Checkpoint option for DMZ-based update server
Hello Checkmates --
What are the Checkpoint options for deploying a dedicated "update server" on a DMZ, allowing Security Gateways to receive updates for advanced blade features?
This is not a new topic for certain Govt networks and Utility SCADA networks where Internet isolation is best practice.
The keys:
1) Advanced features enabled on Checkpoint gateways: IPS, Antibot, AppCtl.
2) The Checkpoint gateway can't talk outside the local network (i.e. it can't communicate directly with Checkpoint public update servers).
3) Granular communication to a specific "update server" on the DMZ is permissible.
Please advise with your thoughts. Thanks.
Labels: App Control, Appliance
The term you should ask about is "Private Threat Cloud" or PTC. My environment has some. I strongly recommend against them. They've given us nothing but headaches.
Hello @Bob_Zimmerman -- thanks for the quick reply and insight.
Yes -- I suggest the customer will be excited about a solution:
1) not a headache
2) no additional cost
Speaking of headaches and PTCs, the firewalls which use the PTCs have been failing to get updates for a few days. The PTC health report said everything is fine. Turns out the certificates the PTCs present for the name updates.checkpoint.com just expired with no warning, and that isn't checked in the health report.
It's a minor issue, but frustrating. Cost some coworkers a few hours trying to figure out what was going on.
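The expiry described in the post above can be monitored independently of the PTC health report. The following is an added example, not part of the thread and not Check Point tooling: it performs a TLS handshake against the PTC while asking for the name updates.checkpoint.com and reports how long the presented certificate remains valid. The PTC address, port 443, the CA bundle path and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

UPDATE_NAME = "updates.checkpoint.com"  # name the PTC presents a certificate for (from the thread)
WARN_DAYS = 30                          # assumed alerting threshold


def classify_expiry(not_after, now, warn_days=WARN_DAYS):
    """Classify a getpeercert() 'notAfter' string; returns (status, whole days left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "WARN", days_left
    return "OK", days_left


def check_ptc(ptc_addr, port=443, cafile=None, timeout=10):
    """Handshake with the PTC the way a client asking for UPDATE_NAME would.

    ptc_addr, port and cafile are assumptions: the PTC's address, its HTTPS
    port, and a PEM bundle holding whichever CA issued the PTC certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((ptc_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=UPDATE_NAME) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already expired certificate fails validation and lands here.
        return "FAIL", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    status, days = classify_expiry(not_after, datetime.now(timezone.utc))
    return status, f"{days} days left (notAfter {not_after})"


if __name__ == "__main__":
    # Constructed notAfter values, evaluated at a fixed constructed date.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for sample in ("Dec 31 23:59:59 2023 GMT", "Jan 11 00:00:00 2024 GMT",
                   "Jun  1 00:00:00 2024 GMT"):
        print(sample, classify_expiry(sample, now))
```

Run `check_ptc` on a schedule from a host that is allowed to reach the PTC, and alert on any status other than OK.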
PTC or a Proxy are the solutions that come to mind.
IPS and App Control have actual signatures that can be downloaded.
Most everything else is a dynamic lookup to ThreatCloud, for which you would need Private ThreatCloud: https://support.checkpoint.com/results/sk/sk149692
