Solved

Basic Checkpoint Firewall Configurations

Posted on 2010-09-17
1,715 Views
Last Modified: 2013-11-16
I have to certify new Check Point boxes being installed. I am more used to the Cisco / Juniper configurations. I am using DISA as my baseline. We have SPLAT (SecurePlatform) and then the firewalls themselves. I have the SPLAT configurations (which look reasonable from a DISA standpoint), but I do not have the firewall configurations. All I have are the firewall rules from Check Point. For the configuration, I want to know (for example) the following:

1. Are DOS rules configured?
2. Is the firewall patched to the latest stable OS?
3. Does it have AAA installed?
4. Does SSH have incomplete connections shutting down after 15 minutes?
4. SNMP settings.
5. The accounts on the firewalls themselves.
6. When logging into the firewall, can alerts be set up?

etc.  All thoughts and opinions are appreciated.  I don't fully understand the Checkpoint architecture.
Question by: awakenings

6 Comments
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 33701741
Answers below:

1. Are DOS rules configured?

Depends on which version you are using, as that determines which methodology is used.

R65 has SmartDefense (licensed), which can be used to protect the firewall from most DOS attacks. It's not the best, which is why CP went for a proper IPS solution in R70 with full network exceptions etc.

Either should do the basics, with more features available in R70. Both are licensable and use subscriptions to download signatures and updates etc.


2. Is the firewall patched to the latest stable OS?

Probably not.

The latest releases of CP are R71, R70.30 and R65 HFA 70.

You can get this from running "fw ver" on the CLI.

If you have valid support, you should have access to the upgrade software. Note, if you are upgrading from R65 to R7x, you WILL need to regenerate your licenses BEFORE doing the upgrade, as the old licenses are not compatible with the new software blade architecture.


3. Does it have AAA installed?

Can you elaborate? Do you mean can it do local auth? Then yes, but it does not have full AAA features on its own. It can be pointed at LDAP and RADIUS etc. if required.

4. Does SSH have incomplete connections shutting down after 15 minutes?

Not sure what you mean here, can you elaborate?

4. SNMP settings.

It has 2 components of SNMP, namely CP-based SNMP using the CP MIB (for services etc.) and also standard device-level SNMP. Can be enabled through using cpconfig on the CLI.

5. The accounts on the firewalls themselves.

Each SPLAT installation is built with a single account, admin. This account has access to the expert mode (similar to Linux root). If you don't have this password, then there are KB articles for recovering them.

6. When logging into the firewall, can alerts be set up?

Yes.
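As an added example for item 2 above (not from this thread and not Check Point's own tooling), here is a small Python checker a certifier could run over `fw ver` output collected from several gateways. It parses the release string and compares each box against the latest releases deimark lists (R71, R70.30 and R65 HFA 70). The hostnames and output lines are constructed, and the exact `fw ver` output format is an assumption; adjust the regex if your gateways print something different.

```python
"""Compare captured `fw ver` output against the latest Check Point releases."""
import re

# Latest release per train, as listed in the answer above (September 2010):
# R71, R70.30 and R65 HFA 70. Tuples are (major, minor, hfa) so they compare
# with Python's normal tuple ordering.
LATEST_BY_TRAIN = {
    65: (65, 0, 70),
    70: (70, 30, 0),
    71: (71, 0, 0),
}

# Matches "R65", "R70.30" or "R65 HFA 40". Requiring digits right after the R
# keeps the "(R)" in "FireWall-1(R)" from being taken as a version.
VERSION_RE = re.compile(r"\bR(\d+)(?:\.(\d+))?(?:[\s_]+HFA[\s_]?(\d+))?\b")


def parse_fw_ver(output):
    """Return (major, minor, hfa) parsed from one `fw ver` output line, or None."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    hfa = int(m.group(3)) if m.group(3) else 0
    return (major, minor, hfa)


def format_version(version):
    """Render a (major, minor, hfa) tuple the way Check Point names releases."""
    major, minor, hfa = version
    text = f"R{major}" + (f".{minor}" if minor else "")
    return text + (f" HFA {hfa}" if hfa else "")


def check_patch_level(output):
    """Classify one gateway's `fw ver` output as current, behind or unknown."""
    version = parse_fw_ver(output)
    if version is None:
        return {"version": None, "status": "unparsed", "latest": None}
    latest = LATEST_BY_TRAIN.get(version[0])
    if latest is None:
        # A train the table does not know about: flag it for manual review
        # rather than silently calling it current or behind.
        return {"version": format_version(version), "status": "unknown_train", "latest": None}
    status = "current" if version >= latest else "behind"
    return {"version": format_version(version), "status": status, "latest": format_version(latest)}


# Constructed sample output keyed by made-up hostnames (assumed format; not
# captured from a real gateway).
SAMPLE_OUTPUT = {
    "fw-dmz-01": "This is Check Point VPN-1(TM) & FireWall-1(R) R65 HFA 40 - Build 412",
    "fw-core-01": "This is Check Point's software version R71 - Build 021",
    "fw-lab-01": "This is Check Point's software version R70.20 - Build 064",
}


def audit(samples):
    """Run check_patch_level over a {hostname: fw_ver_output} mapping."""
    return {host: check_patch_level(line) for host, line in samples.items()}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_OUTPUT).items():
        print(f"{host}: {result['version']} -> {result['status']} (latest: {result['latest']})")
```

Any gateway reported as "behind" or "unknown_train" is the one to chase up against the vendor's current release list before signing off the DISA item; the table in the script is a snapshot of what the answer states and needs refreshing as new releases ship.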

Author Comment

by:awakenings
ID: 33701880
These are good answers!  In regards to #6, can you provide more information about how alerts can be set up for the FW administrator?

#4 is for embryonic connections... For example, if one makes the connection but doesn't do anything with the connection (for example, log on).
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 33702503
What version of Check Point do you have installed? I will dig out the admin guide that shows this (plus lots more).

As for 4, are you looking to apply this for ssh connections "to" the firewall or "through" the firewall?

AFAIK, half-open connections (of all protocols) are dealt with within SmartDefense and IPS, as well as with the normal session timeout table coming into effect.

Author Comment

by:awakenings
ID: 33702652
deimark,

    R71

    SSH to the firewall, not through.

    SmartDefense... That is a good compensating control.
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 33702740
I have attached the security management doc for R71.

As you have R71, SmartDefense is not available, but you do have the IPS blade that you can use, which in my opinion is much better for the levels of control you have as well as features.

If you have a valid support contract, then you can also register with the CP site and go download the myriad of docs that are available for R71. CP are one of the few vendors that do seem to provide very useful and accurate docs, so I would recommend them to anyone.

HTH
CP-R71-SecurityManagement-AdminG.pdf

Author Comment

by:awakenings
ID: 33716370
Sorry...  Things came up and I forgot to award points!