Danny Jung

Check Point configuration mistakes - Top 10

Discussion created by Danny Jung Champion on Aug 31, 2017
Latest reply on Oct 23, 2018 by 1ed54ed4-2409-4ee0-b942-4bf8a5ceb750


When reviewing Check Point security configurations I often experience similar configuration mistakes. Below is my Top 10 list of very typical mistakes with R77.x installations. Please share yours.


1. Missing documentation of actual configuration (network map, recent migration documents, comment fields)

2. Use of Non-standard ASCII characters or reserved words (improved in R80)
(sk105708, sk40768, sk104077, sk85540, sk106573, sk40179, sk34990)

3. On-board NICs, Broadcom NICs or Non-Intel NICs in use (Open Server)
(HCL NIC limitations, sk44584, Max Power Firewalls)

4. Missing segmentation of firewall management (SmartCenter) to secure the firewall infrastructure

5. Direct login into Bash shell for admin account or identical passwords for Clish login (User Mode) and Bash login (System Mode)
(most often to enable SCP file transfers, because the SCP-only shell is not known)

6. Missing firewall stealth rules in header of rulebase
(How to create a stealth rule)

7. Unidentified bridges between networks / Unidentified error messages in log files
(e.g. central firewall management was configured as a gateway object instead of a host object and has two or more physical networks connected)

8. VPN tunnels are not consistently secured with VPN certificates
(How to set up certificate based VPNs with Check Point appliances)

9. Stateful inspection or IP address spoofing is disabled

10. Missing optimizations (CoreXL, SecureXL, drop & capacity optimization, rules not ordered by hit count, no use of color codes, missing naming convention etc.)
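Three of the items above (2, 6 and 10) can be checked mechanically. The following added example, not part of the original post, is a small lint over a simplified rulebase export: it confirms a stealth rule exists in the header with no Accept-from-Any rule above it, flags non-ASCII characters in rule and object names, and reports body rules that are out of descending hit-count order. The rule field names, the gateway object name `fw-gw` and the sample rulebase are constructed assumptions, not Check Point's own export format.

```python
# Rule dicts and the sample rulebase below are constructed for this example;
# the field names are a simplification, not Check Point's own export format.
GATEWAY = "fw-gw"  # assumed name of the gateway object

SAMPLE_RULES = [
    {"name": "Mgmt to GW", "source": "Mgmt-Net", "destination": GATEWAY, "action": "Accept", "hits": 120},
    {"name": "Stealth", "source": "Any", "destination": GATEWAY, "action": "Drop", "hits": 4000},
    {"name": "Web", "source": "Any", "destination": "Web-Srv", "action": "Accept", "hits": 150000},
    {"name": "Büro DNS", "source": "Office-Net", "destination": "DNS-Srv", "action": "Accept", "hits": 9000},
    {"name": "Mail", "source": "Any", "destination": "Mail-Srv", "action": "Accept", "hits": 25000},
    {"name": "Cleanup", "source": "Any", "destination": "Any", "action": "Drop", "hits": 500000},
]

def is_stealth(rule):
    """Stealth rule: traffic from anywhere to the gateway itself is dropped."""
    return rule["action"] == "Drop" and rule["source"] == "Any" and rule["destination"] == GATEWAY

def is_cleanup(rule):
    """Cleanup rule: Any to Any is dropped (conventionally the last rule)."""
    return rule["action"] == "Drop" and rule["source"] == "Any" and rule["destination"] == "Any"

def lint_rulebase(rules):
    """Return a list of findings; an empty list means none of the three checks fired."""
    findings = []
    stealth_idx = next((i for i, r in enumerate(rules) if is_stealth(r)), None)
    if stealth_idx is None:
        findings.append("no stealth rule found")
    else:
        # An Accept from Any placed above the stealth rule lets that traffic reach the gateway.
        for r in rules[:stealth_idx]:
            if r["action"] == "Accept" and r["source"] == "Any":
                findings.append(f"rule '{r['name']}' accepts from Any above the stealth rule")
    # Mistake 2: non-ASCII characters in rule or object names.
    for r in rules:
        for field in ("name", "source", "destination"):
            if not r[field].isascii():
                findings.append(f"non-ASCII character in {field} of rule '{r['name']}'")
    # Mistake 10: body rules (after stealth, before cleanup) should be ordered by descending hit count.
    body = rules[stealth_idx + 1:] if stealth_idx is not None else list(rules)
    if body and is_cleanup(body[-1]):
        body = body[:-1]  # the cleanup rule stays last regardless of its hits
    for prev, cur in zip(body, body[1:]):
        if cur["hits"] > prev["hits"]:
            findings.append(f"rule '{cur['name']}' has more hits than '{prev['name']}' above it")
    return findings

if __name__ == "__main__":
    for finding in lint_rulebase(SAMPLE_RULES):
        print(finding)
```

Running it on the constructed sample reports the non-ASCII rule name and the "Mail" rule sitting below a less-hit rule; the management rule above the stealth rule is not flagged because its source is not Any.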
