SecurityCheckup R80.10 AdminGuide

Uploaded by

tavorodriguez

R80.10 Security Checkup Threat Analysis Report - Admin Guide

<<Solution Center>>
<<April 8, 2018>>

©2017 Check Point Software Technologies Ltd. All rights reserved | P. 1


Contents

1. Introduction
2. Benefits
3. Notes
4. Preparations
5. Re-imaging the appliance
6. First Time Wizard - Web GUI Setup
7. Configuration Mode
8. Activate Software Blades
10. Generating Security Checkup reports
11. Security Checkup Report Review
12. Offline Mode
13. Using Security Checkup in the Cloud
14. Appendices



1. Introduction
A Check Point Security Checkup report is a comprehensive security analysis report based on
data within your organisation. It automatically integrates security events from different Software
Blades: Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, DLP and Threat Emulation.

The Security Checkup Report accentuates Check Point Added Value, exposing security risks
and suggesting remediation. When a Check Point Security Gateway runs in a PoC environment,
inline or on a Mirror Port, it gives insight into the activity on the network and generates logs
and security events for the activated Software Blades. The report gives a comprehensive
security analysis that summarizes security events, their risks, and their remediation actions.
Therefore, the information offered by the Security Checkup, together with the in-house security
processes and new enforcement requirements, provides the first step for improving the security
architecture of any kind of organization.

Further information can be found here.

2. Benefits
• Shows the value of Check Point’s security strategy and the benefits provided by the
Software Defined Protection Architecture.
• Visualizes incidents that happen in customer networks, and gives practical
recommendations.
• Empowers you with knowledge of new security risks, and improves network security.
• Gives an executive summary for discussion with management.
• Gives detailed results for in-depth discussions with technical points of contact.
• Out-of-the-box reports speed information delivery and accelerate the sales process.
• Supports customization for specialized reports focused on customer challenges.



3. Notes
• Monitor mode does not allow us to change the traffic (we receive only a duplicate of the
packets); therefore everything that actively changes traffic won’t work, such as:
  o HTTPS inspection
  o Proxy

Monitor mode does support the following:
  o Stateless inspection
  o Passive inspection
  o Showing our system in a POC without risking the traffic

Learn more via sk101670.

• Monitoring traffic when working with VLANs:

SPAN (local or remote) allows you to monitor traffic on one or more ports, or one or more
VLANs, and send the monitored traffic to one or more destination ports. You can create a
SPAN session as Receive (Rx), Transmit (Tx) or Both. Make sure you choose “Both”.
SPAN does not interfere with the normal operation of the switch. However, an
oversubscribed SPAN destination, for example a 10-Mb/s port monitoring a 100-Mb/s port,
can result in dropped or lost packets. The default configuration on Cisco for local SPAN
session ports is to send all packets untagged. We can’t read tagged packets, so make sure
the router/switch removes tags (if it is not Cisco).
We don’t support the use of a trunk interface as a source port for the SPAN session.
• If you are using NAT devices, proxies (without the X-Forwarded-For header), Terminal Servers, DNS
servers, AD controllers etc., you will only see that device in the logs and not the users/servers
behind it.
• If you want to use Threat Emulation, it is highly recommended to use cloud emulation,
since it offers the most up-to-date detection capabilities and the largest amount of processing
resources; nevertheless, local emulation is available via our SandBlast Appliances.
• If the customer expects many logs, it is recommended to have at least 16GB of RAM
on the appliance (Note: most of the time SmartEvent has to run queries over millions of
logs, and the appliance starts to swap if you don’t have enough RAM, resulting in a poor end
user experience during SmartEvent queries).
• In a high performance environment it is recommended to separate the gateway and the management
server.
• If you have a Check Point 2012 Appliance bigger than a 12200 with 16GB or more of RAM,
you can enable HyperThreading for a performance increase of up to 30% (sk93000). In
addition, you can install the latest jumbo hotfix accumulator to prevent some performance
issues.
• Create a snapshot on disk after building and testing the appliance and before generating
logs. You can use this snapshot for future check-ups.
• If you don’t have an Internet connection, URL Filtering, Anti-Bot and Cloud Threat Emulation won’t
work.
• If you experience low performance, please review sk72640. You might also edit
$FWDIR/boot/modules/fwkern.conf (create the $FWDIR/boot/modules/fwkern.conf file if it
does not exist) and add kernel parameters, one per line, in the form:
parameter_name=value

Add the following lines:
fw_local_interface_anti_spoofing=0
fw_antispoofing_enabled=0
sim_anti_spoofing_enabled=0
fw_icmp_redirects=1
fw_allow_out_of_state_icmp_error=1

4. Preparations
Software Requirements

1. Download the latest Gaia ISO version - the current version is R80.10 Gaia (link).

2. Download ISOmorphic and create an R80.10 Gaia bootable USB from the ISO - there are two ways
to install the image on the appliance:
• USB CDROM (burn the ISO to a DVD).
• USB key using ISOmorphic.
  o How to install Gaia from a USB device on Check Point appliances and Open
Servers using the ISOmorphic Tool (sk65205).
  o Updated ISOmorphic (from sk65205).

Hardware Requirements

1. Console cable.
2. Serial to USB adaptor.
3. Network cables.
4. Blank USB flash disk or USB CDROM DVD for reimaging.
5. PC with at least Windows 7, 32 bit, to install the SmartConsole.



Customer Environment and Requirements

It is recommended to collect the following information from the customer and prepare the
appliance before arriving at the customer’s site.

1. Mirror Port / TAP configuration.

2. IP addressing:
a. IP address / netmask for the CheckUp device to be able to reach the Internet.
b. Gateway IP address.
c. DNS servers.
d. Make the customer aware that if they want to see corporate identities in the report they
will have to supply the AD domain name, the IP address(es) of the domain controllers and
administrator level credentials when the device is deployed at their site.
3. Proxy information for internet access (if needed).

Internet Connection

An internet connection is required for updates, hotfixes and required software. If you
don’t have internet access:
• URL Filtering, Anti-Bot and Cloud Threat Emulation won’t work.
• IPS and Anti-Virus signatures need to be updated offline.



5. Re-imaging the appliance
When starting the build process there are several methods to reimage:
1. If the appliance has been imaged previously with the appropriate software image version
installed, you can revert back to factory defaults by accessing the boot menu.
2. If a valid snapshot exists, revert to the snapshot by accessing the boot menu.
3. Reimage the appliance to R80.10 with the ISO on a bootable CDROM or USB flash drive.

Follow these steps:

1. Prepare the USB device either for Regular Deployment or for Unattended Deployment
(supported only on Check Point appliances).
2. Make sure the Appliance / Open Server is turned off.
3. Connect to the Appliance / Open Server over console (configure the standard connection -
Rate 9600, Data Bits 8, Parity None, Stop bits 1, No Flow Control).
4. Connect the USB device to the Appliance.
5. Turn on the Appliance.
6. After booting successfully from the USB drive, the SYSLINUX window should appear.
Note: If the machine did not boot from the USB device, check that the BIOS settings allow
booting from USB.

7. Enter the boot option according to the connection type you are using:
• Local disc - for booting from the local hard disk.
• Serial - for serial connection (2012 models, 2016 models, Smart-1 5/25/50/200/3000
models, TE models).
• Smart-1 150 - only for installing on the Smart-1 150 Appliance.
• VGA - for VGA or other graphic mode connection (only for Open Servers with a video
card).

Note: If no option is entered in the SYSLINUX window, then after 90 seconds the installation
will continue with the default option based on the installation type that was selected when
preparing the USB device:
• If you selected the 'Regular installation' type, the default option is localdrive, i.e. the
installation from the USB device will be aborted and the machine will boot from the local drive.
• If you selected the 'Unattended installation' type, the default option is serial.

8. When the installation ends successfully, there are three indications:
• The console shows the message that you may safely reboot the appliance.
• The LCD panel shows a success message.
• The interfaces blink in a round-robin fashion.

9. Unplug the USB and reboot the appliance (Ctrl C from the console).
Warning: Do NOT forget to unplug the USB device from the Appliance. Otherwise, if you
have used the 'Unattended installation' type for preparing the USB device, the local drive will
be formatted without any user confirmation once the machine is rebooted.



6. First Time Wizard - Web GUI Setup
1. Restart the appliance once Gaia has been installed successfully.
2. When the appliance is starting, connect the Ethernet cable to the management interface.
3. Set your PC interface to 192.168.1.2 with netmask 255.255.255.0.
4. Run a script that preconfigures a series of settings for Checkup purposes:
a. Download the script from this link.
b. Copy the script to the machine (/home/admin directory).
c. Grant execution permission to the script (chmod +x modifyscript.sh).
d. Run the script (./modifyscript.sh).
5. Open your browser and connect to https://192.168.1.1.
6. Log in with username admin, password admin.
7. The appliance will start the first time configuration wizard.

8. Select your setup option - choose Quick Standalone setup of R80.10 and continue to
perform a regular installation.



9. Quick Setup (sk102231):
• Set the IP address of management; 192.0.2.254/24 is recommended, as many SMB
customers use the 192.168.1.0/24 subnet.
• Set (and document) the password for GUI management, command line and Web UI.
• Connect the device to a live LAN connection and set the appropriate addresses; you
will change this IP later when you install the device into the customer network.
• Set the appropriate DNS address; note that using DNS servers located overseas may
cause issues and slowness with the geolocation that is required for the update services.
• Set the Gaia proxy if required. You will also need to set the proxy in SmartDashboard
for updates.
• Set monitor mode or bridge mode. Monitor mode is the normal mode.
• The date and time will be set from the PC; there is no requirement to use NTP. Be careful with
time settings, as Daylight Saving Time (DST) might not be considered. It is suggested to
review the time setting after the installation.

Warning: Do not change the main IP address of the management after this point; if you
do, it is likely that SmartEvent will not function correctly.

• For the Security Checkup process we recommend only using the same password as
the system administrator. It is also recommended to make the password standard for the
Security Check-up reports, to allow any administrator to complete the report if the
engineer who set up the appliance is not available.



10. The Management interface will be left unplugged when the appliance is on site. The port
can be used with a local cable to adjust the setup on 192.0.2.254.
11. The appliance will now go through the build and configuration process.
12. The build process will proceed.

Note that once the initial Quick Setup has finished, the device performs updates. It is recommended
to let these updates finish before attempting to perform any additional configuration.
To verify that all updates have finished, run this command:
tail -f /var/log/ftw_install.log
and wait until you see the following message:
end policy load

Important - review the configuration in chapter #8, because the script and first time wizard don’t
include all settings yet.



7. Configuration Mode
• On the management PC workstation, install the SmartConsole Suite for R80.10, if not already
installed.
• License (sk81200) - Generate a 30 day evaluation license via your User Center account and
license the appliance with both the Gateway and the Management licenses: to do so, select
Product Evaluation from the Winning the security market menu in PartnerMAP and assign an
All-in-Evaluation to your own User Center account.

• Once the license is in your UC account, the license will need to be activated against the IP
assigned to the appliance. The example below uses 192.0.2.254, but it depends on your
assignment of the management interface.



Select License and you will be emailed the licence file; save it to disk and install the license on the
appliance by opening SmartUpdate and adding it from file.

• Log in to the Gaia dashboard.
• Activate the Advanced View mode in the menu on the left and scroll to the Upgrades
(CPUSE) section.
• Update the CPUSE agent if required in the main screen.
• Proceed to show all available Hot Fixes and HFAs. Install them one by one as required,
depending on their content and their need. (Screenshot below.)



• Create a user for WinSCP access, as this will be required to pull the logs off the
appliance at a later date; ensure the shell for this user is set to /bin/bash and that
the role is admin, not monitor.
• Optional - If you’ve customized the Management IP, change your workstation address to
192.0.2.x/24 and reconnect to the appliance via https://192.0.2.254. This is where we will
complete the configuration of the OS and networking.
• Optional - On the left hand menu click on Network Interfaces and then select the Mgmt: 1
interface.
• Optional - Delete the Mgmt: 1 Alias 192.168.1.1 interface to avoid potential overlaps with
customer addressing.
• Check the interfaces that are to be the SPAN port.
Important: More than one port can be enabled for Monitor/SPAN purposes, as long as the
traffic is not seen twice across the two interfaces. Seeing it twice would compromise the statistics
and the number of detections.

Enable the SPAN interface and ensure that it does not have an IP address.

• Select the Ethernet tab and select monitor mode. In this step it is important to check whether Auto
Negotiation or fixed link speeds will be used. Remember that both the Security Gateway and the switch
MUST have the same configuration.



• Select the interface which will have Internet connectivity. Enter the IP address and subnet
mask supplied by the customer (if you are preparing the appliance in your lab, you should
assign an IP with Internet access on your network so as to update all the features before
reverting to the one for the customer’s site).

• Change the default route to the one supplied by the customer on the LAN interface for Internet
access for the appliance, by selecting “IPv4 static routes” on the left menu and selecting the
default route. This will facilitate updates for the gateway and the real time Threat Prevention
data.

Tip: you can add alias addresses on this interface to save configuration time on site.



Testing connectivity

To test that the internet connectivity is correct for the installation, log in to expert mode on the console
or via ssh. The following commands from the command line will confirm that most of the required
network connectivity is working:
• ping google.com
PING google.com (150.101.213.174) 56(84) bytes of data.
64 bytes from google.com (150.101.213.174): icmp_seq=1 ttl=60 time=26.0 ms
• curl_cli cws.checkpoint.com
<html><body><h1>It works!</h1></body></html>

You also might need to configure Internet access through a proxy. To configure it you must
enable the proxy from the Gaia Web Interface and from the Global Properties (through the
SmartConsole) option.

Another way to configure the proxy is from the CLI:

set proxy IP port PORT#
save config



8. Activate Software Blades
Blades activation
Note that most settings in this section are made by the script you run before the first time
wizard. In case you performed the settings manually, review the instructions below.

Install blades as shown by ticking the appropriate boxes below that have not been ticked.
Note: all blades but DLP and Identity Awareness are activated by default with the Gaia quick
setup.

*In case there is no connection to the internet, disable URL Filtering.

Access Control

• To keep the log file small, configure the following layers and rules:
a. FW Layer (FW is enabled).
Source = Any, Destination = Any, Action = Accept, Track = None.

b. APP&URLF and Content Layer - a new layer in which Applications & URL Filtering and
Content Awareness are enabled.

1. Source = Any, Destination = Internet, Content = Upload Traffic (Any File), Action =
Accept, Track = Detailed log (Accounting).

2. Source = Any, Destination = Internet, Content = Any, Action = Accept, Track =
Detailed log (Accounting).

• Make sure that the Implicit Cleanup Action is set to Accept for both layers.

• Install policy before the next step.



Application Control & URL Filtering

• Go to Manage and Settings > Blades > Application Control & URL Filtering and enable
the following options:
a. Allow all requests (fail open) in case of internal system error.
b. Categorize HTTPS sites.
c. Categorize cached pages.

Threat Prevention

In the Threat Prevention Profiles, edit the Optimized Profile and ensure you are using a
detect-only policy as follows:



In the Profile also set the Anti-Virus settings to the following values:

• Inspect incoming files from “all interfaces” or inspect incoming and outgoing files.
• For Mail (SMTP), change the nested file types setting to “Allow”.
• “Process specific file type families” should be selected.
a. Within “Configure…” the following types should be selected:
i. msi, pif, cmd, sw, wsc, wsf, chm, hlp, lnk, swf, bat, pdf, com, class
ii. exe (all different types)
iii. dll, reg
iv. vb, vbs, vbe
v. All Microsoft Office file types

• Enable Archive scanning (impacts performance).



The same settings apply for Threat Emulation under the Profile:

• Inspect incoming files from “all interfaces” or inspect incoming and outgoing files.
• Process all file types.

To get an excellent catch rate for a Security Checkup Report, you can enable the
Aggressive Detection mode for Check Point Anti-Virus (sk98099).
If your customer has concerns about the Cloud Emulation, there are options to restrict the
geographical area where the emulation is conducted. Please refer to sk97877.

Disable the logging of every scanned file in large environments.



• Go to Manage and Settings > Blades > Threat Prevention and select “Background -
requests are allowed until categorization is complete”.

Threat Emulation

Tick the Threat Emulation blade (if already done, you can untick and re-tick to check).
Activating Threat Emulation on the cloud will verify the subscription over the Internet and
validate the blade.



Identity Awareness Blade

Identity Awareness is recommended but optional. This should be turned on at the customer site,
as connectivity with the AD server is required and the customer will be required to enter the domain
password.
For this step, remember that the PC where you are running the SmartConsole must have IP
connectivity to the Domain Controller. Also make sure you set the correct DNS settings, with the
Domain Controller as your PC’s primary DNS server.

If Identity Awareness was enabled and you would like to present the user names in the Security
Checkup report, it is possible to edit the report: open the relevant view and add the User field.



Data Loss Prevention Blade

When activating the DLP blade, follow the wizard, including the domain of the customer you are
going to run the Security Check-up at.

You will also be requested to set names and keywords that refer to the company. If the
organisation has multiple names, enter them all here.

Select only Email and Web in the Wizard (NOT FTP).



Proxy detection

If users at the customer site browse the internet via a proxy and the mirror port is upstream of that
proxy:
1. In SmartConsole, go to the Objects Tree and select the Services tab.
2. Edit the TCP service HTTP_and_HTTPS_proxy.
3. Click Advanced.
4. Enable Match for ‘Any’.
5. Click OK.

Additional DLP improvements

If the customer has network storage with confidential data, it is highly recommended to enable
fingerprinting on it; the DLP catch rate will improve.

To save CPU:
• Disable “Log all sent messages”.
• Tick “disable when under load”.

To complete the installation, install policy (ignore the topology warning regarding missing
Anti-Spoofing).

IPS



• Ensure that you update the IPS policy. A valid User Center account will be required for this.
In case you are using a Standalone deployment, make sure you do a Database Revision
Control before updating the IPS database.

• Assign the recommended protection under the IPS properties of the Gateway and Perform IPS
on All traffic. To avoid the risk of a box lockup you can select to bypass IPS inspection under
heavy load.

• Make sure that all IPS signatures are set to detect.

• Eliminating some IPS false positives:
Enable PSL Tap Mode (this has been done in quick start).
  o vi $FWDIR/boot/modules/fwkern.conf and add the following lines:
psl_tap_enable=1
fw_tap_enable=1
  o Reboot the Security Gateway.
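The guide edits $FWDIR/boot/modules/fwkern.conf by hand here and in section 3 (the anti-spoofing and ICMP parameters). The helper below is an added example and not part of the Check Point guide or its script: it sets each parameter idempotently, creating the file if needed and replacing an existing line instead of appending a duplicate, so it is safe to re-run. The function names, the name/value validation and the command-line usage are my own assumptions; the parameter list is the guide's.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: idempotent editor for
# $FWDIR/boot/modules/fwkern.conf. Creates the file if it is missing,
# rewrites an existing "name=value" line in place, appends it otherwise,
# so running it twice never leaves duplicate or contradictory entries.
# Assumptions: POSIX sh with grep/sed; the parameter list is the one the
# guide gives; the gateway still needs a reboot to read the file.

# Accept only identifier-style names and simple values so that nothing we
# write can break the key=value format or carry sed metacharacters.
valid_param_name()  { printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; }
valid_param_value() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'; }

# set_kernel_param FILE NAME VALUE
set_kernel_param() {
    file=$1 name=$2 value=$3
    valid_param_name "$name"   || { echo "invalid parameter name: $name" >&2; return 1; }
    valid_param_value "$value" || { echo "invalid value for $name: $value" >&2; return 1; }
    dir=$(dirname "$file")
    [ -d "$dir" ]  || mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"          # create an empty file if missing
    if grep -q "^${name}=" "$file"; then
        # Rewrite the existing line through a temp file (works with any sed).
        tmp="${file}.tmp.$$"
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_kernel_param FILE NAME -> prints the current value (empty if unset)
get_kernel_param() {
    valid_param_name "$2" || return 1
    [ -f "$1" ] || return 1
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# The settings the guide asks for (section 3 and the PSL tap mode lines),
# applied in one pass.
apply_checkup_params() {
    file=$1
    for kv in fw_local_interface_anti_spoofing=0 \
              fw_antispoofing_enabled=0 \
              sim_anti_spoofing_enabled=0 \
              fw_icmp_redirects=1 \
              fw_allow_out_of_state_icmp_error=1 \
              psl_tap_enable=1 \
              fw_tap_enable=1; do
        set_kernel_param "$file" "${kv%%=*}" "${kv#*=}" || return 1
    done
}

# Usage on the gateway (Expert mode):
#   sh fwkern_params.sh "$FWDIR/boot/modules/fwkern.conf"
if [ "$#" -gt 0 ]; then
    apply_checkup_params "$1"
fi
```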



Testing Installation

The following method can be used to install and test the appliance onsite.
1. Connect to the Management Interface directly with a laptop.
2. Connect the Customer LAN port only first
(less load on the box to test Internet connectivity without SPAN connected).
3. Log in to Expert Mode via CLI.
4. Check DNS is functioning - “nslookup google.com”.
5. Check Internet access is functioning - “curl http://google.com”.
6. Plug in the cable to the SPAN port.
7. Test for traffic on the SPAN port; in Expert Mode type the command:
tcpdump -i eth1 port 80 -n

-i = interface
eth1 = SPAN port
port = port number

*can also be port 8080

This will ensure visibility of HTTP traffic and not just broadcasts, and confirm the SPAN is
correctly configured.
8. Log in to Logs & Monitor and confirm it is functioning and we are receiving events.



10. Generating Security Checkup reports
Once enough logs have been collected during the monitoring period, it’s time to generate the Security
Checkup reports:

1. Security Checkup - Anonymized: this report doesn’t include IP addresses or usernames.
2. Security Checkup - Advanced: this report is more detailed and includes IP addresses.
3. Security Checkup - Statistics: this is the raw data used for the Advanced and
Anonymized reports. It is recommended to generate it in Excel format.
4. Mobile Security Checkup: this report uncovers the mobile threats organizations are exposed
to.

To generate the Security Checkup reports follow the steps below:

1. Log into R80.10 SmartConsole and move to Logs & Monitor > Reports.

2. Double click on one of the reports and select the relevant period of time according to the
collected logs.

3. Once the report has been generated, save it as PDF.

4. Move to Archive and download the report from there.



11. Security Checkup Report Review
The Security Checkup report presents the findings of a security assessment conducted on the
customer’s network. The executive summary in the Security Checkup report summarizes the threats
found during the traffic inspection.

Security Checkup – Advanced and Anonymized Reports

Mobile Security Checkup

* Download the most updated report template from sk122375.



12. Offline Mode
In case you already have the logs from the customer and you want to generate a Security
Checkup report, follow the steps below:

1. Make sure that SmartEvent is activated.
2. Run evstop.
3. Import the log files to $FWDIR/log/.
4. In case your machine includes FW logs and you want to skip FW logs, uncheck "Log
Indexing" at the object editor > Logs.
5. Run $INDEXERDIR/log_indexer -days_to_index [NUM_OF_DAYS_TO_INDEX]
For example: $INDEXERDIR/log_indexer -days_to_index 30 (index logs from the last 30
days).
6. Run evstart.
7. To see that all logs have entered the machine:
tail -f /opt/CPrt-R80/log_indexer/log/log_indexer.elg | grep 'Files read rate \[log\]'
8. When you see that the current value is 0 for a long time (~10-20 seconds), it means that the
indexer has completed the job.


13. Using Security Checkup in the Cloud
The purpose of the Security Checkup - Cloud Service is to make the
process of running a Security Checkup Report easier for partners and
SEs by generating the report in the cloud rather than on an on-site
monitoring device. The service is free of charge.

How does it work?

1. Set up a Check Point standalone gateway with the relevant Security and Management Software Blades
activated. A SmartEvent server is not required.
2. Plug the device into the customer network to inspect mirrored or inline traffic (recommended
monitoring duration: at least 1 week) - see sk83500 and chapters 4-8 in this document.
3. After the standard set-up is done, run a script which automatically uploads the logs after X days
(recommended - at least one week). To obtain the package, download the CloudService Script.
4. Reports are generated in the Cloud Service and sent back to the Partner/SE encrypted via email.
5. You can also view the incidents in the cloud management, customize the report and use it as a regular
SmartEvent machine.

*Note that the Security Checkup in the Cloud is limited to 40GB of logs in version_19.

For more information on Security Checkup in the Cloud, view sk112732 and download the Cloud Service
Package.



14. Appendices
Appendix A - Checkup Checklist

WebGUI

Define a WinSCP user with /bin/bash as its shell.
Configure DNS servers.
Set any required proxy in the WebUI (difficult to get working correctly with checkups).
Configure the correct default route so the appliance can reach the internet for TE cloud and for checking
AV, AB, URLF and Application Control protections in the ThreatCloud.

Licenses

Generate a 30 day all-in-one bundle eval and attach it via your preferred method (CLISH,
CPUSE (WebUI), SmartUpdate etc.).
Ensure all contracts (IPS, TE etc.) are attached and showing as valid.

Gateway object

Check that all blades selected by the customer are switched on after the quick FTW.
Ensure SmartEvent is also switched on and the correlation unit is showing no errors.
Define any required proxy server from the customer under Topology > Proxy.
Set any required proxy in Global Properties.
Ensure topology is set correctly, with anti-spoofing turned off on the interfaces (the default, but
double check).

General Configuration

Make sure the management IP address doesn't change after the initial configuration and SmartEvent
set-up. Changing it can cause licensing nightmares as well as problems with logging and correlation units.
Define every single internal network expected to be seen in the traffic flow as an object under
the 'networks' folder in network objects.
Turn FW logging off - it generates surplus FW logs which we do not need in the Security
Checkup report.
Ensure subnet masks are correct for the customer's network.
Create a group object of all of the 'network' objects.
Ensure DNS settings are set and defined for the customer network.
If configuring the appliance before site installation, ensure these DNS IPs are on hand during install,
as an internet connection will be needed for license checks and protection updates (IPS, AV &
AB, URLF & Application Control).


Application Control & URLF

Ensure that the database update was carried out successfully on the Checkup gateway
under 'Gateways'. If not, push policy (or remember to push policy after completing the Checkup
checklist).
Ensure the application database is up to date. If not, update it from the Overview page.

DLP

Define 'My Organisation' entirely using the networks defined, and also include any email / web
domain names.
Select 'specific networks and hosts' and use objects after clicking the 'edit' button beside the
option in My Organisation, because the default option, 'networks behind internal
interfaces', doesn't work when using mirror ports with TX&RX packet flow on the same
interface.
Add any relevant DLP categories that may relate to the customer you are performing your
Checkup for.
One per line in the DLP policy, and be sure to copy and paste the protection definition into the
comment field so the Checkup report knows what the protection does (if you don't, the report
will show something being leaked, but give little to no information on what the protection was
looking for).
Ensure Web / HTTP has been enabled under DLP > additional settings > protocols.

IPS

Switch the IPS policy to Optimized and then either switch on troubleshooting mode (switching all
protections to detect and still logging) or select all 'protect' IPS protections in the Recommended
profile and change them to detect normally, without using troubleshooting mode.
Troubleshooting mode can be found by double clicking on the enabled profile on the Overview
page of the IPS blade and clicking Troubleshooting in the left hand list.

Threat Prevention (AV, AB, TE)

Ensure that all additional Threat Emulation file types have been enabled.
Ensure the update status and subscription status on the 'Gateways' page all show good results. Fix any
failed updates / checks.

Updates

Ensure IPS is updated.
Ensure the Application Control and URLF application databases are updated.
Ensure the AV & AB databases are updated.
Push the NETWORK and THREAT PREVENTION policy.



SmartEvent

Ensure internal networks are defined under SmartEvent Policy > General Settings > Internal
Network.
Ensure the correlation unit is OK and processing logs from the right log server (should all be the
same IP address as MGMT and GW if performing a standalone Checkup).

Connection Checks

If you get a response back from each of these whilst the appliance is installed in the customer site, then you
should be good to go.

Check the appliance can reach the internet after installation at the customer site (ping 8.8.8.8).
Check that it can access the AV, AB, URL & APP CTL update servers (sk83520):
curl -v http://cws.checkpoint.com/Malware/SystemStatus/type/short
Check that Threat Emulation can get to the ThreatCloud for emulating files:
curl -v http://te.checkpoint.com
Check that it can update IPS:
curl -v -k https://updates.checkpoint.com/
Download service updates:
curl -v -k https://dl3.checkpoint.com
Contract entitlement check:
curl -v -k https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService
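The checks in "Testing connectivity" (section 7) and in this list are typed one at a time. The script below is an added example, not from the Check Point guide, that runs them together and prints a verdict per endpoint so a failed DNS, route or proxy setting is spotted before the monitoring period starts. The endpoint list and the ping target are the checklist's; the function names, the timeouts and the rule that any HTTP status counts as a response are my assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: runs the guide's connection
# checks in one pass. Assumes Expert mode with curl and ping available.
# The -k option is kept only because the guide's checks use it to test bare
# reachability; it must not be copied into a real TLS client configuration.

# label|url|extra curl options  (constructed from the checklist)
CHECKUP_ENDPOINTS='
threat_cloud_status|http://cws.checkpoint.com/Malware/SystemStatus/type/short|
threat_emulation|http://te.checkpoint.com|
ips_updates|https://updates.checkpoint.com/|-k
service_updates|https://dl3.checkpoint.com|-k
contract_entitlement|https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService|-k
'

# probe_icmp HOST -> exit 0 if one ICMP echo gets a reply within 3 seconds
probe_icmp() { ping -c 1 -W 3 "$1" >/dev/null 2>&1; }

# probe_url URL OPTS -> prints the HTTP status code, "000" if no response
probe_url() {
    code=$(curl -s -o /dev/null -m 15 -w '%{http_code}' $2 "$1" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

# Any HTTP status proves DNS, routing and proxy all worked; the guide only
# asks for "a response back", so a 4xx from an update server still passes.
classify_status() {
    case $1 in
        [1-5][0-9][0-9]) echo PASS ;;
        *)               echo FAIL ;;
    esac
}

# Runs every check, prints one line each and returns the number of failures
# (0 means all endpoints answered).
run_connection_checks() {
    fails=0
    if probe_icmp 8.8.8.8; then
        printf '%-22s PASS ping 8.8.8.8\n' internet_icmp
    else
        printf '%-22s FAIL ping 8.8.8.8\n' internet_icmp
        fails=$((fails + 1))
    fi
    while IFS='|' read -r label url opts; do
        [ -n "$label" ] || continue
        code=$(probe_url "$url" "$opts")
        verdict=$(classify_status "$code")
        printf '%-22s %s (HTTP %s) %s\n' "$label" "$verdict" "$code" "$url"
        [ "$verdict" = PASS ] || fails=$((fails + 1))
    done <<EOF
$CHECKUP_ENDPOINTS
EOF
    return "$fails"
}

# Usage: sh checkup_connectivity.sh --run   (exit status = failed checks)
if [ "${1:-}" = "--run" ]; then
    run_connection_checks
fi
```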
