Hello Checkmates!
Got a question about the best practice for getting a current application object updated with missing service objects. I've searched around and can't seem to find a direct answer/path; looking for some guidance.
I've read through these two SKs and they seem to be more about custom apps that are either not defined by Check Point or may need some signature 'tweaks' to the existing ones. (https://support.checkpoint.com/results/sk/sk103051)
This 'best practice' SK doesn't seem to fit the case either (https://support.checkpoint.com/results/sk/sk165094)
Problem:
- The application I am trying to update is for SAP. I have noticed that only a select few of the ports are being captured with this application, and that the only non-web-browsing ports it defines are TCP 3200 and TCP 3370.
- Other "SAP" applications within the management DB don't seem to capture all of them either, and I also have questions about the signatures used.
  - One example is "SAP NetWeaver", which has TCP 3600-3699 & TCP 3900-3999 defined.
  - Another example is "SNC for SAP NetWeaver", which lists only TCP 3200, but I see it matching higher TCP 32XX ports in logs???
- From working with some SAP application teams, it looks like the ranges TCP 3200-3299, TCP 3300-3399 & TCP 3600-3699 are used for some S/4HANA and integration connections.
  - These are not matching any existing "SAP" apps in the Check Point DB.
- When I compare the "SAP" application with competitors' definitions, I do see additional ports defined in their applications.
  - Palo Alto (https://applipedia.paloaltonetworks.com/), app name "sap":
    - tcp/80,3200-3299,3300-3399,3600-3699,4800-4899,8000-8001,8010,8080,8100-8199,8443,50000-59914,443
  - Fortinet
    - Has a bunch of SAP ones that match the ports.
Questions:
1) Is there a place to request that Check Point update their application database? Common applications like SAP would seem to be a use case; I'm trying to see if there is something more than 'open a TAC case' or 'contact your account team' 🙂
2) If I have no issues with the current signatures, only with the service ports, is the 'best practice' to clone the existing application and customize it from there?
3) If I want to check for application 'hits' after making a modification, do I need to place it explicitly in a rule, or do I just need to install policy on the box so the application database updates? I'm referring to a log where I have 'extended' and/or 'detailed' logging set, to see which application it would match.
4) The "SNC for SAP NetWeaver" application states it's only TCP 3200, but I see it hitting multiple ports (3214, 3215, 3216, etc.). How is this matching the application if the service port range is not defined? I looked at it in GuiDBedit but couldn't find any service ports for any application. Is there another spot I would have to look so I can understand the accuracy of the service ports for each application?