Basic Checkpoint Firewall Configurations

Posted on 2010-09-17
Last Modified: 2013-11-16
I have to certify new Check Point boxes being installed.  I am more used to the Cisco / Juniper configurations.  I am using DISA as my baseline.  We have SPLAT (SecurePlatform) and then the firewalls themselves.  I have the SPLAT configurations (which look reasonable from a DISA standpoint), but I do not have the firewall configurations.  All I have are the firewall rules from Check Point.  For the configuration, I want to know (for example) the following:

1. Are DOS rules configured?
2. Is the firewall patched to the latest stable OS?
3. Does it have AAA installed?
4. Does SSH have incomplete connections shutting down after 15 minutes?
4. SNMP settings.
5. The accounts on the firewalls themselves.
6. When logging into the firewall, can alerts be set up?

etc.  All thoughts and opinions are appreciated.  I don't fully understand the Check Point architecture.

Question by: awakenings

Accepted Solution

by: deimark earned 500 total points
ID: 33701741
Answers below:

1. Are DOS rules configured?

Depends which version you are using for which methodology is used.

R65 has SmartDefense (licensed) which can be used to protect the firewall from most DOS attacks.  It's not the best, which is why CP went for a proper IPS solution in R70 with full network exceptions etc.

Either should do the basics, with more features available in R70.  Both are licensable and use subscriptions to download signatures and updates etc.


2. Is the firewall patched to the latest stable OS?

Probably not.

The latest releases of CP are R71, R70.30 and R65 HFA 70.

You can get this from running "fw ver" on the CLI.

If you have valid support, you should have access to the upgrade software.  Note, if you are upgrading from R65 to R7x, you WILL need to regenerate your licenses BEFORE doing the upgrade, as the old licenses are not compatible with the new software blade architecture.


3. Does it have AAA installed?

Can you elaborate?  Do you mean can it do local auth?  Then yes, but it does not have full AAA features on its own.  It can be pointed at LDAP and RADIUS etc. if required.

4. Does SSH have incomplete connections shutting down after 15 minutes.

Not sure what you mean here, can you elaborate?

4. SNMP settings.

It has two components of SNMP, namely CP-based SNMP using the CP MIB (for services etc.) and also standard device-level SNMP.  It can be enabled through cpconfig on the CLI.

5. The accounts on the firewalls themselves.

Each SPLAT installation is built with a single account, admin.  This account has access to the expert mode (similar to Linux root).  If you don't have this password, then there are KB articles for recovering it.

6. When logging into the firewall, can alerts be set up?

Yes

Author Comment by: awakenings
ID: 33701880
These are good answers!  In regards to #6, can you provide more information about how alerts can be set up for the FW administrator?

#4 is for embryonic connections... For example, if one makes the connection, but doesn't do anything with the connection (for example, log on).

Assisted Solution

by: deimark earned 500 total points
ID: 33702503
What version of Check Point do you have installed and I will dig out the admin guide that shows this (plus lots more)

As for 4, are you looking to apply this for ssh connections "to" the firewall or "through" the firewall?

AFAIK, half-open connections (of all protocols) are dealt with within SmartDefense and IPS as well, with the normal session timeout table coming into effect.

Author Comment by: awakenings
ID: 33702652
deimark,

R71

SSH to the firewall, not through.

SmartDefense...  That is a good compensating control.

Assisted Solution

by: deimark earned 500 total points
ID: 33702740
I have attached the security management doc for R71.

As you have R71, SmartDefense is not available, but you do have the IPS blade that you can use, which in my opinion is much better for the levels of control you have as well as features.

If you have a valid support contract, then you can also register with the CP site and download the myriad of docs that are available for R71.  CP are one of the few vendors that do seem to provide very useful and accurate docs, so I would recommend them to anyone.

HTH
CP-R71-SecurityManagement-AdminG.pdf

Author Comment by: awakenings
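The version, SSH timeout and local-account questions above ("fw ver", embryonic SSH sessions to the firewall, the accounts on the box) are all answerable from the SPLAT expert shell. The helpers below are an added example, not code from the thread or from Check Point: they parse captured `fw ver` output and read the stock OpenSSH and passwd files, so the same functions can be run on the box or exercised offline on the constructed samples included here. Assumptions: SPLAT's RHEL base keeps sshd's configuration at /etc/ssh/sshd_config and local accounts in /etc/passwd, the `fw ver` banner carries the release token (R71, R70.30, ...), and the 900-second threshold is the 15 minutes asked about in the question.

```shell
# Added example (not from the thread): evidence helpers for an R71 SPLAT
# certification pass, run from expert mode. Paths and the banner format are
# assumptions stated in the lead-in.

# Release in use. Reads `fw ver` output on stdin and prints the release
# token only. On the box:   fw ver | fw_release
fw_release() {
    sed -n 's/.*\(R[0-9][0-9]\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p' | head -n 1
}

# "Embryonic" SSH sessions *to* the firewall: OpenSSH tears down a connection
# that has not finished authenticating within LoginGraceTime (default 120 s;
# sshd honours the first occurrence of a keyword, comments are ignored).
# Prints the effective value in seconds and succeeds when it is <= $2
# (default 900 s).
ssh_login_grace() {
    cfg=${1:-/etc/ssh/sshd_config}
    max=${2:-900}
    v=$(awk 'tolower($1)=="logingracetime" {print $2; exit}' "$cfg")
    v=${v:-120}
    case "$v" in          # OpenSSH accepts s/m/h suffixes
        *s) v=${v%s} ;;
        *m) v=$(( ${v%m} * 60 )) ;;
        *h) v=$(( ${v%h} * 3600 )) ;;
    esac
    echo "$v"
    [ "$v" -le "$max" ]
}

# Idle half of the same question: an authenticated but silent session lives
# ClientAliveInterval * ClientAliveCountMax seconds (defaults 0 and 3; 0
# means sshd never probes, so idle sessions are never dropped by sshd).
ssh_idle_limit() {
    cfg=${1:-/etc/ssh/sshd_config}
    i=$(awk 'tolower($1)=="clientaliveinterval" {print $2; exit}' "$cfg")
    c=$(awk 'tolower($1)=="clientalivecountmax" {print $2; exit}' "$cfg")
    echo $(( ${i:-0} * ${c:-3} ))
}

# Accounts that can actually log in (have a real shell). A stock SPLAT build
# should show only root and admin (admin's shell is cpshell; expert mode is
# effectively root), so anything else is a finding to explain.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1}' \
        "${1:-/etc/passwd}"
}

# Constructed sample sshd_config (not captured from a real box) so the
# helpers can be tried without a firewall; prints the temp file's path.
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# sshd_config (constructed sample)
Protocol 2
#LoginGraceTime 2m
LoginGraceTime 20m
ClientAliveInterval 300
ClientAliveCountMax 2
PermitRootLogin no
EOF
    echo "$f"
}

# On the box, from expert mode:   splat_audit
splat_audit() {
    echo "release:        $(fw ver 2>/dev/null | fw_release)"
    if g=$(ssh_login_grace); then
        echo "LoginGraceTime: ${g}s (within 900s)"
    else
        echo "LoginGraceTime: ${g}s (exceeds 900s)"
    fi
    echo "SSH idle limit: $(ssh_idle_limit)s"
    echo "login accounts: $(login_accounts | tr '\n' ' ')"
}
```

The sample config above is deliberately out of policy (LoginGraceTime 20m) so the check fails visibly; on a real box the interesting output is any account beyond root and admin, and an idle limit of 0, which means sshd alone never terminates an abandoned but authenticated session.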
ID: 33716370
Sorry...  Things came up and I forgot to award points!