Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Scott_Paisley
Advisor

Periodic policy review

Hi

Firewall best practice suggests that every rule on the firewall should have a bunch of meta-data associated with it, like who requested it, who approved or implemented it, when it was implemented, and perhaps change tickets and audit trails of changes to the rule over time.

Checkpoint R80 does all of that, but the next stage of an audit suggests that each rule be reviewed periodically to make sure it is still necessary, that the systems it was created to support still exist or operate in the same way, and so on.

I understand 3rd party tools like Tufin offer this kind of functionality, but is there is something in Checkpoint in the audit features or compliance maybe that can list all the rules that are say 3 years old and should be reviewed now, and would allow the 'review' clock to be reset at that time?

Am I missing something obvious?

Thanks

0 Kudos
8 Replies
HeikoAnkenbrand
Champion Champion
Champion

Hi @Scott_Paisley,

As you described it.
We always use Tufin with SecureTrack and SecureChange.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
_Val_
Admin
Admin

@Corinne_Vakulen Can we leverage Compliance blade here?

0 Kudos
Corinne_Vakulen
Employee
Employee

Hi,

Compliance blade can definitely support your with what it called is the regulatory jargon "Continuous Monitoring".  The Compliance Best Practices will scan your CP environment and FW policies 24/7.  If any the rules violates any of the controls (best practice) defined in the blade by the company or Check Point, you will be notified by a Security Alert (also stored as a log) and information on the rule base will display as "Low, Medium or Poor" on your best practice status.  We will even provide you with the exact policy name and rules in violation.

Having said that,  Compliance comes with build in checks/best practices which do not always check all your organization demands.  Therefore, as you mentioned in your initial request, you can create your own User Best Practices to check and show specific rules that have not been reviewed for the past 3 years for example. You may search for the Compliance Admin Guide on our Support portal for usage instructions.

Corinne

0 Kudos
Scott_Paisley
Advisor

Thanks

I am familiar with the behaviour in your first paragraph. If we write a 'bad" rule it flags it

Your second paragraph sounds like what I am looking for. I will check the guide, but what is not apparent to me is how it knows when the rule was reviewed. That doesn't seem to be a visible field in the policy viewer.

0 Kudos
Scott_Paisley
Advisor

Hi

Maybe I am missing something. I can write a custom policy, but the only way I can see to do what I want is to put a 'review date' in the comments, and then search for that field and somehow work out how old it is. 

Is there a better way of doing this?

Thanks

0 Kudos
MarioB_1
Participant

How would system knew, which policies did you review?

It could know when did you create or modify a policy, but not when did you review it. When you review something, you have to flag it somehow. If that is done automaticaly (the review), than it looses its purpose.

The question is, does CheckPoint support timestamps for when was policy created/modified?

0 Kudos
Scott_Paisley
Advisor

Checkpoint does timestamp the policy creation date in metadata, but that doesn't survive an upgrade. Most of our policies have a creation date of the day we did the R80 migration. It may work from now on, but we still have the problem of audit. If I look for a rule that is 3 years old, and I don't change it, how do I know it was audited?

0 Kudos
MarioB_1
Participant

I am thinking of, putting in comments: Create date, Modify date and Audit date.

This way when you will be looking at the policy (Security or NAT) you will immediately know when was created, when was the last time modified and when was audited.

But You will have to stick to the process. It is not bulletproof.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events