topic Common Criteria EAL4+ R82 in General Topics

Common Criteria EAL4+ R82

Malcolm_Levy — Thu, 17 Apr 2025 18:54:08 GMT

Check Point R82 for Gateway and Maestro Configurations

I’m pleased to be able to announce that the German BSI has awarded a Common Criteria EAL4+ certification augmented by ALC_FLR.1 and AVA_VAN.4 for R82.

The German BSI is held in very high regard and known for the unique criteria and stringent process it applies when evaluating products.

Relevant documentation for the certificate, Security Target, Administrator Guide and Evaluation report will be published by the BSI, the Common Criteria portal and from sk181211

Malcolm

Re: Common Criteria EAL4+ R82

the_rock — Thu, 17 Apr 2025 18:59:50 GMT

Congrats!

Re: Common Criteria EAL4+ R82

Nüüül — Thu, 17 Apr 2025 20:48:58 GMT

Great one! Congratulations

I am keen to see the Install and Config Guides.

One question about

Important Limitations: To obtain the evaluated configuration, the administrator is required to configure the TOE according to instructions provided in the Installation and Configuration Guide. After completion, non-TOE functionality will be disabled. This configuration does not support standard jumbo hotfixes. Flaw remediation will be provided through Customer Support via opening a support request.

Do you have an idea how long the delay is between normal JHF Release and TOE JHF? Will the hotfixes go through validations at BSI again? If yes, what about major fixes - are they accelerated? (I´m sure, some customers will ask such things 🙂 )

I tried to get out of the document, which features / blades are supported or excluded. Is there any?

Thanks

Re: Common Criteria EAL4+ R82

Malcolm_Levy — Fri, 18 Apr 2025 05:21:54 GMT

The limitations are standard wordings of Common Criteria certifications. The wordings are motivated by certification Schemes that wish to protect their integrity and reputation for a possible fallout should a customer not abide by this advice and then expose themself to a potential vulnerability.

I'm not aware of customers that follow this advice, and my understanding is that most are pragmatic and use the certification for the assurance it provides and as one consideration in their risk analysis for how to protect their assets which may be best served by also using unevaluated features.

It is also worth noting that for certification expediency we disable CPMI and therefore SmartConsole. This is not due to a risk, where the administrator is configured to be on a protected network, but due to the heavy load in evidence creation and testing that allowing CPMI or SmartConsole would require.

There will not be equivalent TOE JHFs, due to the work that would be required, and that there is no simple path for their certification. The path of a hot fix and its potential certification could happen if a CVE is discovered. Thankfully these are very rare in Check Point.

The TOE is very similar to the one we had for R81.10, with the obvious advantage of being on R82 that supports the latest appliances.

Re: Common Criteria EAL4+ R82

HeikoAnkenbrand — Mon, 09 Jun 2025 18:48:08 GMT

Here are all the original documents from Check Point and the German Federal Office for Information Security (BSI)

German Federal Office for Information Security - BSI-DSZ-CC-1207-2025:
- Certification Report
- Security Target
- Certificate

Check Point:
- sk181211: R82 Common Criteria EAL4+ AVA_VAN.4 BSI Certification
- BSI R82 Common Criteria EAL4+ AVA_VAN.4 Certification - Security Gateway Image for sk181211
- BSI R82 Common Criteria EAL4+ AVA_VAN.4 Certification - Installation and Configuration Guide for sk181211

Re: Common Criteria EAL4+ R82

Malcolm_Levy — Mon, 09 Jun 2025 18:48:11 GMT

Thanks, and the link to the BSI certified products where this is shown

BSI - Certified products according to CC - Current certificates according to CC