Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Kavan
Advisor

vulnerability scanning & compliance blade

Jump to solution

Our ISSO wants to do nessus scanning for vulnerabilities even though we already have the compliance blade.    Is there any reason not to?  Has anyone run into issues with creating a user for nessus & letting it scan the firewall?   Is anyone else scanning their firewalls with Nessus?

I've requested in the past that CP adds CVE to the compliance blade.   It seems like it would be an easy and very helpful addition.  I know we have the web page that show the CVEs but this way we would also know which ones we've patched.

 

message from ISSO

Show me a report showing vulnerabilities report.  However, all I’ve seen are compliance reports.  Those are like CIS reports, not vulnerability reports.  Very different.  However, both are important. 

I’m looking for something that shows the current vulnerabilities (CVE’s) on the system. 

If you can produce that from the firewall not from a checkpoint list I’ll let it go.  If not, I really want a verified scan of the Firewall’s OS from Nessus.

1 Solution

Accepted Solutions
K_montalvo
Advisor

Compliance its not the same as the vulnerabilities scanning, he would need to do a credentialed scan of the FW with Nessus. Any vulnerabilities would then need to be remediated in order to be in compliance with a specific security framework or internal policy. In case the scan is for the network the firewall shall not be in between as false positives or IPS may block scanning and/or not proper scanning would work.

 

 

View solution in original post

7 Replies
the_rock
Champion
Champion

Thats a good point...maybe someone can confirm, but I dont believe you would get current vulnerabilities on the system with compliance blade. I will do some lab testing and check for you.

Andy

K_montalvo
Advisor

Compliance its not the same as the vulnerabilities scanning, he would need to do a credentialed scan of the FW with Nessus. Any vulnerabilities would then need to be remediated in order to be in compliance with a specific security framework or internal policy. In case the scan is for the network the firewall shall not be in between as false positives or IPS may block scanning and/or not proper scanning would work.

 

 

the_rock
Champion
Champion

Thats true brother, I mixed up the two : - )

Daniel_Kavan
Advisor

The only complication I can see is that Nessus recommends the same UID of 0 (the same as the admin user) for the two new users.

Scanning Check Point Gaia with Tenable Nessus

0 Kudos

You should also consider sk100647 when you review your scanning results.

0 Kudos

Did you work with your local SE to open an RFE for this?
(For awareness there is also some coverage here in other areas e.g. PRO support.)

As your ISSO and others have highlighted these serve different purposes.

Though some might also question the usefulness of scanning a Firewall with Nessus, it sounds like independent/external validation is what your after.

Daniel_Kavan
Advisor

done, o91118xT0

Yeah, CVE scans are different than the compliance blade CIS style reports, but it seems like a perfect add-on to the compliance blade which is already doing scans.

Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...

 

 

0 Kudos