ATRG: Compliance Blade (R80.10 and higher)

Table of Contents

  • Overview
  • Key Features
    • Best Practice Tests
    • Regulatory Compliance
    • Supported Regulatory Standards
    • Continuous Compliance Monitoring
    • Compliance Alerts
  • Working with the Check Point Compliance Blade
  • System Requirements
  • The Check Point Compliance Blade User Interface
    • The Overview Pane
    • Creating a User-Defined Security Best Practice for Firewall rules
    • Creating a User-Defined Gaia OS Best Practice
    • Searching, Grouping, Sorting
    • Working with Alerts and System Messages
  • Enforcing Best Practices
    • Activating Best Practice tests
    • Deactivating Tests
    • Running a Manual Scan
  • Working with Regulatory Compliance
    • Activating and Deactivating Regulatory Standards
    • How to Import a Regulation or Standard to the Compliance Blade
  • Working with Action Items
    • Corrective Steps
  • Running Reports
  • Exporting Data
  • Troubleshooting
    • Initial Installation of the Software
    • Licensing
    • Post install - Initial Scan
    • Resolution issues
    • Exclusions - Deactivating a Best Practice, or object within a Best Practice
    • Action Items
    • Save in Other Blades
    • Report Generation
    • Excel Export
    • Gateway Favorites
    • Inactive Objects
    • Install Policy
    • Help File
    • Scoring
    • "NA" Best Practices
    • Conditional Best Practices
  • Debugging
    • Rescan issues
  • Important Notes
  • R80.10 Compliance Blade SecureKnowledge Articles

 

Overview

The Check Point Compliance Blade is a dynamic solution that continuously monitors the Check Point security infrastructure. This unique product examines your Security Gateways, Blades, policies and configuration settings in real time. It compares them with an extensive database of regulatory standards and security best practices. The Check Point Compliance Blade includes many graphical displays and reports that show compliance with the applicable regulatory standards.

 

Key Features

  • Best Practice Tests

    The Check Point Compliance Blade has a library of Check Point-defined tests to use as a baseline for good gateway and policy configuration. A Best Practice test is related to specified regulations in different regulatory standards. It describes compliance status and recommends corrective steps.

    • Global Tests - Examine all applicable configuration settings in the organization.
    • Object-based Tests - Examine the configuration settings for specified objects (gateways, profiles and other objects).
  • Regulatory Compliance

    The Check Point Compliance Blade monitors the status of applicable regulations and shows them in an easy-to-read view. Each line shows the status, compliance score, and best practices for one or more related tests and for related gateways and policies.

  • Supported Regulatory Standards

    The Check Point Compliance Blade supports these regulatory standards:

    | Standard | Location | Description | Version |
    | --- | --- | --- | --- |
    | Australian Privacy Principles (APP) | Australia | The Australian Privacy Principles (APPs) replace the National Privacy Principles and Information Privacy Principles and apply to organisations, and Australian, ACT and Norfolk Island Government agencies. The APPs referenced here are taken from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which amends the Privacy Act 1988. | R77.30 and higher |
    | AUISM | Australia | AUISM (Australian Government Information Security Manual): The ISM helps organizations use their risk management framework to protect information and systems from cyber threats. The cyber security guidelines within the ISM are based on the experience of the ACSC within ASD. | Can be imported to both R77.X and R80.X |
    | CIPA | USA | The Children's Internet Protection Act (CIPA) requires that K-12 schools and libraries in the United States use Internet filters and implement other measures to protect children from harmful online content as a condition for federal funding. It was signed into law on December 21, 2000, and was found to be constitutional by the United States Supreme Court on June 23, 2003. | R77.30 and higher |
    | CJIS | USA | CJIS is the Criminal Justice Information Services Security Policy. The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. CJIS is divided into 12 individual policy areas. The controls listed here are referenced in Version 5.2, dated 08/09/2013. | R77.30 and higher |
    | CobiT 4.1 (IT SOX) | USA | IT goals for ensuring system security. CobiT is also used as the basis for IT SOX compliance. | R77.30 and higher |
    | Cobit 5.0 | International | The requirements listed under CobiT 5.0 are taken from the Deliver, Service and Support IT Domain. Within this, the reference is specifically to DSS05: Manage Security Services. DSS05 is divided into seven requirements: 1) Protect against Malware; 2) Manage network and connectivity security; 3) Manage endpoint security; 4) Manage user identity and logical access; 5) Manage physical access to IT assets; 6) Manage sensitive documents and output devices; and 7) Monitor the infrastructure for security-related events. | R80.20.M1 and higher |
    | Customer Security Programme (CSP) (SWIFT) | | While all customers are responsible for protecting their own environments, SWIFT has established the Customer Security Programme (CSP) to support customers in the fight against cyber-attacks. SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services. | R80.20.M1 and higher |
    | DSD | Australia | Australia’s top 35 IT security mitigation strategies. | |
    | FIPS 200 | USA | A requirement under FISMA that requires Federal organizations to comply with the Recommended Security Controls specified in NIST 800-53. | R77.30 and higher |
    | DISA Firewall STIG | USA | Technical paper detailing guidelines to configure Firewalls. | R77.30 and higher |
    | GDPR | International | General Data Protection Regulation - Directive 95/46/EC of the European Parliament and of the Council seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States. | R80.20.M1 and higher |
    | GLBA | USA | US regulation related to Financial Privacy and Safeguards. | R77.30 and higher |
    | GPG13 | UK | Good Practices Guide defines best practices from the UK government. | R77.30 and higher |
    | HIPAA Security | USA | Patient data protection act for Healthcare in the USA. | R77.30 and higher |
    | ISO 27001 | International | International framework for the management of Information Security. | R77.30 and higher |
    | ISO 27002 | International | Implementation guidelines for each of the 133 control objectives defined within ISO 27001. | R77.30 and higher |
    | IT Grundschutz - Security Gateway | Germany | The IT-Grundschutz-Kataloge ('IT Baseline Protection Manual') is a collection of documents from the German Federal Office for Security in Information Technology (BSI) that provides useful information for detecting weaknesses and combating attacks in the information technology environment. The Compliance Blade looks at Module S3: IT Systems, and specifically at the requirement S.3.301 Security Gateway (Firewall). Check Point has used the 2013 English translation provided by BSI. This is a sample of the overall regulation. | R80.20.M1 and higher |
    | Katakri 3.0 | Finland | Katakri 3.0 refers to the Finnish National Security Authority's National Security Auditing Criteria. Katakri is divided into four sub-divisions: Administrative, Personnel, Physical, and Information Assurance. The mapping provided by Check Point has focused on Information Assurance. Katakri provides different levels of security requirements. The Check Point Katakri mapping is based on 'Requirements for the base level (IV)'. | R77.30 and higher |
    | MAS TRM | Singapore | Technology Risk Management guidelines from the Monetary Authority of Singapore. | R77.30 and higher |
    | Mauritius Data Privacy | Mauritius | The Mauritius Data Privacy Act of 2004 is to provide for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals. The Compliance Blade specifically refers to Section 27 (1) (a) that deals with Data Security. | R80.20.M1 and higher |
    | N-CIPA | USA | The Neighborhood Children's Internet Protection Act (NCIPA) places restrictions on the use of funding that is available through the Library Services and Technology Act, Title III of the Elementary and Secondary Education Act, and on the Universal Service discount program known as the E-rate (Public Law 106-554). These restrictions take the form of requirements for Internet safety policies and technology which blocks or filters certain material from being accessed through the Internet. | R77.30 and higher |
    | NERC CIP | USA | Cyber security requirements for Utility companies in the USA. | R77.30 and higher |
    | NERC CIP (v.5) | USA | The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. On November 22, 2013, FERC approved Version 5 of the critical infrastructure protection cybersecurity standards (CIP Version 5), which represent significant progress in mitigating cyber risks to the bulk power system. In 2014, NERC initiated a program to help industry transition directly from the currently enforceable CIP Version 3 standards to CIP Version 5. The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP Version 5, as well as the expectations for compliance and enforcement. | |
    | New York State Cybersecurity Regulation (NYDFS) | N.Y. | The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. Covered institutions must adhere to many of the new requirements by as early as August 28, 2017. | R80.20.M1 and higher |
    | NIST 800-41 | USA | Guidelines on Firewalls and Firewall Policy from NIST. | R77.30 and higher |
    | NIST 800-53 | USA | Recommended security controls from NIST. Key document for FISMA and FIPS 200 requirements. | R77.30 and higher |
    | NIST 800-171 | USA | Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations: The protection of Controlled Unclassified Information (CUI) while residing in non-federal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This NIST 800-171 Special Publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI. | R80.20.M1 and higher |
    | NZISM | New Zealand | New Zealand Information Security Manual: The New Zealand Information Security Manual details processes and controls essential for the protection of all New Zealand Government information and systems. Controls and processes representing good practice are also provided to enhance the essential, baseline controls. Baseline controls are minimum acceptable levels of controls. Essential controls are often described as 'systems hygiene'. | Can be imported to both R77.X and R80.X |
    | PCI DSS 2.0 | USA | PCI DSS 2.0 (Payment Card Industry Data Security Standard Version 2.0) is the second version of the Payment Card Industry Data Security Standard (PCI DSS) released in October 2010. | R77.30 and higher; 3.1 - not available; 3.2 - R80.20.M1 and higher |
    | PCI DSS 3.0 | USA | PCI DSS 3.0 (Payment Card Industry Data Security Standard Version 3.0) is the third version of the Payment Card Industry Data Security Standard (PCI DSS) released in November 2013. | (From R80.20, PCI-DSS 3.2) |
    | PCI-DSS 3.2.1 | International | PCI-DSS is a legal obligation mandated not by government but by the credit card companies. Any company that is involved in the transmission, processing or storage of credit card data must be compliant with PCI-DSS. PCI is divided into 12 main requirements, and further broken down into approximately 200 control areas. There are different levels of PCI compliance depending on the number of transactions that are being processed by the company. | Can be imported to both R77.X and R80.X |
    | PPG234 | Australia | This prudential practice guide (PPG) aims to assist regulated institutions in the management of security risk in information and information technology (IT). It is designed to provide guidance to senior management, risk management and IT security specialists (management and operational). | R77.30 and higher |
    | Protection of Personal Information Act, 2013 (POPI) | South Africa | The Protection of Personal Information Act, 2013, is an official act of the Republic of South African parliament. This report refers specifically to Chapter 3 (Conditions for Lawful Processing of Personal Information), and more specifically Condition 7.19, Security Safeguards - Security measures on integrity and confidentiality of personal information. | R77.30 and higher |
    | SANS Top 20 Critical Controls | USA | SANS Top 20 Critical Controls - SANS Institute, working in concert with the Center for Internet Security (CIS), has created a comprehensive security framework, the Critical Security Controls (CSC) for Effective Cyber Defense (often referred to as the SANS Top 20), that provides organizations with a prioritized, highly focused set of actions that are implementable, usable, scalable, and compliant with global industry & government security requirements. These recommended security controls also serve as the foundation for many regulations & compliance frameworks, including NIST 800-53, PCI DSS 3.1, ISO 27002, CSA, HIPAA, and many others. | R80.20.M1 and higher |
    | SOX | USA | Refers to the IT controls defined in the CobiT framework. The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. | R77.30 and higher |
    | Statement of Controls (ISAE 3402) | International | International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting. | R77.30 and higher |
    | UK Data Protection Act | UK | UK law that governs the protection of personal data. | R77.30 and higher |
  • Continuous Compliance Monitoring

    Continuous Compliance Monitoring (CCM) is a dynamic technology that examines compliance parameters on an ongoing basis. The Check Point Compliance Blade uses CCM to examine Security Gateways and security policies on this basis:

    • Daily - An automatic scan runs one time each day and finds changes to gateway and policy configurations made with CLI or scripts.
    • SmartConsole changes - Automatic scan when an administrator changes objects that have an effect on gateway or policy configuration. (The scan occurs after you publish the changes.)

    You can also run a manual scan, as necessary.

  • Compliance Alerts

    If administrator actions cause a degradation of the compliance status, the Check Point Compliance Blade displays an alert with details of the issue. It also generates an action item to monitor corrective steps.

 

Working with the Check Point Compliance Blade

This is the recommended workflow for the Check Point Compliance Blade:

  1. View - Use the Check Point Compliance Blade tools to examine and monitor compliance status.
  2. Plan - Manage Check Point Compliance Blade automatically generated Action Items.
  3. Act - Correct compliance issues as recommended by the Action Items. You can see the updated compliance status when you run Check Point Compliance Blade scans.

 

System Requirements

 

The Check Point Compliance Blade User Interface

Connect with SmartConsole to Security Management Server / Domain Management Server and go to 'LOGS & MONITOR section > Add new tab > Open Compliance View'.

The 'Overview' pane shows the overall compliance status of your organization.

  • The Overview Pane

    The 'Overview' pane shows the overall status for the organization with these elements:

    | Widget | Description |
    | --- | --- |
    | Security Best Practices Compliance | Displays compliance status information for each Best Practice. To see Best Practices recommendations filtered by status, click a status. To see all Best Practices, click on 'See All...'. |
    | Gateways | Displays Security Status by Gateway - Security Gateways with the highest compliance scores, lowest compliance scores, or a predefined set of Favorites. To see the results for a specific Security Gateway, click on its name. To see the results for all gateways, click on 'See All...'. |
    | Blades | Displays Security Status by Blade - the average scores for the five Software Blades with the most Security Best Practices. To see the results for a specific Software Blade, click on that blade. To see the results for all Software Blades, click on 'See All...'. |
    | Regulatory Compliance | Displays compliance statistics for selected regulatory standards, in accordance with Security Best Practice results: the number of regulatory requirements examined for each regulatory standard, and the average compliance scores. The number of regulatory standards shown is dependent on your screen resolution. |
    | Action Items and Messages | Displays the updated status of pending action items for your organization: Upcoming items (action items with due dates in the next 30 days); Future items (action items with due dates of more than 30 days); Unscheduled items (action items without defined due dates); Overdue items (action items that are overdue). |

    Let us describe each widget:

    • Security Best Practices Compliance

      This widget displays compliance status information for each Best Practice.

      The Check Point Compliance Blade calculates a numeric score for each Best Practice test, which is the
      average of the results for each object examined. Average scores can be given for the organization, Security
      Gateways, Software Blades, and regulations.

      This is the Check Point Compliance Blade scoring system:

      | Security Status | Score in % |
      | --- | --- |
      | Poor | 0 - 50 |
      | Medium | 50 - 75 |
      | Good | 75 - 99 |
      | Secure | 100 |
      | N/A | Not Applicable |

      A category can show 'N/A' scores if:

      • The applicable Software Blade is not installed on the Security Management Server.
      • The Security Gateway does not support the examined feature.

      Many Best Practice tests are boolean: either compliant, or not.

      • Non-compliant score = 0
      • Compliant score = 100

      Other Best Practice tests calculate a score based on the degree of compliance.

      To see details of a Best Practice test:
      Click on the status category, or on 'See All…'.
      In the top table, see the results of the Best Practice tests:

      • Active - Select to activate the Best Practice test. Clear to deactivate it.
      • Blade - Blade related to this Best Practice.
      • ID - Check Point Compliance Blade ID assigned to the Best Practice.
      • Name - Name and brief description of the regulatory requirement.
      • Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor" status items immediately.

      In the bottom section, you can see these items for the selected test:

      • Description - What the selected Best Practice test looks for.
      • Action Item - Steps required to become compliant, which also includes alternative scenarios.
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - Link to show list of all regulatory standards that include the Best Practice test that generated the selected action item.
    • Gateways

      This widget displays Security Status by Gateway - the five Security Gateways with the highest compliance scores, lowest compliance scores, or a predefined set of Favorites.

      To see the Best Practice test results for a specific Security Gateway, click on its name.

      To see the results for all gateways, click on "See All Gateways".

      Click on a Security Gateway / Cluster object in this window to see the details.
      In the top table, see the Best Practice tests for the selected Security Gateway:

      • Blade
      • ID - Check Point Compliance Blade ID assigned to the Best Practice.
      • Name - Best Practice test name and brief description.
      • Status - Poor, Medium, Good, Secure, or N/A

      In the bottom part, you can see these items:

      • Description - What the test looks for
      • Action Item - Steps required to become compliant, which also includes alternative scenarios.
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - Link to show list of all regulatory standards that include the Best Practice test that generated the selected action item.
    • Blades

      This widget displays Security Status by Blade - the average scores for the five Software Blades with the most Security Best Practices.

      To see the results for a specific Blade, click on that blade.

      To see the results for all Blades, click on "See All…".

      In the top table, see the Action Items for the selected blade:

      • Active - Select to activate the Best Practice test. Clear to deactivate it.
      • Blade - Blade related to this Best Practice.
      • ID - Check Point Compliance Blade ID assigned to the Best Practice.
      • Name - Name and brief description of the regulatory requirement.
      • Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor" status items immediately.

      In the bottom section, you can see these items for the selected Best Practice test:

      • Description - Detailed description of the Best Practice test.
      • Action Item - Steps required to become compliant, which also includes alternative scenarios.
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - Link to show list of all regulatory standards that include the Best Practice test that generated the selected action item.
    • Regulatory Compliance

      This widget displays compliance statistics for selected regulatory standards, in accordance with Security Best Practice results:

      • Number of regulatory requirements examined for each regulatory standard
      • Average compliance scores

      To select the regulatory standards shown:

      1. Click the configuration icon in the top right corner of the pane.
      2. In the Select Regulations and Standards window, select the standards to show in the Overview.

      To see the compliance score for all regulatory requirements, click "See all…". The All Regulatory Requirements window opens.
      To see details of a standard, click the name of the standard in the Overview pane or in the All Regulatory Requirements window. The Regulatory Requirements pane for the selected standard opens.
      In the top table, see the results of Best Practice tests for the selected regulatory standard:

      • Check Point Compliance Blade ID.
      • Status (Poor, Medium, Good, Secure, or N/A).
      • Name of the regulation, taken from the published standard.

      In the bottom section, you can see items for the selected regulation:

      • Description - What the standard requires.
      • Relevant Best Practices - Best Practice tests for the selected requirement, and their compliance status.
      • Relevant Objects - Objects related to the selected requirement and their status. You can activate or deactivate enforcement of the selected requirement for specified objects (this section shows only when the selected requirement is applicable to specified objects.)
    • Action Items and Messages

      This widget displays the updated status of pending action items for your organization:

      • Upcoming items - Action items with due dates in the next 30 days.
      • Future items - Action items with due dates of more than 30 days.
      • Unscheduled items - Action items without defined due dates.
      • Overdue items - Action items that are overdue.

      Note: It is a best practice to resolve overdue action items immediately.

      If your screen resolution is high, the Alert and System messages show in the bottom section of the pane. Use the arrows to scroll through the messages.

      If your screen resolution is low, two buttons show in the bottom section of the pane.

      • To see alert messages, click "Compliance Alerts". They open in the 'Overview' pane.
      • To see messages about the Check Point Compliance Blade, click "System Messages". They open in the 'Overview' pane.

      To open the action items for a status category, click that category. The 'Action Items' pane opens.

      In the top table, see the pending Action Items:

      • Due Date - Optionally assigned due date for resolving this Action Item. A due date is not automatically assigned when an Action Item is generated.
      • Related Software Blade
      • Check Point Compliance Blade ID
      • Name
      • Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor" status items immediately.

      In the bottom section, you can see this information about the selected Action Items:

      • Action Item Description - Steps required to become compliant, which includes alternative scenarios.
      • Due Date - Optionally assigned due date for resolving this Action Item. You can assign or change a due date here (see "Working with Action Items").
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - Link to show list of all regulatory standards that include the Best Practice test that generated the selected action item.
  • Creating a User-Defined Security Best Practice for Firewall rules

    You can define custom Security Best Practices based on your organization's security requirements. This release supports user-defined Security Best Practices, which you define in the SmartConsole Compliance tab.

    To define a new Security Best Practice:

      1. In the 'Compliance tab > Security Best Practices pane', click "New".
      2. In the Best Practice Definition window, enter informational text in these fields:

        • Name and Description for this Best Practice.
        • Name and Description for the non-compliance Action Item generated by this best practice.

          Note: In this version, you cannot change the Relevant Blade option. It is automatically set to Firewall.

      3. In the "Best Practice Rule Definition" table, enter rule matching criteria in the table cells. Each cell matches one related field or parameter in Security Policy rules. A Security Best Practice match occurs when all table cells match one or more rules in the Rule Base (Logical AND).

          • Hit Count - Select a Hit Count level. A match occurs when the Hit Count for a rule is equal to or exceeds the specified Hit Count level.
          • Name - Select one of these match types:

            • Any - Matches all rules (default).
            • Blank - Matches all rules that do not have a name (null value).
            • Not blank - Matches all rules that have a name.
            • Exact - Enter a text string. A match occurs when the rule name is the same as the specified string.
            • Starts with - Enter a text string. A match occurs when the rule name starts with the specified string (case sensitive).
            • Ends with - Enter a text string. A match occurs when the rule name ends with the specified string (case sensitive).
            • Contains - Enter one or more text strings. A match occurs when a rule name contains the specified strings in the order you enter them (case sensitive).
          • Source - Select one or more source objects. A match occurs when at least one of the specified objects is included in the Source field of a rule.
          • Destination - Select one or more destination objects. A match occurs when at least one of the specified objects is included in the Destination field of the rule.
          • VPN - Select one or more VPN communities. A match occurs when at least one of the specified VPN communities is included in a rule.
          • Service - Select one or more services. A match occurs when at least one of the specified services is included in a rule.
          • Action - Select one or more actions. A match occurs when at least one of the specified actions is included in a rule.
          • Track - Select one or more tracking options. A match occurs when at least one of the specified tracking options is included in a rule.
          • Install on - Select one or more Gateway, Cluster, or group objects. A match occurs when at least one of the specified objects is included in the "Install on" field of a rule.
          • Time - Select a time option that defines when the system enforces a rule. A match occurs when at least one specified time option is included in a rule.
          • Comments - Select a match type:

            • Any - Matches all rules (default).
            • Blank - Matches all rules that do not contain text in the Comment field (null value).
            • Not Blank - Matches all rules that contain text in the Comment field.
            • Exact - Enter a text string. A match occurs when the Comment field in a rule is the same as the specified string.
            • Starts with - Enter a text string. A match occurs when the Comment field in a rule starts with the specified string (case sensitive).
            • Ends with - Enter a text string. A match occurs when the Comment field in a rule ends with the specified string (case sensitive).
            • Contains - Enter one or more text strings. A match occurs when the Comment field in a rule contains the specified strings in the order you enter them (case sensitive).

        • Negate Cell - Right-click a cell to match all objects except the specified objects. This feature is not available for the Name and Comment cells.

          Note: If you use the Negate Cell option on a cell that contains the Any object, no match can occur. This is the same as a blank cell.

      1. Optional: Click "Advanced Settings" to define these advanced scope parameters:

          • Policy Range - Define the part of the Rule Base to scan for matches. There are two parameters:

            • Top or Bottom - Scan the top or bottom part of the Rule Base
            • Percentage - The percentage of the Rule Base to scan.

              For example, select Bottom 30% to scan 30% of the Rule Base starting from the bottom (last rule in the Rule Base).

        • Last Hit Date greater than - Select to include only rules that have at least one hit on, or after the specified time period. Select the number of time periods and the type of period.

          For example, select 2 Months to include only rules that have at least one hit during the last two months.

      1. Define how Compliance Blade creates a violation (Action Item) when a Security Best Practice matches a rule.

        • Rule found - A violation can occur when a rule matches the Security Best Practice (Default).
        • Rule not found - A violation can occur when no rules match the Security Best Practice.
        • Tolerance - A violation occurs when there are more than the specified number of matches (Default = 0). For example, if the tolerance is set to 0, the Compliance Blade creates a violation when the first match occurs. If the tolerance is set to 3, the Compliance Blade creates a violation when the fourth match occurs.

          Note: The tolerance option applies only to the Rule found option.

      1. Define when the Rule Index (Rule number) shows in the Relevant Objects pane.

        You can configure custom Security Best Practices to show the Rule in specified circumstances. This lets you easily see which rules cause or prevent violations.

        • Display rules that match - Shows Rules that match the specified criteria in a Security Best Practice.
        • Display rules that don't match - Shows Rules that do not match the specified criteria in a Security Best Practice.
        • Don't display rules - Does not show the Rule.

    1. Click "Save". 
    2. To see the status of your Security Best Practice, click "Preview". This feature runs the new Security Best Practice and shows the results in a window.

    To change an existing, user-defined Security Best Practice:

    1. In the 'Compliance tab > Security Best Practices pane', double-click a user-defined Security Best Practice.
    2. In the Best Practice Definition window, change the parameters and settings as shown in the above procedure.
    3. Click "Save".
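The matching and violation settings from the procedure above, modelled in Python as an added example (not Check Point code and not part of the original article). The field names, the constructed rule base and rounding the Policy Range up to a whole rule are assumptions; Negate Cell and Last Hit Date are left out.

```python
from dataclasses import dataclass, field

# Added illustration: names, sample rules and the rounding rule are assumptions.


def fs(*items):
    return frozenset(items)


@dataclass(frozen=True)
class Rule:
    index: int
    name: str
    source: frozenset
    destination: frozenset
    service: frozenset
    action: frozenset
    comment: str = ""


@dataclass
class BestPractice:
    name_match: tuple = ("any", None)          # (match type, string or tuple of strings)
    comment_match: tuple = ("any", None)
    cells: dict = field(default_factory=dict)  # cell name -> selected objects; other cells not evaluated here
    range_side: str = "top"                    # Policy Range: "top" or "bottom"
    range_percent: int = 100
    mode: str = "rule_found"                   # or "rule_not_found"
    tolerance: int = 0                         # applies to rule_found only
    display: str = "match"                     # "match", "no_match" or "none"


def text_matches(match, text):
    kind, value = match
    if kind == "contains":                     # every string must appear, in the order entered
        pos = 0
        for part in value:
            pos = text.find(part, pos)
            if pos < 0:
                return False
            pos += len(part)
        return True
    checks = {
        "any": lambda: True,
        "blank": lambda: text == "",
        "not_blank": lambda: text != "",
        "exact": lambda: text == value,
        "starts_with": lambda: text.startswith(value),   # case sensitive
        "ends_with": lambda: text.endswith(value),       # case sensitive
    }
    return checks[kind]()


def rule_matches(bp, rule):
    if not (text_matches(bp.name_match, rule.name) and text_matches(bp.comment_match, rule.comment)):
        return False
    # A cell matches when at least one selected object is included in the rule's field.
    return all(selected & getattr(rule, cell) for cell, selected in bp.cells.items())


def scanned_rules(bp, rules):
    count = -(-len(rules) * bp.range_percent // 100)     # ceiling division (assumed rounding)
    return rules[:count] if bp.range_side == "top" else rules[len(rules) - count:]


def evaluate(bp, rules):
    scanned = scanned_rules(bp, rules)
    matched = [r for r in scanned if rule_matches(bp, r)]
    if bp.mode == "rule_found":
        violation = len(matched) > bp.tolerance          # tolerance 3: the fourth match violates
    else:
        violation = not matched                          # rule_not_found: no rule matched
    if bp.display == "match":
        shown = [r.index for r in matched]
    elif bp.display == "no_match":
        shown = [r.index for r in scanned if r not in matched]
    else:
        shown = []
    return {"violation": violation, "matches": len(matched), "rules": shown}


# Constructed rule base for the demonstration.
RULE_BASE = [
    Rule(1, "Mgmt access", fs("AdminNet"), fs("MgmtServer"), fs("ssh", "https"), fs("Accept"), "CHG-1001"),
    Rule(2, "Web out", fs("InternalNet"), fs("Internet"), fs("http", "https"), fs("Accept"), "CHG-1002"),
    Rule(3, "tmp-vendor-access", fs("VendorNet"), fs("AppServers"), fs("Any"), fs("Accept")),
    Rule(4, "Mail in", fs("Internet"), fs("MailGw"), fs("smtp"), fs("Accept"), "CHG-1004"),
    Rule(5, "tmp-migration", fs("Any"), fs("DbServers"), fs("Any"), fs("Accept")),
    Rule(6, "Backup", fs("BackupSrv"), fs("Any"), fs("Any"), fs("Accept"), "CHG-1006"),
    Rule(7, "tmp-test-lab", fs("LabNet"), fs("Any"), fs("Any"), fs("Accept"), "remove after test"),
    Rule(8, "Cleanup", fs("Any"), fs("Any"), fs("Any"), fs("Drop"), "CHG-1008"),
]

# "Rule found" practice: accept rules whose Service cell includes Any.
ANY_SERVICE_ACCEPT = BestPractice(cells={"service": fs("Any"), "action": fs("Accept")})
# "Rule not found" practice: the bottom 10% of the Rule Base must hold a Drop rule named Cleanup.
CLEANUP_PRESENT = BestPractice(name_match=("exact", "Cleanup"), cells={"action": fs("Drop")},
                               range_side="bottom", range_percent=10, mode="rule_not_found")
# Temporary rules that carry no comment.
UNDOCUMENTED_TMP = BestPractice(name_match=("starts_with", "tmp-"), comment_match=("blank", None))
```

Calling `evaluate(ANY_SERVICE_ACCEPT, RULE_BASE)` returns the violation flag, the match count and the rule indexes that the chosen display setting would list in Relevant Objects.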
  • Creating a User-Defined Gaia OS Best Practice

    Important: User-Defined Gaia OS Best Practices supported from R80.20 only.

      1. If the user is accessing Compliance Blade for the first time, navigate to 'LOGS & MONITOR' and click "Open Compliance View".
      2. Click "See All".
      3. Click "+" to open the New Best Practice dialog.
      4. If the user is not accessing Compliance Blade for the first time, navigate to 'LOGS & MONITOR > Compliance > Security Best Practices' and click "New".
      5. Enter Best Practice Name, Description, Action Item, Practice Script, Expected Output and click "OK".
      6. Your new Gaia Best Practice will be added to the list of Best Practices.
      7. Click "Publish".
      8. Navigate to 'MANAGE & SETTINGS'.
      9. Select 'Blades'.
      10. Select 'Compliance > Settings'.
      11. Select "Rescan".
      12. After Rescan, click "OK".
      13. Navigate to 'LOGS & MONITOR > Compliance'. The scan results for the new Gaia OS Best Practice are displayed.

  • Searching, Grouping, Sorting

    In the Check Point Compliance Blade panes, enter a string in the search field to filter results.

    To search for values in a field, enter: field_name:string

    To group results, select "Blade" or "Status" in the grouping field.

    To sort the results by the values in a field, click that field header.

  • Working with Alerts and System Messages

    You use the Alerts and System Message pane to see alerts generated when a configuration change causes compliance status degradation. You can also see messages that are automatically generated by the Check Point Compliance Blade.

    To see the details of a system message, double-click it. The Alert Details window opens.

Enforcing Best Practices

You can activate or deactivate enforcement of Best Practice tests by test (for the organization), by gateway, by Software Blade or by other objects. Activation changes are applied after the next scan.

  • Activating Best Practice tests

    By default, all Best Practice tests are active.

    To activate a Best Practice test that is not currently active:

    1. Select a Best Practice test in the top section, or in the Related Objects section.
    2. Select "Active".
  • Deactivating Tests

    You can deactivate Best Practice tests globally for the organization or for specified objects (gateways, blades or profiles).

    To deactivate a Best Practice test for all of the organization:

    1. In 'Compliance' tab > 'Security Best Practices Compliance' overview, clear the "Active" option for the Best Practice test.
    2. When prompted, enter an explanation. A comment is required to show why it is necessary to stop running this compliance test.
    3. Optional: Define an expiration date. If you define an expiration date, the deactivated test is automatically activated on that date.

    To make a Best Practice test active again:

    1. Navigate to 'MANAGE & SETTINGS' > 'Blades' > 'Compliance' > Open 'Inactive Objects...'. De-activated Best Practice tests are shown in the Inactive Security Best Practices section.
    2. Select a Best Practice in the list.
    3. Click "Remove" (or select the Active option in the Best Practices pane.)

    To change the comment or expiration date:

    • Double-click a Best Practice test in the Inactive Objects pane.

    To deactivate Best Practice tests for specified gateways:

    1. Navigate to 'MANAGE & SETTINGS' > 'Blades' > 'Compliance' > Open 'Inactive Objects...'.
    2. In the Inactive Gateways section, click the "Add" icon.
    3. Enter or select a gateway or cluster. The selected gateways show in the Inactive Gateways list.

    To remove a gateway from the Inactive Gateways list:

    1. Select the gateway.
    2. Click the "Remove" (X Remove) icon.
    3. When prompted, click "Yes".

    To deactivate a Best Practice test for a specified object:

    1. In 'Compliance' tab > 'Security Best Practices Compliance' overview, select the Best Practice test.
    2. In the Relevant Objects section, clear the "Active" option for the object.

      An object can be a gateway, policy, profile or other object.

    3. When prompted, enter an explanation. A comment is required to show why it is necessary to stop running this compliance test.
    4. Optional: Define an expiration date. If you define an expiration date, the deactivated test is automatically activated on that date.

    To make an object active again for Best Practice tests:

    1. Navigate to 'MANAGE & SETTINGS' > 'Blades' > 'Compliance' > Open 'Inactive Objects…'. The de-activated Best Practice test is in the "Inactive Security Best Practices on Specific Objects" section.
    2. Select the Best Practice test.
    3. Click "Remove" (or select the Active option in 'Best Practices' > 'Relevant Objects' of the selected Best Practice test.)
  • Running a Manual Scan

    We recommend that you run a manual scan after:

    • You add objects to your Check Point environment.
    • You activate or de-activate a Best Practice test.

    To run a manual scan:

    1. Navigate to 'MANAGE & SETTINGS' > 'Blades'.
    2. In the Compliance section, click "Settings…".
    3. On the Settings page, click "Rescan".

    Note: While a scan is running, you cannot work with the Compliance tab.

Working with Regulatory Compliance

Regulatory Requirements shows the Check Point Compliance Blade Best Practice tests that examine compliance with the requirements of standards and regulations.

To see the regulations and their status:

  1. Navigate to 'LOGS & MONITOR'.
  2. Go to the Compliance tab and, in the Regulatory Compliance pane, click the 'See All' link.
  3. Click a regulatory standard. The selected regulatory standard pane opens.

Instructions:

  • Activating and Deactivating Regulatory Standards

    You can select the regulatory standards that are applicable to your organization. By default, all supported regulatory standards are active.

    To activate or deactivate regulatory standards:

    1. Navigate to 'MANAGE & SETTINGS' > 'Blades' > 'Compliance' > click "Settings…".
    2. Select the regulatory standards that are applicable for your organization.
    3. Clear the regulatory standards that are not applicable for your organization.

    To test compliance with a standard:

    • Click "Rescan".

  • How to Import a Regulation or Standard to the Compliance Blade

    1. Have an XML file saved locally. In order to import a new regulation or standard, you must have it saved locally as an XML file.
    2. Open up the Compliance Settings in the SmartConsole. In the Navigation Toolbar, click on 'Manage & Settings > Blades > Compliance' and click on the "Settings" button.
    3. Import the Regulation XML file. Go to the Actions drop-down list and select "Import".
    4. Select the XML file you want to import. Once selected, import the file. The regulation will now appear in your list of User-defined Regulations.
    5. Save the Regulation. Open the regulation by double-clicking on it. Press save and wait for the process to complete. This could take three to four minutes.
    6. Display the imported Regulation on your Compliance Dashboard. Once the Regulation is imported, you can now add and manage it from your Compliance Dashboard. In the Navigation Toolbar, click "Logs & Monitor" and open the Compliance Tab, or click on the configuration icon in the top right-hand corner of the pane, or select the Regulation you just imported and click "OK" to save.

    IMPORTANT NOTE: Remember that to save any SmartConsole changes, you must Publish those changes.

    Working with Action Items

    When a Best Practice test finds a deficiency, the Check Point Compliance Blade automatically generates an Action Item. You can assign a due date to an Action Item and monitor corrective steps. Action Items are not assigned a due date when they are generated.

    When you complete the corrective steps, the Check Point Compliance Blade deletes the Action Item after the next scan.

    To assign a due date for an Action Item:

    1. Navigate to 'LOGS & MONITOR'.
    2. Go to the Compliance tab > 'Action Items and Messages' > 'Pending Action Items' > 'Unscheduled items'.
    3. Select an Action Item.
    4. In the Action Item Description section, click "Schedule Now". If the Action Item already has an assigned due date, click on the date link to change it.
    5. In the window that opens, enter or select a due date and then click "OK".

    To delete an action item:

    1. Deactivate the applicable Best Practice test (see "Deactivating Tests").
    2. Run a manual scan: 'Settings' > 'Rescan'.

    Instructions:

    • Corrective Steps

      To resolve compliance issues, change the applicable configuration settings for:

      • Security Gateways
      • Software Blades
      • Policies and rules
      • Users and user groups
      • Computers and computer groups
      • Other SmartConsole objects

      The Check Point Compliance Blade has features that help you to quickly implement corrective steps in SmartConsole. The Action Items pane shows a helpful description for each Action Item, which gives suggestions to correct the related configuration. You can also correct some issues with the command line.

      You can correct issues by using the description to guide you through the configuration steps.

    Running Reports

    Generate reports for status summary and details of Best Practice tests and Action Items.

      • Compliance Blade - Shows the summary data included in the Overview pane:

        • Summaries of security best practices by status
        • Summaries of security alerts
        • Summaries of regulatory standards
        • Summaries of security status by blades
        • Detailed lists of Best Practice tests sorted by their status

        To generate a report, navigate to 'LOGS & MONITOR' > new tab > select "Reports" and then select the 'Compliance Blade' report. The report shows in a pane with the report name as the title.

        From the report pane, you can create reports in these output formats:

        • Excel document
        • PDF document

    • Per Regulation - Shows a summary of the regulatory requirements and a detailed list of the Best Practice tests included in each requirement.

      To generate a report, navigate to 'LOGS & MONITOR' > Compliance > click on the specific regulation > click "Generate Report". The report shows in a pane with the report name as the title.

      From the Report pane, you can create reports in these output formats:

      • PDF document
      • Email with attached PDF document
      • Output to printer
      • Output HTML to your Web browser

    Exporting Data

    You can export the data shown in the selected pane to a Microsoft Excel® file. This lets you save the results for archiving, auditing, and analysis of historical trends and data relationships.

    To export data to an Excel file:

    1. Open a Check Point Compliance Blade pane.
    2. Click "Options".
    3. Click "Export to Excel".
    4. Go to main page of all reports.
    5. Navigate to "Archive".
    6. Select the export report.
    7. Click "Download".
    8. Enter path and filename.
    9. Click "Save".

    Troubleshooting

    • Initial Installation of the Software

      • What can go wrong?

      1. Blade activation issues

        • Symptom: In SmartConsole, the Compliance Blade tab shows the message "The compliance blade is not activated" and you cannot navigate in the tab's pages, or, when you open a new tab in 'LOGS & MONITOR', "Open Compliance View" is not displayed.

        • Troubleshooting:

          1. In SmartConsole, check the Security Management Server object. Verify that the "Compliance Blade" box is checked in the Management Blades section.





      2. Connectivity to the Security Management Server / Multi-Domain Security Management Server

        • Symptom: If the Security Management Server IP Address that the customer used to log in to SmartConsole is not identical to the IP Address set on the Management object, there will be problems with connectivity to the Security Management Server.

          1. If that is the case, the customer may still be able to log in and access the Compliance tab, but will get the "The compliance blade is not activated" message.
          2. This issue might be encountered when a user has configured the Security Management Server with 2 or more interfaces (one for logging in with SmartConsole and one to communicate with the gateways). For example:

    • Licensing

      • No license installed error message

        1. If no license is installed, the user will probably encounter this error message for the first time when trying to access the Compliance Blade tab in SmartConsole.
        2. The output of the cplic print command is useful for troubleshooting such an issue:

          • The output should contain (at least) one of the following:

            • CPSB-COMP-U
            • CPSB-COMP-150
            • CPSB-COMP-50
            • CPSB-COMP-25
            • CPSB-COMP-5


      • Additional licensing issues: (conflicts, containers)

        • Scenario 1: Single Management

          • Customer must purchase a Compliance Blade license according to the number of (supported*) gateway objects.

            • If you have 3 gateways, you must buy a 5 gateway license.
            • If you have 10 gateways, you must buy a 25 gateway license.
            • If you have bought a 5 gateway license, but you have 6 (or more) gateways, the license will not work.
            • If you have bought a 5 gateway license, and you have 5 gateways, but you later add an additional gateway object, after the next scan, the license will cease to work.
            • The license is "additive".


          • *Supported Objects: The Compliance Blade currently only supports regular Gateways and Clusters.

            • This means that currently all other objects will not be taken into consideration when counting the licenses.
            • If a customer has a single Management, with 50 gateways, but only 5 are regular gateways, and the other 45 are Edge gateways, the customer can legitimately attach a 5 gateway license and it will work (because Check Point currently only counts "supported" objects).
            • For a gateway cluster network object with two gateway cluster members, the compliance blade license count would be for two gateways.



        • Scenario 2: Multiple Managements (but not Multi-Domain Management)

          • A license must be installed on each Management (assuming the customer wants to install the Compliance Blade on each Management).

            • If the customer has Management A with 5 gateways, and Management B with 20 gateways, he needs to buy a 5 gateway license for Management A, and a gateway license for Management B that is equal or greater than the numbers of gateways attached to the Management.
            • He cannot buy a 25 gateway license and split it between his two Managements.


          • All other comments are the same as for Single Management, above.


        • Scenario 3: Multi-Domain Management

          • Whatever license is installed on the Multi-Domain Management container, is pushed down to all the connected CMAs.

            • If there is a Multi-Domain Management, with CMA X, CMA Y, and CMA Z, and the customer installs a 5 gateway license on the Multi-Domain Management, a 5 gateway license is pushed down to CMA X, Y and Z.
            • Likewise, if he installs a 25 gateway license on the Multi-Domain Management, a 25 gateway license is pushed down to all connected CMAs.


          • Each CMA will be checked like a Single Management (see above):

            • If there are 10 supported gateways on the CMA, and the customer received a 5 gateway license from its linked Multi-Domain Management, the license will not work on this CMA.
            • Suppose a customer has a Multi-Domain Management with 20 CMAs: 19 of the CMAs have 3 gateways each, and 1 CMA has 20 gateways. If he installs a 5 gateway license on the Multi-Domain Management, the license is pushed to all 20 CMAs, but only 19 of them will work.
            • If he installs a 25 gateway license on the Multi-Domain Management, all the CMAs will work.


    • Post install - Initial Scan

      • The initial full scan begins about 2-3 minutes after the first installation. You will get a notification in the Compliance Blade regarding the need to wait for the full scan to finish.
      • A full scan can take between 2 - 5 minutes. During this time, the SmartConsole should work as usual.
      • The Compliance tab will not display any information until the scan is finished. Once the Full scan is finished, the user can access the information in the blade and he should not see a "Full scan is in progress" message in the top of the Overview.
    • Resolution issues

      • I can not see information, data is cut off, etc. - Under 1366x768: The data may be cut off. This is relevant only in the Overview (You can overcome this issue, by collapsing the side menu.)
      • Supported resolutions: Check Point supports 2 different thresholds of resolution: 1366x768 (laptop) and higher. There is a slight difference in the Overview page.

          • 1366x768 - "Action Items and Messages" widget displays the actual records. Activate by using 3 buttons.


          • Above 1366x768 - "Action Items and Messages" widget displays all the data with no buttons. The data regarding the "Compliance Alerts & Messages" is a preview (contains short descriptions) and for the full details you need to access the menu items by the link.

    • Exclusions - Deactivating a Best Practice, or object within a Best Practice

      • Security Best Practice: If the customer has certain constraints that prevent him from configuring a Check Point Software Blade according to the recommendation, individual Security Best Practices can be excluded by unchecking the "Active" field and entering the reason why the Best Practice should be excluded and for which period of time.



        • What happens behind the scenes when we "deactivate" a Security Best Practice? Changes will take effect only after a "save" and full scan (either nightly, or manually executed by the user via the Settings screen). These effects are: the Action Item regarding this Best Practice disappears, statistics in the Overview should change accordingly, compliance of Regulations should change, as well.
        • How is the overall score recalculated? Each Security Best Practice gets a grade (percentage) and is given a status according to the thresholds.
          If the Security Best Practice is a Gateways / Profiles Best Practice, the grade is calculated as an average of the grades of each of its corresponding objects.
          If the Security Best Practice is a Global Properties Security Best Practice, the grade is calculated according to the Security Best Practice description (it may be only "true/false", which is graded "0/100", or there can be levels for deciding the status according to the value tested).
          Each Security Best Practice is assigned to one or more regulatory requirements.
        • When is it recalculated? Next full scan.
        • Expiration date for deactivation: Expiration date for deactivation can be set. The status of the Security Best Practice or object in Security Best Practice is not relevant in the calculation until the expiration date has passed. Again, the full scan will check the expiration dates and take this into account for the calculations.


      • Gateway

        • After excluding a gateway, do we need to actively perform a scan or is it automatic?
          You need to perform a scan. The gateway's status is calculated as the average of all the Security Best Practices running on this gateway. This means that Global Properties Security Best Practices are not included in the calculation. Security Best Practices that have been deactivated on a certain gateway are not included in the calculation either.


      • Regulation

        • Status of a requirement: Each Security Best Practice is assigned to one or more regulatory requirements. The status of a requirement is calculated as the average score of all the Security Best Practices assigned to this requirement. The score is a percentage and translated into a status according to the same thresholds logic.
        • How is the Regulation score impacted after a Security Best Practice is excluded? When does it change? After a Security Best Practice is deactivated (and full scan performed), the grade of the Regulation should be based on only the activated assigned Security Best Practices.
        • After excluding a gateway, do we need to actively perform a scan or is it automatic? After deactivating a gateway, a "save" and full scan is needed in order to recalculate all the Security Best Practice results. After this is done, the Regulation results will change, as well.
        • Are any processes being generated in the background? No processes are being generated. The system waits for the full scan.
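The averaging rules described above, worked through in Python as an added example (not Check Point code); it shows how an exclusion changes the gateway and requirement scores after the next full scan. Practice names, grades, the requirement label and the treatment of the expiration day are constructed or assumed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Added illustration of the averaging rules; all names and data are constructed.


@dataclass
class Practice:
    name: str
    grades: dict                 # relevant object -> grade (0-100) from the last full scan
    requirements: tuple = ()     # regulatory requirements this practice is assigned to
    is_global: bool = False      # Global Properties practice: not counted per gateway


@dataclass
class Exclusion:
    practice: str
    comment: str                 # a reason is required for every deactivation
    obj: Optional[str] = None    # None = deactivated for the whole organization
    expires: Optional[date] = None

    def in_effect(self, scan_day):
        # Assumption: the test counts again from the expiration date onwards.
        return self.expires is None or scan_day < self.expires


def active_grades(practice, exclusions, scan_day):
    """Grades that still count at this scan; None if the whole practice is deactivated."""
    live = [e for e in exclusions if e.practice == practice.name and e.in_effect(scan_day)]
    if any(e.obj is None for e in live):
        return None
    skipped = {e.obj for e in live}
    return {o: g for o, g in practice.grades.items() if o not in skipped}


def practice_grade(practice, exclusions, scan_day):
    """Average of the grades of the practice's active objects."""
    grades = active_grades(practice, exclusions, scan_day)
    return mean(list(grades.values())) if grades else None


def gateway_score(gateway, practices, exclusions, scan_day):
    """Average of the active, non-global practices that run on this gateway."""
    values = []
    for p in practices:
        grades = None if p.is_global else active_grades(p, exclusions, scan_day)
        if grades and gateway in grades:
            values.append(grades[gateway])
    return mean(values) if values else None


def requirement_score(requirement, practices, exclusions, scan_day):
    """Average grade of the active practices assigned to the requirement."""
    values = [practice_grade(p, exclusions, scan_day)
              for p in practices if requirement in p.requirements]
    values = [v for v in values if v is not None]
    return mean(values) if values else None


def exclusion_report(requirement, practices, exclusions, scan_day):
    """Displayed score next to the score with every exclusion ignored."""
    assigned = {p.name for p in practices if requirement in p.requirements}
    live = [(e.practice, e.obj or "all objects", e.comment)
            for e in exclusions if e.practice in assigned and e.in_effect(scan_day)]
    return {
        "shown": requirement_score(requirement, practices, exclusions, scan_day),
        "without_exclusions": requirement_score(requirement, practices, [], scan_day),
        "exclusions": live,
    }


# Constructed scan results: two gateways, three practices, one requirement label.
PRACTICES = [
    Practice("Anti-Spoofing enabled", {"gw-a": 100, "gw-b": 0}, ("REQ-1",)),
    Practice("No Any-service accept rules", {"gw-a": 50, "gw-b": 100}, ("REQ-1",)),
    Practice("Session timeout set", {"Global Properties": 100}, ("REQ-1",), is_global=True),
]
# Constructed exclusion: one practice deactivated on one gateway, with an expiration date.
EXCLUSIONS = [
    Exclusion("Anti-Spoofing enabled", "lab gateway, ticket CHG-2001", obj="gw-b",
              expires=date(2024, 6, 30)),
]
```

With the sample data, excluding the failing practice on gw-b lifts REQ-1 from 75 to about 91.7 and gw-b from 50 to 100, and a full scan after the expiration date brings both back down, which is why the exclusion list belongs in any review of the displayed scores.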
    • Action Items

      • When setting a date, is there a process being run in the background? No process is being run. The only effect of the due date is the distribution of the statistics in the 'Overview' > 'Action Item'.
      • Date format errors: where is the date format taken from? The date/time is checked and compared with the server time.
      • Overdue: At what point is it considered overdue? End of day? Beginning of day? Date and time are entered. It is overdue based on time set. (This is server based time.)
        • How do the Action Items interact with the daily scan? Once a Security Best Practice becomes 100% secure, its corresponding Action Item should disappear from the Action Items screen (in the menu).
        • And the mini-scan? Once a Security Best Practice becomes 100% secure, its corresponding Action Item should disappear from the Action Items screen.
    • Save in Other Blades

      • When pressing Save, a mini-scan takes place. What is the process? How long should it take? What is normal and what is abnormal (in terms of time range)?
        A mini-scan recalculates the relevant Security Best Practice (relevant to the objects changed in the last save). This process should take up to 30 seconds. At the end of the process, the user is notified with Security alerts if any Security Best Practice statuses have gotten worse.
        Some actions will require a full scan (no mini scan will be executed after the save): Adding/removing gateway objects, adding/removing blades from gateways, deactivating Security Best Practice or Security Best Practice objects, IP Address changes in Profiles or Protections.
      • When is "post-save" information updated in the Overview and Security Best Practice windows? After the mini-scan (or full scan) is finished, the GUI and data are updated automatically.
      • Generation of Compliance Alerts - process involved? Part of the mini scan (see above).
      • How does the Save add and remove Action Items based on the results? See "Action Items".
    • Report Generation

      • How is the data generated? Based on the results in the last scan (what is viewed in the system at that moment).
      • Format issues? - No export to Word. Permissions issue may cause the generation of the report to fail.
      • Export to PDF issues? Some paging issues still exist.
      • Export to email client? No issues.
    • Excel Export

      • What happens when I export data to Excel? Process involved? The Excel Export is based on the results in the last scan (what is viewed in the system at that moment).
    • Gateway Favorites

      • Process when I select / choose my favorites? The favorite gateways are saved on the local machine. Each user has his own favorites.
    • Inactive Objects

      • When editing a comment / timeframe of an Exclusion, is there a process in the background that updates somewhere? Requires a full scan to take effect.
      • How does the software know when to cancel the exclusion (reached the due date)? Requires a full scan to take effect.
      • Deleting an Exclusion - Requires a full scan to take effect. See "Exclusions - Deactivating a Best Practice, or object within a Best Practice".
    • Install Policy

      • When performing Install Policy, are there any GRC processes running that impact performance? No process is running.
      • Cancelling the Security Alerts post-install policy: What is the process here? Upon install policy, the user can decide to view the compliance report, view the current Security alerts, or delete the current Security alerts. If deleting the Security alerts is chosen, the alerts are deleted from the DB. No special process.
    • Help File

      • If the help text is not loading, what is it being linked to? Standard SmartConsole help. Not specific to Compliance Blade.
    • Scoring

      • Scoring errors: There should not be any.
    • "NA" Best Practices

      • When a Best Practice is displayed as "NA"
        NA score: Security Best Practice / Security Best Practice object may receive an "NA" status in the following situations:
        • The security product is not enabled on the specific gateway.
        • Security Best Practices of type "OS" (Operating System) can only run on Check Point devices running the GAIA operating system, except for 61k and 64k appliances. For example, SMB devices run the GAIA Embedded operating system and therefore all OS best practices show N/A for each SMB gateway.
    • Conditional Best Practices

      • Dependent Best Practice: A Security Best Practice can be dependent on another Security Best Practice status. The current Security Best Practice will be tested only if the dependent Security Best Practice is above a specified threshold. If it is not above that threshold, the current Security Best Practice will be "NA".

    Debugging

    Rescan issues

    • Symptom: When trying to run rescan (from 'MANAGE & SETTINGS' > Blades > 'Compliance' section > 'Settings…' > 'Rescan'), the status changes to "pending ..." and rescan does not start after more than 20 seconds.

    • Troubleshooting and Debug:

      1. On the Security Management Server, make sure that there are no processes named "interpreter" (run ps -aux command to validate this)
      2. In GuiDBedit Tool:
        1. Go to 'Other' -> 'grc_test_elements'.
        2. Sort the table by the object name.
        3. Look for an object named "grc_interpreter" (there should be only one) and click on it.
        4. Look for the field_name "status".
        5. Right-click on that field and click "Reset".
        6. Save the changes: go to File menu - click on Save All.
        7. Close the GuiDBedit Tool.

      3. On the Security Management Server, run cpstop command.
      4. Edit the file /opt/CPPIgrc-R75.4X/bin/grc.conf: Set the value of debugMode to "1"
        Note: Starting from R77, edit the file $FWDIR/conf/grc.conf.
      5. Run cpstart command.
      6. Connect with SmartConsole to Security Management Server / Domain Management Server.
      7. Navigate to 'MANAGE & SETTINGS' > Blades > 'Compliance' section > 'Settings…' > click 'Rescan'.
      8. Get the logs:
        • $FWDIR/log/fwm.elg.*
        • /opt/CPPIgrc-R75.4X/bin/grc_interpreter.elg*
          Note: Starting from R77, $FWDIR/log/grc_interpreter.elg*.
      9. In the $FWDIR/log/fwm.elg file, look for the string: "interpreter was requested to rerun".
        • If you find the string, look for additional information about the cause of the problem in the continuation of the log.
        • If instead you see "no pending requests found", contact Check Point Support.

    Important Notes

    • The Compliance blade supports VSX Gateways / VSX Clusters running R77.20 and higher. By design, the "Security Best Practices" for "Gaia OS" are not checked on VSX Gateways / VSX Clusters.
    • The relevant objects for APP & URLF practices are the Policies, since you need to handle them per policy (and not per layer). As for inline layers, the parent rules of inline layers are usually not Src = 'Any' Dst = 'Any' or 'Internet'. Hence, even though the inline layer rule states Src = 'Any' Dst = 'Any' or 'Internet', the traffic that reaches the inline layer for matching may be skipped because of the parent definition.

    R80.10 Compliance Blade SecureKnowledge Articles

    Related Solution: sk92861 - ATRG: Compliance Blade (Pre-R80.10).
