This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
Advisor
‎2022-02-24 10:33 AM
Jump to solution

vulnerability scanning & compliance blade

Our ISSO wants to do nessus scanning for vulnerabilities even though we already have the compliance blade.    Is there any reason not to?  Has anyone run into issues with creating a user for nessus & letting it scan the firewall?   Is anyone else scanning their firewalls with Nessus?

I've requested in the past that CP adds CVE to the compliance blade.   It seems like it would be an easy and very helpful addition.  I know we have the web page that show the CVEs but this way we would also know which ones we've patched.

 

message from ISSO

Show me a report showing vulnerabilities report.  However, all I’ve seen are compliance reports.  Those are like CIS reports, not vulnerability reports.  Very different.  However, both are important. 

I’m looking for something that shows the current vulnerabilities (CVE’s) on the system. 

If you can produce that from the firewall not from a checkpoint list I’ll let it go.  If not, I really want a verified scan of the Firewall’s OS from Nessus.

1 Solution

Accepted Solutions
K_montalvo
Advisor
‎2022-02-24 01:26 PM
In response to the_rock
Jump to solution

Compliance its not the same as the vulnerabilities scanning, he would need to do a credentialed scan of the FW with Nessus. Any vulnerabilities would then need to be remediated in order to be in compliance with a specific security framework or internal policy. In case the scan is for the network the firewall shall not be in between as false positives or IPS may block scanning and/or not proper scanning would work.

 

 

View solution in original post

7 Replies
the_rock
Legend
Legend
‎2022-02-24 12:30 PM
Jump to solution

Thats a good point...maybe someone can confirm, but I dont believe you would get current vulnerabilities on the system with compliance blade. I will do some lab testing and check for you.

Andy

K_montalvo
Advisor
‎2022-02-24 01:26 PM
In response to the_rock
Jump to solution

Compliance its not the same as the vulnerabilities scanning, he would need to do a credentialed scan of the FW with Nessus. Any vulnerabilities would then need to be remediated in order to be in compliance with a specific security framework or internal policy. In case the scan is for the network the firewall shall not be in between as false positives or IPS may block scanning and/or not proper scanning would work.

 

 

the_rock
Legend
Legend
‎2022-02-25 05:43 AM
In response to K_montalvo
Jump to solution

Thats true brother, I mixed up the two : - )

Daniel_Kavan
Advisor
‎2022-02-28 05:12 AM
In response to K_montalvo
Jump to solution

The only complication I can see is that Nessus recommends the same UID of 0 (the same as the admin user) for the two new users.

Scanning Check Point Gaia with Tenable Nessus

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-02-28 05:29 AM
In response to Daniel_Kavan
Jump to solution

You should also consider sk100647 when you review your scanning results.

CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-02-24 02:41 PM
Jump to solution

Did you work with your local SE to open an RFE for this?
(For awareness there is also some coverage here in other areas e.g. PRO support.)

As your ISSO and others have highlighted these serve different purposes.

Though some might also question the usefulness of scanning a Firewall with Nessus, it sounds like independent/external validation is what your after.

CCSM R77/R80/ELITE
Daniel_Kavan
Advisor
‎2022-02-25 05:42 AM
In response to Chris_Atkinson
Jump to solution

done, o91118xT0

Yeah, CVE scans are different than the compliance blade CIS style reports, but it seems like a perfect add-on to the compliance blade which is already doing scans.

Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events