topic Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0 in Scripts

Script to run the CIS Check Point Firewall Benchmark v1.1.0

Danny — Tue, 24 Mar 2026 13:38:12 GMT

169

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

the_rock — Fri, 31 Oct 2025 11:46:05 GMT

Wow Danny, thats AMAZING!

Just ran it in my lab.

[Expert@CP-GW:0]# /var/log/cis/CIS_Benchmark_Gaia_v1.1.0.sh

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

the_rock — Fri, 31 Oct 2025 23:07:36 GMT

Also sent this to few customers Danny, they all LOVED it!

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

genisis__ — Sun, 02 Nov 2025 15:34:17 GMT

Awesome Danny! I ran it on VSX R82, but there where a bunch of interfaces it could not see as I suspect the script may not go into each vs and run per VS.

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

Danny — Sun, 02 Nov 2025 16:03:57 GMT

@genisis__ : Thanks for testing on VSX. As I kept the script code highly readable and adjustable, it should be easy for you to add VSX support and share your result with us. What do you think?

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

genisis__ — Mon, 03 Nov 2025 10:08:12 GMT

I've never actually tried it Danny.. not really a coder, but I can try to take a look.

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

Daniel_ — Tue, 04 Nov 2025 06:50:03 GMT

Great Script! Thanks!

Is there a bug in 2.3.1 with NTP? I have in /config/active several lines for each NTP Server

# grep -w "^ntp:server:.*$t$$" /config/active ntp:server:192.0.2.2 t ntp:server:192.0.2.2:iburst t ntp:server:192.0.2.1 t ntp:server:192.0.2.1:iburst t ntp:server:192.0.2.1:prefer t

This counts the line to 5 and fails.

Version R81.20 take118

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

Daniel_ — Tue, 04 Nov 2025 08:00:25 GMT

2.5.4 fails if only radius is configured. The script checks for "aaa:auth_order" but it's "aaa:auth_profile"

# grep aaa:auth_profile /config/active aaa:auth_profile:base_radius_authprofile:radius_srv:1 t aaa:auth_profile:base_radius_authprofile:radius_srv:1:host 192.0.2.1 aaa:auth_profile:base_radius_authprofile:radius_srv:1:port 1812 aaa:auth_profile:base_radius_authprofile:radius_srv:1:secret topsecret aaa:auth_profile:base_radius_authprofile:radius_srv:1:timeout 3 aaa:auth_profile:base_radius_authprofile:radius_srv:2 t aaa:auth_profile:base_radius_authprofile:radius_srv:2:host 192.0.2.2 aaa:auth_profile:base_radius_authprofile:radius_srv:2:port 1812 aaa:auth_profile:base_radius_authprofile:radius_srv:2:secret topsecret aaa:auth_profile:base_radius_authprofile:radius_srv:2:timeout 3

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

Danny — Tue, 04 Nov 2025 08:14:02 GMT

Thanks for testing. Please suggest a code fix.

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

Hugo_vd_Kooij — Tue, 04 Nov 2025 10:19:03 GMT

There are a few things that need to be fxed in the CIS benchmark.

I have proposed 1 change allready. But there are some more notes that I have to work on. As a few more thins are not correct in my view.

For example CIS benchmark 2.5.3. makes no sense on machines that are not a gateway.

Re: Script to run the CIS Check Point Firewall Benchmark v1.1.0

Danny — Fri, 07 Nov 2025 06:25:54 GMT

Yeah, I've seen your proposal here.