Basic Checkpoint Firewall Configurations

I have to certify new Check Point boxes being installed.  I am more used to the Cisco / Juniper configurations.  I am using DISA as my baseline.  We have SPLAT (SecurePlatform) and then the firewalls themselves.  I have the SPLAT configurations (which look reasonable from a DISA standpoint), but I do not have the firewall configurations.  All I have are the firewall rules from Check Point.  For the configuration, I want to know (for example) the following:

1. Are DOS rules configured?
2. Is the firewall patched to the latest stable OS?
3. Does it have AAA installed?
4. Does SSH have incomplete connections shutting down after 15 minutes?
4. SNMP settings.
5. The accounts on the firewalls themselves.
6. When logging into the firewall, can alerts be set up?

etc.  All thoughts and opinions are appreciated.  I don't fully understand the Check Point architecture.
awakenings asked:

deimark commented:
Answers below:

1. Are DOS rules configured?

Depends which version you are using, as that determines which methodology is used.

R65 has SmartDefense (licensed), which can be used to protect the firewall from most DOS attacks.  It's not the best, which is why CP went for a proper IPS solution in R70 with full network exceptions etc.

Either should do the basics, with more features available in R70.  Both are licensable and use subscriptions to download signatures and updates etc.


2. Is the firewall patched to the latest stable OS?

Probably not.

The latest releases of CP are R71, R70.30 and R65 HFA 70.

You can get this from running "fw ver" on the CLI.

If you have valid support, you should have access to the upgrade software.  Note, if you are upgrading from R65 to R7x, you WILL need to regenerate your licenses BEFORE doing the upgrade, as the old licenses are not compatible with the new software blade architecture.


3. Does it have AAA installed?

Can you elaborate?  Do you mean can it do local auth?  Then yes, but it does not have full AAA features on its own.  It can be pointed at LDAP and RADIUS etc. if required.

4. Does SSH have incomplete connections shutting down after 15 minutes.

Not sure what you mean here, can you elaborate?

4. SNMP settings.

There are 2 components of SNMP, namely CP-based SNMP using the CP MIB (for services etc.) and also standard device-level SNMP.  Can be enabled through using cpconfig on the CLI.

5. The accounts on the firewalls themselves.

Each SPLAT installation is built with a single account, admin.  This account has access to the expert mode (similar to Linux root).  If you don't have this password, then there are KB articles for recovering them.

6. When logging into the firewall, can alerts be set up?

Yes.
awakenings (author) commented:
These are good answers!  In regards to #6, can you provide more information about how alerts can be set up for the FW administrator?

#4 is for embryonic connections... For example, if one makes the connection but doesn't do anything with the connection (for example, log on).
deimark commented:
What version of Check Point do you have installed?  I will dig out the admin guide that shows this (plus lots more).

As for 4, are you looking to apply this for ssh connections "to" the firewall or "through" the firewall?

AFAIK, half-open connections (of all protocols) are dealt with within SmartDefense / IPS, as well as with the normal session timeout table coming into effect.
awakenings (author) commented:
deimark,

    R71

    SSH to the firewall, not through.

    SmartDefense...  That is a good compensating control.
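Item #4, once narrowed to SSH sessions "to" the firewall, is a host-level check rather than a rulebase one: a connection that is opened but never completes logon is governed by the SSH daemon's unauthenticated-login grace period, and an authenticated session that goes quiet is governed by its keepalive settings. The script below is an added example, not taken from the thread or from Check Point; it assumes the SPLAT management SSH daemon is OpenSSH reading /etc/ssh/sshd_config (verify this on the box, as SPLAT ships its own hardened build) and audits a copy of that file against the 15-minute limit the asker named. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): audit an OpenSSH
# sshd_config for the connection-timeout controls behind question #4.
# Assumption: the SPLAT SSH daemon is OpenSSH and reads /etc/ssh/sshd_config.

# Effective value of an sshd_config keyword. OpenSSH uses the FIRST value it
# finds for a keyword and matches keywords case-insensitively; comment lines
# are skipped. Prints an empty string if the keyword is not set at all.
# (Match blocks are not modelled here; global settings only.)
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        !seen && tolower($1) == key { val = $2; seen = 1 }
        END { print val }' "$1"
}

# Convert a single-unit OpenSSH time value (60, 90s, 2m, 1h) to seconds.
# Combined values such as 1h30m are not handled by this helper.
to_seconds() {
    case "$1" in
        *s) echo "${1%s}" ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *)  echo "$1" ;;
    esac
}

# check_ssh_timeouts CONFIG LIMIT_SECONDS
# Returns 0 when both the unauthenticated grace period and the idle-session
# timeout are non-zero and within LIMIT_SECONDS, 1 otherwise.
check_ssh_timeouts() {
    cfg=$1; limit=${2:-900}; rc=0

    # Half-open ("embryonic") SSH sessions: LoginGraceTime, default 120s,
    # 0 means the daemon waits forever for the client to authenticate.
    grace=$(sshd_value "$cfg" LoginGraceTime); grace=${grace:-120}
    grace=$(to_seconds "$grace")
    if [ "$grace" -eq 0 ] || [ "$grace" -gt "$limit" ]; then
        echo "FAIL LoginGraceTime=${grace}s (0 = never; limit ${limit}s)"; rc=1
    else
        echo "PASS LoginGraceTime=${grace}s"
    fi

    # Idle authenticated sessions: dropped after Interval * CountMax seconds
    # of silence. Interval defaults to 0 (disabled), CountMax to 3.
    interval=$(sshd_value "$cfg" ClientAliveInterval); interval=${interval:-0}
    count=$(sshd_value "$cfg" ClientAliveCountMax);    count=${count:-3}
    idle=$(( interval * count ))
    if [ "$interval" -eq 0 ] || [ "$idle" -gt "$limit" ]; then
        echo "FAIL idle timeout=${idle}s (ClientAliveInterval=${interval}, CountMax=${count}; limit ${limit}s)"; rc=1
    else
        echo "PASS idle timeout=${idle}s"
    fi
    return $rc
}

# Constructed sample configs for the demonstration.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: loose timeouts; the second LoginGraceTime line is ignored
Protocol 2
LoginGraceTime 1h
LoginGraceTime 120
ClientAliveInterval 0
PermitRootLogin no
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed: grace period 1 minute, idle sessions dropped after 15 minutes
Protocol 2
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 3
PermitRootLogin no
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg"
    check_ssh_timeouts "$cfg" 900 || echo "   -> non-compliant"
done
```

Run it against a copy of the firewall's sshd_config with the limit your baseline requires (the asker's 15 minutes is 900 seconds); on a real SPLAT box the file should be pulled out via the admin account's expert mode rather than edited in place, and the daemon's actual defaults confirmed with the installed OpenSSH version.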
deimark commented:
I have attached the security management doc for R71.

As you have R71, SmartDefense is not available, but you do have the IPS blade that you can use, which in my opinion is much better for the levels of control you have as well as features.

If you have a valid support contract, then you can also register with the CP site and go download the myriad of docs that are available for R71.  CP are one of the few vendors that do seem to provide very useful and accurate docs, so I would recommend them to anyone.

HTH
CP-R71-SecurityManagement-AdminG.pdf
awakenings (author) commented:
Sorry...  Things came up and I forgot to award points!