topic Re: vulnerability scanning & compliance blade in General Topics

vulnerability scanning & compliance blade

Daniel_Kavan — Thu, 24 Feb 2022 18:44:46 GMT

Our ISSO wants to do nessus scanning for vulnerabilities even though we already have the compliance blade. Is there any reason not to? Has anyone run into issues with creating a user for nessus & letting it scan the firewall? Is anyone else scanning their firewalls with Nessus?

I've requested in the past that CP adds CVE to the compliance blade. It seems like it would be an easy and very helpful addition. I know we have the web page that show the CVEs but this way we would also know which ones we've patched.

message from ISSO

Show me a report showing vulnerabilities report. However, all I’ve seen are compliance reports. Those are like CIS reports, not vulnerability reports. Very different. However, both are important.

I’m looking for something that shows the current vulnerabilities (CVE’s) on the system.

If you can produce that from the firewall not from a checkpoint list I’ll let it go. If not, I really want a verified scan of the Firewall’s OS from Nessus.

Re: vulnerability scanning & compliance blade

the_rock — Thu, 24 Feb 2022 20:30:15 GMT

Thats a good point...maybe someone can confirm, but I dont believe you would get current vulnerabilities on the system with compliance blade. I will do some lab testing and check for you.

Andy

Re: vulnerability scanning & compliance blade

K_montalvo — Thu, 24 Feb 2022 21:26:41 GMT

Compliance its not the same as the vulnerabilities scanning, he would need to do a credentialed scan of the FW with Nessus. Any vulnerabilities would then need to be remediated in order to be in compliance with a specific security framework or internal policy. In case the scan is for the network the firewall shall not be in between as false positives or IPS may block scanning and/or not proper scanning would work.

Re: vulnerability scanning & compliance blade

Chris_Atkinson — Wed, 02 Mar 2022 07:26:26 GMT

Did you work with your local SE to open an RFE for this?
(For awareness there is also some coverage here in other areas e.g. PRO support.)

As your ISSO and others have highlighted these serve different purposes.

Though some might also question the usefulness of scanning a Firewall with Nessus, it sounds like independent/external validation is what your after.

Re: vulnerability scanning & compliance blade

Daniel_Kavan — Fri, 25 Feb 2022 13:42:20 GMT

done, o91118xT0

Yeah, CVE scans are different than the compliance blade CIS style reports, but it seems like a perfect add-on to the compliance blade which is already doing scans.

Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

Re: vulnerability scanning & compliance blade

the_rock — Fri, 25 Feb 2022 13:43:29 GMT

Thats true brother, I mixed up the two : - )

Re: vulnerability scanning & compliance blade

Daniel_Kavan — Mon, 28 Feb 2022 13:12:37 GMT

The only complication I can see is that Nessus recommends the same UID of 0 (the same as the admin user) for the two new users.

Scanning Check Point Gaia with Tenable Nessus

Re: vulnerability scanning & compliance blade

Chris_Atkinson — Mon, 28 Feb 2022 13:29:23 GMT

You should also consider sk100647 when you review your scanning results.