Slides are attached below.
Q&A is below.
In what versions is Compliance Blade available?
The compliance blade is included in all currently supported versions, and it is free of charge for the first year with the purchase of a Smart-1 appliance.
Why should customers who already have Tufin go ahead with Compliance Blade? What are the differences?
Compliance Blade looks at the entire Check Point environment: Blades, Gaia OS, etc. Tufin looks at firewall configs. Many customers use both.
Can you define a check yourself if you can't find it in the pre-defined list?
Yes.
I see blades (such as App Control) being highlighted as 'poor' security, when in fact the customer does not use them or have them enabled as they have another 3rd party web filtering product. Is this expected behavior? Or should I disable blade alerts in Compliance as they are not excluded by default?
Yes, the alerts should be disabled along with the relevant best practices.
We have a split environment (i.e. logging & SmartEvent on one server, policy management and compliance blade on another server). Is this a valid configuration?
This config is valid. Many customers use the same in their environment.
Can we enforce a best practice with Compliance Blade? (For instance, prevent certain policy configurations, such as setting "accept" as the action for the stealth rule.)
Compliance Blade only flags issues. You can leverage SmartTasks to enforce specific policy requirements, but it requires scripting. R81.20 has a "four eyes" capability that can require a second set of eyes to review changes before they are published.
Can this interface be used with Harmony Endpoint Compliance blade, or is this strictly for gateway/security device compliance?
Currently, this is available for Quantum Security Gateways. Integration with Harmony Endpoint is on the roadmap.
What is the average delay between a new version of a standard and the corresponding upgrade in the Check Point modules?
Usually no more than 30 days from the release of the new regulation version. However, this largely depends on customer demand and may require an RFE.
How frequently do we need to check compliance?
That depends on the organization.
What's the performance impact of an analysis for the Compliance Blade? If it's run every day, or every hour, how much of a negative impact can we expect in our environment?
While the actual impact can vary depending on size, it can be noticeable (20% increase in CPU during the check). This is one reason the compliance checks are done once a day during off hours.
Does Compliance look at baseline configuration and identify OS and CLI configuration issues, like SSHv1 instead of SSHv2 enabled?
Compliance Blade looks primarily at the configuration in the Security Management. You can have it run a script on the gateway itself to determine compliance, but that script must be developed on your own.
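As an added illustration of the kind of gateway-side script this answer refers to (not Check Point code), the following checks an sshd_config file for the SSHv1 case raised in the question. The function names, verdict strings and the default used when no Protocol line exists are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. Function names and verdict words are assumptions.

# Print the effective Protocol value from an sshd_config file (empty if unset).
# sshd uses the first occurrence of a keyword; keywords are case-insensitive
# and may be followed by whitespace or "=".
effective_ssh_protocol() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                      # leading whitespace
            if (line ~ /^#/) next                         # comment line
            if (tolower(line) ~ /^protocol[ \t=]/) {
                sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", line) # drop keyword and "="
                sub(/[ \t]*#.*$/, "", line)               # trailing comment
                gsub(/[ \t]/, "", line)                   # "2, 1" -> "2,1"
                print line
                exit
            }
        }' "$1"
}

# Print a verdict for one file and return 0 (compliant), 1 (SSHv1 enabled) or 2 (error).
# $2 is the value assumed when no Protocol line exists (assumption: "2";
# set it to match the sshd build on the gateway).
check_ssh_protocol() {
    [ -r "$1" ] || { echo "ERROR unreadable"; return 2; }
    proto=$(effective_ssh_protocol "$1")
    [ -n "$proto" ] || proto=${2:-2}
    case ",$proto," in
        *,1,*) echo "NON_COMPLIANT Protocol=$proto";    return 1 ;;
        ,2,)   echo "COMPLIANT Protocol=$proto";        return 0 ;;
        *)     echo "ERROR unexpected Protocol=$proto"; return 2 ;;
    esac
}

# Constructed sample configs (not taken from a real gateway).
demo_dir=$(mktemp -d)
printf '# Protocol 1\nPort 22\nprotocol=2,1\nProtocol 2\n' > "$demo_dir/legacy"
printf 'Port 22\nPermitRootLogin no\nProtocol 2\n' > "$demo_dir/v2only"
printf 'Port 22\n' > "$demo_dir/unset"
for f in legacy v2only unset; do
    printf '%s: ' "$f"; check_ssh_protocol "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

The `legacy` sample shows why the first matching line decides the verdict: the later `Protocol 2` line does not override `protocol=2,1`.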
Is there any warning before doing any change that will cause performance issues on the GW?
No, as that is out of scope of the compliance blade.