You can get this from running "fw ver" on the CLI.

If you have valid support, you should have access to the upgrade software.  Note: if you are upgrading from R65 to R7x, you WILL need to regenerate your licenses BEFORE doing the upgrade, as the old licenses are not compatible with the new software blade architecture.


3. Does it have AAA installed?

Can you elaborate?  Do you mean can it do local auth?  Then yes, but it does not have full AAA features on its own.  It can be pointed at LDAP and RADIUS etc. if required.

4. Does SSH have incomplete connections shutting down after 15 minutes.

Not sure what you mean here, can you elaborate?

4. SNMP settings.

It has 2 components of SNMP, namely CP-based SNMP using the CP MIB (for services etc.) and also standard device-level SNMP.  Both can be enabled through cpconfig on the CLI.

5. The accounts on the firewalls themselves.

Each SPLAT installation is built with a single account, admin.  This account has access to expert mode (similar to Linux root).  If you don't have this password, then there are KB articles for recovering it.

6. When logging into the firewall, can alerts be set up?

Yes
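An added example, not from the thread or from Check Point, of how a certifier could script offline checks for two of the items above: parsing "fw ver" output against the releases the answer lists, and the 15-minute bound on unauthenticated SSH sessions to the firewall. It assumes SPLAT's SSH daemon is OpenSSH, where LoginGraceTime caps how long an unauthenticated connection may stay open; the "fw ver" line and the sshd_config fragment are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Offline checks for item 2 ("fw ver")
# and item 4 (half-open SSH sessions to the firewall) of the accepted answer.
# Assumption: SPLAT runs OpenSSH, so LoginGraceTime (seconds, or Nm/Ns)
# bounds how long an unauthenticated SSH connection may stay open.

# Constructed sample in the shape "fw ver" prints.
SAMPLE_FW_VER='This is Check Point VPN-1(TM) & FireWall-1(R) R71 - Build 059'
# Constructed sshd_config fragment; the commented line must be ignored.
SAMPLE_SSHD_CONFIG='Protocol 2
#LoginGraceTime 2m
LoginGraceTime 900
PermitRootLogin no'

# Extract the release token (e.g. "R71" or "R70.30") from "fw ver" output.
fw_release() {
    printf '%s\n' "$1" |
        sed -n 's/.*[^A-Za-z0-9]\(R[0-9][0-9]\(\.[0-9]*\)\{0,1\}\).*/\1/p'
}

# 0 when the release is one the answer lists as current (R71, R70.30, R65 HFA 70).
fw_is_current() {
    case "$(fw_release "$1")" in
        R71|R70.30) return 0 ;;
        R65) printf '%s\n' "$1" | grep -q 'HFA 70' ;;
        *) return 1 ;;
    esac
}

# Effective LoginGraceTime in seconds from sshd_config text
# (last uncommented directive wins; OpenSSH default is 120).
ssh_login_grace_seconds() {
    val=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*LoginGraceTime' |
          tail -n 1 | awk '{print $2}')
    [ -z "$val" ] && val=120
    case "$val" in
        *m) val=$(( ${val%m} * 60 )) ;;
        *s) val=${val%s} ;;
    esac
    echo "$val"
}

# 0 when unauthenticated SSH sessions are dropped within the 15 minutes asked about.
ssh_grace_within_15min() {
    [ "$(ssh_login_grace_seconds "$1")" -le 900 ]
}
```

On a real box the same functions would be fed `fw ver` output and the contents of `/etc/ssh/sshd_config` instead of the constructed samples.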

Author Comment by awakenings, ID: 33701880
These are good answers!  In regard to #6, can you provide more information about how alerts can be set up for the FW administrator?

#4 is for embryonic connections... For example, if one makes the connection but doesn't do anything with it (for example, log on).
Assisted Solution by deimark (earned 2000 total points), ID: 33702503
What version of Check Point do you have installed?  I will dig out the admin guide that shows this (plus lots more).

As for 4, are you looking to apply this for ssh connections "to" the firewall or "through" the firewall?

AFAIK, half-open connections (of all protocols) are dealt with within SmartDefense/IPS, as well as by the normal session timeout table coming into effect.
Author Comment by awakenings, ID: 33702652
deimark,

    R71

    SSH to the firewall, not through.

    Smart defense...  That is a good compensating control.
Assisted Solution by deimark (earned 2000 total points), ID: 33702740
I have attached the security management doc for R71.

As you have R71, SmartDefense is not available, but you do have the IPS blade that you can use, which in my opinion is much better for the levels of control you have as well as the features.

If you have a valid support contract, then you can also register with the CP site and download the myriad of docs that are available for R71.  CP are one of the few vendors that do seem to provide very useful and accurate docs, so I would recommend them to anyone.

HTH
CP-R71-SecurityManagement-AdminG.pdf
Author Comment by awakenings, ID: 33716370
Sorry...  Things came up and I forgot to award points!