Re: SCADA protocols DPI Visibility and Enforcement

Eyal_Rashelbach · ‎2017-07-19

#There is a confusion with our SCADA support definitions.

What is DPI (Deep Packet/Protocol Inspection)?
Which protocols are supported in DPI level ?
What are our enforcement capabilities with regards to DPI?

So, let’s use the following update from R&D to make some order in this repeated question.

We have 3 levels of Protocol support by Application Control Blade:

1^st level - Protocol Identification – we have over 15 different identified protocols
2^nd level - Function (Command) level.
An updated list may be found in appwiki.checkpoint.com – currently 918 commands support >15 different protocols.
3^rd level - Deep Protocol Inspection
Ability to identify Parameters within the commands, such as Values and Addresses
(can’t be seen in appwiki.checkpoint.com and therefore the report below gives the current status).

All the 4 protocols below are identified in the 3 levels:

Protocol	Ability to identify protocol	Ability to identify commands within protocol	Ability to identify parameters within protocol
Modbus	YES	YES	YES
IEC104	YES	YES	YES
DNP3	YES	YES	YES
CIP	YES	YES	YES

As you can see below, the ability to Log detailed information (Addresses and Values) and supply high visibility (in DPI level), doesn’t equal to our ability to Enforce policies based on all details – See the differences in the following tables:

Ability to log:

Protocol	Unit ID	Function	Address	Group	Value
Modbus	V	V	V		V (only for registers)
IEC104	V	V	V		V
DNP3		V	V	V	V
CIP	V	V	V		V

Ability to enforce :

Protocol	Unit ID	Function	Address	Group	Value
Modbus	V	V	V		V (only for registers)
IEC104	V	V	V		V
DNP3		V	V	V
CIP	V	V	V

SCADA Set-Up and Troubleshooting

Follow installation instructions from Release Notes at SK106020:

For Management Side:
- Install R77.30
- Install R77.30 add-on
- Update Deployment Agent
- Install CFG jumbo hotfix take 225
- Install SCADA hotfix
- If managing 1200R, then install BC package
For Gateway Side:
- Install R77.30
- Update Deployment Agent
- Install CFG jumbo hotfix take 225
- Install SCADA hotfix
Install SmartConsole from Release Notes at SK106020
Installing it will allow the administrator to create custom SCADA applications for relevant protocols
Rulebase: Make sure “complete log” is the selected tracking option
Application Control blade. SCADA is run as application, Make sure it is checked under Gateway properties
For each protocol you wish to apply Deep Packet Inspection (DPI), you will need to first create a custom SCADA application for that protocol and then create a rule with “complete log”

Feel free to ask any question you might have.

Thanks to Mati Epstein‌ for this elaboration

PhoneBoy · ‎2017-07-19

This is great information, thanks for sharing!

Evan_Dumas · ‎2017-07-25

Hey https://community.checkpoint.com/people/eyalre2474d7c-0b58-4fab-8e04-107bb8721a28‌ do we have any commentary on why the status for logging and enforcement is in the current status? and any plans for modification or enhacement?

Eyal_Rashelbach · ‎2017-07-25

Hi i'm not sure what do you refer in:
"...the status for logging and enforcement is in the current status? "

If you referred to the Ability to log and Ability to enforce tables above, pls. note they are not completely the same...

Regarding modification or enhancements if you have special requests please issue RFE

Maciej_Maczka · ‎2017-10-25

Hi,

Can we do this on R80.10?

MM

Ivan_Pedraza · ‎2017-10-27

Thanks a lot!! is it possible with R80.10?

Maciej_Maczka · ‎2017-11-06

Hi,

can you please update instructions as sk106020 was removed?

Best Regards

MM

DeletedUser · ‎2017-11-08

As of today the sk106020 access level is internal. Am sure this will change, but for now you'll have to contact your Check Point rep to get access.

hth,

bob

Iain_Keir1 · ‎2017-11-16

Given that sk106020 is now internal, is the above process still the Check Point endorsed method of delivering their ICS solution? If so it seems very prohibitive.

Iain
CISSP

Eyal_Rashelbach · ‎2017-11-16

Yes, The process is the same.

We work to simplified the clean I.

Yet the policy setting will be the same.

Best Regards,

Eyal Rashelbach

David_PALA · ‎2017-12-08

Hey Bob !

Any "public" release date for the SK as we urgently need it, and asking our rep will take too loooooonnnnnnggggg...?

🙂

TIA

Best Regards

David

Raymond_Chin · ‎2017-12-18

Can this be done on a 1200R appliance standalone?

G_W_Albrecht · ‎2018-02-07

Here, you do have a Applications & URL Filtering category "SCADA Protocols" - but you can not see what it contains. sk105738 lists: Application Control: Introducing the extended ICS SCADA offering with over 10 protocols (e.g: Modbus, DNP3, OPC, IEC-104, etc.), 500 command-level monitoring as well as granular parameter visibility of Modbus traffic.

But there is no mentioning of SCADA neither in Local or Central Admin Guide nor in any sk...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Shlomi_Feldman · ‎2018-02-18

Hi Guenther,

could please explain me what is the issue you are claiming above?

do you want to know what is the SK which describe the extended SCADA capabilities?

G_W_Albrecht · ‎2018-02-18

Hi Shlomi,

i claim no issue, but wrote that the only place i found referring to SCADA details is sk105738 - so if you you know the SK which describe the extended SCADA capabilities fpr Embedded GAIA devices, please let me know!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Richard_Quick · ‎2018-05-16

Can someone please point me to the documentation to change Level 2 & Level 3 settings for ICS protocols when using R80.10 MDS and R80.10 Gateway versions? We see this is possible with R77.30 but are missing the information for R80.10.

PhoneBoy · ‎2018-05-16

Some of those settings are not yet available in R80.10 (particularly the Level 3 settings).

Shlomi_Feldman · ‎2018-05-20

level 3 settings are available in R80.10 and it is possible to develop a SCADA application by CLI (no UI yet)

PhoneBoy · ‎2018-05-21

Is there docs we can point at that explains how to do this?

Shlomi_Feldman · ‎2018-05-21

you can find it [linked removed by admin]

PhoneBoy · ‎2018-05-22

Is that info available externally for customers?

Pablo_Barriga · ‎2018-05-22

Could you please post some of the commands required to achive that, on version 77.30 I just needed o modify the database to get those options.

Shlomi_Feldman · ‎2018-05-22

Pablo.

In 77.30 you needed to install a specific HF and then you had UI for generating DPI applications.

In 80.10 after you install the HF, you are able to generate the DPI application but without UI using CLI.

The CLI syntax can be found in the document I attached yesterday.

Examples:
mgmt_cli add scada-application name modbus_unit_3 scada-properties.0.key protocol scada-properties.0.value Modbus scada-properties.1.key unit scada-properties.1.value 3
mgmt_cli add scada-application name cip_function_4 scada-properties.0.key protocol scada-properties.0.value CIP scada-properties.1.key function scada-properties.1.value 4

Pablo_Barriga · ‎2018-05-23

thanks for the information

Ken_Coyer1 · ‎2018-05-23

Shlomi, this must be an internal link because it does not take me anywhere.

PhoneBoy · ‎2018-05-23

It's an internal link.

Shlomi Feldman‌ can you share the relevant details from that link to CheckMates?

Marcos_Vieira · ‎2020-09-15

I think this is an internal site as pointed by PhoneBoy in his comment below. I was unable to access it.

Are you a member of CheckMates?

SCADA protocols DPI Visibility and Enforcement