Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Di_Junior
Advisor
Advisor

Check Point Firewall Admin Tasks

Dear Mates,

This is not a technical but it is more based on your exeperience with Checkpoint solutions.

What can one do when it is tasked with the responsability to become the admin of the checkpoint firewalls of a big company for the first time. What should one be busy with on his first weeks? take into account that the former admin is not willing to share any information and the new comer is certified CCSE but with limited experience.

Any help will be appreciated.

15 Replies
Terry_Greensil1
Participant

With no documentation or handover I would start with the following...

CHANGE ALL ADMIN/ROOT PASSWORDS!

Full inventory of gateways including versions, vendor support expiry.

Create a network infrastructure diagram

Identify top risky rules.

Look at security dashboard to bring any security risky or compromised assets to the table.

Failover testing

Performance monitoring

Identify none used rules and objects - (Cleanup)

Plan an improvement program. I.E a move to central security manager if you are not there already.

Any blades that could be enabled to improve security - Next gen blades like IPS and HTTPS inspection ect

Check Point Endpoint protection roll-out should you wish.

Danny
Champion Champion
Champion

Checking out this place already is a very good point to start.

As you are missing experience, you could set up a test lab for trying out things before you perform any changes on your production environment. Also I strongly recommend attending a CCSA/CCSE training course at your next ATC to get back on track.

I've put together the following ressources you might find useful :

Check Point Support Resources - Top 10

Check Point Support Tools - Top 10

Check Point configuration mistakes - Top 10

Common Check Point Commands (ccc)

HowTo Set Up Certificate Based VPNs with Check Point Appliances

Di_Junior
Advisor
Advisor

Hi Danny thanks for the advices. I do have my labs and I practice all the time. I got my CCSE in less than a year, and I will practice everything in the course material and beyond. The only things is that now I can only practice with R80.10 because R77.30 is somehow no longer working on open servers because of license issues. Before there used to be the 15 days,.

0 Kudos
AlekseiShelepov
Advisor

If it is because of license, then you can create an evaluation license for 1 month or use a nice option for CheckMates - license for 1 year. New installations still have 15-day trial license.

Most probably it is not connected with licensing though, but to a well-known issue sk122612 

0 Kudos
Di_Junior
Advisor
Advisor

Hi Danny thanks for the advices. I do have my labs and I practice all the time. I got my CCSE in less than a year, and I will practice everything in the course material and beyond. The only things is that now I can only practice with R80.10 because R77.30 is somehow no longer working on open servers because of license issues. Before there used to be the 15 days,.

0 Kudos
Joshua_Hatter
Employee
Employee

Make sure the Management Server is backed up 6 ways to Sunday and store it in 3 different locations!!! Gateways can be replaced, thousands of network objects and 1000 rule policies are slightly more challenging to get back if lost.

This SK goes over backup/snapshot/export and what you get with each.

Best Practices - Backup on Gaia OS 

G_W_Albrecht
Legend
Legend

If the former admin is not willing to share any information, the company should sue him - they will have to spend much money to keep the installation securely working...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Sven_Glock
Advisor

I don't want to say items double, but for me this is most important:

CHANGE ALL ADMIN/ROOT PASSWORDS, delete local user accounts and start creating a network diagraph of the whole infrastructure.

Look for users that can be deleted in Check Point SmartCenter or Multi-Domain-Managent - especially the one of the former admin.

Try to get in contact with your Check Point Sales and Check Point Sales Engineer.

They can help you with general Check Point problems.

Try to get administrator and primary contact of your companies Check Point User Center Account and kick all other users or reduce their rights to a minimum  - especially the one of the former admin. The usercenter account has all our Check Point licenses. They should not fall in wrong hands.

Try to find out which support contract you have with Check Point. I urgent cases Check Point support can help to solve issues - depending on your support level.

The rest was already said...

Good luck!

Jake_Williams
Participant

One thing not listed in the great responses above is to really understand the rulebase. Why are some of the rules in place, and how is the rulebase structured? If you had to add a new rule, would you know where to put it and what all the existing rules/objects mean? I've taken over for other admins or joined teams before, and really understanding a complex rulebase can take some time. 

To expand more on one of the comments, definitely spend time with your Checkpoint SE and/or your VAR SE, as they may have some good information about how your company is working or why they are doing certain things. Maybe you don't have IPS enabled because it broke something when the former admin tried - they may know the answer.

0 Kudos
Mark_Gurevich
Contributor

Check and remove all unnecessary local users on GW as well as on Mgmt aside with just changing admin password mentioned above

0 Kudos
Pablo_Munoz
Employee Employee
Employee

As a general suggestion from Support perspective, make sure you have an inventory with all your Check Point appliances (Mgmt + GWs) and try to have these details handy:

- Hostname

- Version

- Enabled SW blades ('enabled_blades' command)

- Custom hotfix level, if any special hotfixes (cpinfo -y all... this will come in handy when creating cases with support)

- Jumbo Hotfix level on each appliance ('installed_jumbo_take' for R77.30 / 'cpinfo -y all' for R80.10)

- IP address/mask

- MAC address (needed for RMA purposes)

- Service contract dates

You can also log into your UserCenter account and check any previous tickets that were created for any of those appliances, this may give you a good understanding of the general issues (if any) that previous admins have experienced.

Have a good backup policy (save configuration/backup/mds_backup/snapshot, anything... everything!!). Very important - Get the backups out of the appliance)

Make sure you have enough disk space on appliances (df -h), specially log/mgmt servers.... if you have SmartEvent, check here too.

If you want to go one step further, you can even run the health check script from sk121447 on each appliance... very easy to do, and it can get you a starting point to see your devices' current status.

Ultimately, make sure you have supported/upgraded versions everywhere... lots of enhancements and new code have been added to the latest releases:

sk106162 - R77.30 Jumbo Hotfixes

sk116380 - R80.10 Jumbo Hotfixes

As some people already mentioned, change passwords/users. I cannot stress this enough Smiley Happy

You can also run something like "top" on each appliance just to get an idea of how much load it's handling, potentially identifying any device that's constantly at more than ~ 60-80% CPU usage during business hours (may need further review to understand why, or may even need to be replaced with a more powerful unit if it's handling too much load all the time)

Hope this helps!

Jerry
Mentor
Mentor

maybe just to add to the topic - one more thing to start learning when you inherit such estate ...

- get to know your network and infrastructure surrounding Check Point products

- absorb how routing and switching is working with appropiate vlans and virtual devices all around

- get to know how your policies control traffic flow around your gateways

- as well as get to know what is the performance of your estate and what resources runs on each box - do little audit mate what have you got left memory, cpu and disk space wise (df -ahl) and run on each box cpview (new tool) in order to see what have you got inherited in a real life scenarios.

hope it helps Smiley Happy 

Jerry

Jerry
0 Kudos
Sven_Glock
Advisor

One more thing:

Try to find out if your company has to comply to specific regulations like PCIDSS, SOX, ISO, HIPAA, Basel, NIST etc. pp. and check if your network and all what belongs to the network is compliant.

0 Kudos
Di_Junior
Advisor
Advisor

Dear All,

I wish to thank you all for your contributions with regards to the question above.

I have officially taken over the position.

Regards

Petr_Hantak
Advisor
Advisor

Maybe one more thing from my side. It was already mention above that it is good to have inventory list with device names, SW version, support, etc.

I recommend also to check hardware status itself. If is still good enogh and compare it with Support Life Cycle Policy 

It is good to be prepared for ring on bell that the renewal is already needed or will be need soon.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events