topic Re: STIG's Forum in Firewall and Security Management

STIG's Forum

Mike314 — Tue, 01 Oct 2024 21:29:28 GMT

Any chance we can get a forum to discuss STIG concerns?

From time-to-time we get a STIG that is not documented in the released documentation for given hardware/software.

The current example I am looking for is...

------------------------------------------------------------------------------------------------------------------------------------

"Check Text: Verify the firewall stops forwarding traffic or maintains the configured security policies upon the failure of the following: system initialization, shutdown, or system abort.

If the firewall does not stop forwarding traffic or maintain the configured security policies upon the failure of system initialization, shutdown, or system abort, this is a finding.

Fix Text: Configure the firewall to stop forwarding traffic or maintain the configured security policies upon the failure of the following actions: system initialization, shutdown, or system abort."

------------------------------------------------------------------------------------------------------------------------------------

I have not been able to find any information about the traffic flow during a reboot, or system failure for the system I am using.

What is the best location to find answers on these types of topics? In the past, if I can not find documentation on a particular subject required for a STIG, I end up opening a ticket. It seems like that is a lot of overhead for something a lot of people need to do.

Re: STIG's Forum

PhoneBoy — Wed, 02 Oct 2024 02:51:25 GMT

You can ask here and we'll do our best to answer.

By default, the system will not forward traffic when powered on and won't until the software is up where IP forwarding is enabled and the last installed security policy is activated.
The management is checked first to see if this policy has changed.
If the policy is the same or the management is not available for some reason, the gateway will attempt to load the last installed security policy from the local cache.
If all else fails, a DefaultFilter is loaded, which blocks all but management traffic and disables IP forwarding.

Should the software in the gateway fail, it "fails closed" (won't forward any traffic).

Some of this is in the formal documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/Boot-Security.htm

Re: STIG's Forum

Mike314 — Wed, 02 Oct 2024 14:48:05 GMT

Thank you PhoneBoy!!!

Any chance the "Fail-Closed" is documented in a released publicly available document. I will need to point to the document that shows this for my STIG.

...and thank you the link to this forum. I will be looking checking it out all day.

Re: STIG's Forum

PhoneBoy — Wed, 02 Oct 2024 15:03:34 GMT

Not sure we directly address the "fail closed" issue.
However, if we failed open, we would not offer (as an option) fail open NICs, which are described here: https://support.checkpoint.com/results/sk/sk87621