Solved

Basic Checkpoint Firewall Configurations

Posted on 2010-09-17
6
1,712 Views
Last Modified: 2013-11-16
I have to certify new checkpoint boxes being installed.  I am more used to the Cisco / Juniper configurations.  I am using DISA as my baseline.  We have SPLAT (secure platform) and then the firewalls themselves.  I have the SPLAT configurations (which look reasonable from a DISA standpoint), but I do not have the firewall configurations.  All I have are the firewall rules from checkpoint.  For the configuration, I want to know (for example) the following;

1. Are DOS rules configured?
2. Is the firewall patched to the latest stable OS?
3. Does it have AAA installed?
4. Does SSH have incomplete connections shutting down after 15 minutes.
4. SNMP settings.
5. The accounts on the firewalls themselves.
6. When logging into the firewall, can alerts be set up?

etc.  All thoughts and opinions are appreciated.  I don't fully understand the Checkpoint architecture.
0
Comment
Question by:awakenings
  • 3
  • 3
6 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 33701741
Answers below:

1. Are DOS rules configured?

Depends which version you are using for which methodology is used.

R65 has smartdefence (licensed) which can be used to protect the firewall from most DOS attacks.  Its the not the best, which is why CP went for a proper IPS solution in R70 with full network exceptions etc.

Either should do the basics, with the more features available in R70.  Both are licensable and use subscriptions to download signatures and updates etc.


2. Is the firewall patched to the latest stable OS?

Probably not.

The latest release of CP is R71, R70.30 and R65 HFA 70

You can get this from running "fw ver" on the CLI

If you have valid support, you should have access to the upgrade software.  Note, if you are upgrading from R65 to R7x, you WILL need to regenerate your licenses BEFORE doing the upgrade, as the old licenses are not compatible with the new software blade architecture


3. Does it have AAA installed?

Can you elaborate?  Do you mean can it do local auth?  Then yes. but it does not have full AAA features on its own.  It can be pointed at LDAP and RADIUS etc if required.

4. Does SSH have incomplete connections shutting down after 15 minutes.

Not sure what you mean here, can you elaborate?

4. SNMP settings.

Has 2 components of SNMP, namely CP based SNMP using the CP MIB, for services, etc and also standard device elvel SNMP.  Can be enabled throuhg using cpconfig on the CLI

5. The accounts on the firewalls themselves.

Each SPLAT installation is built with a single account, admin.  This account has access to the expert mode (similar to linux root)  If you dont have this password, then there are KB articles for recovering them

6. When logging into the firewall, can alerts be set up?

Yes
0
 

Author Comment

by:awakenings
ID: 33701880
These are good answers!  In regards to #6, can you provide more information about how alerts can be set up for the FW administrator?

#4 is for embryonic connections... For example, if one makes the connection, but doesn't do anything with the connection (for example, log on).
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 33702503
What version of Check Point do you have installed and I will dig out the admin guide that shows this (plus lots more)

As for 4, are you looking to apply this for ssh connections "to" the firewall or "through" the firewall?

AFAIK, half open connections (of all protocols) are dealt with within smartdefence, IPS as well with teh normal session timeout table coming into affect
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:awakenings
ID: 33702652
deimark,

    R71

    SSH to the firewall, not through.

    Smart defense...  That is a good compensating control.
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 33702740
I have attached the security management doc for R71.

As you have R71, smartdefence is not available, but you do have the IPS blade that you cna use, which in my opinion, is much better for levels of control you have as well as features.

If you have a valid support contract, then you can also register with the CP site and go download the myriad of docs that there are available for R71.  CP are one of the few vendors that do seem to provide very useful and accurate docs so I would recommend them to anyone.

HTH
CP-R71-SecurityManagement-AdminG.pdf
0
 

Author Comment

by:awakenings
ID: 33716370
Sorry...  Things came up and I forgot to award points!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Split tunnel and locally reroute the traffic 3 34
Class Map is not matching traffic on Global Policy??? 2 49
Sonicwall Traffic 17 83
Sonicwall SOHO Firewall port access 5 81
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now