| ID | Name | Description |
| --- | --- | --- |
| FW205 | Check that no rules are configured with both: Service & Applications set to Any and Action set to Accept. | The Service setting of Any should not be used for any policies that allow traffic. Create security policies specifying the desired ports. Check Point highly recommends that you do not select Any in the Service & Applications column. In particular, do not allow any service when the Action is selected as Accept. |
| OS130 | Check that the password contains at least 12 characters | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Check Point recommends that your password contains at least 12 characters. |
| OS131 | Check that the password complexity requires four character types | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Check Point recommends that your password contains upper case letters, lower case letters, numbers, and special characters. |
| OS132 | Check that the password expiration value is set to a maximum of 365 days | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Check Point recommends that you set the password expiration value to a maximum of 365 days, depending on your environment. This way, an attacker has a limited amount of time to compromise a user's password and gain access to your network resources. |
| OS133 | Check that the password history is enabled | The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password, but can still reuse an old one, the effectiveness of the policy is greatly reduced. |
| OS134 | Check that the password history prohibits password reuse for a minimum of 3 generations | The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password, but can still reuse an old one, the effectiveness of the policy is greatly reduced. Check Point recommends prohibiting password reuse for a minimum of 3 generations. |
| OS135 | Check that the hashing algorithm for password storage is enabled | For security reasons, you may want to store passwords in hashed form. This guards against the possibility that someone who gains unauthorized access to the database can retrieve the passwords of every user in the system. Check Point recommends that you use the most recent hashing algorithm. |
| OS150 | Check that a TACACS+ server IP address and key are defined for authentication | TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. Check Point recommends that you define the TACACS+ server IP address and key for authentication. |
| OS155 | Check that only permitted IP addresses are allowed to access and manage the Security Gateway via SSH and HTTPS | By default, each service on the Security Gateway allows access from all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. Allow only permitted IP addresses to access and manage the Security Gateway via SSH and HTTPS. |
| OS160 | Check that SNMP agent usage is enabled | SNMP monitoring is useful for anyone who is responsible for servers and network devices such as hosts, routers, hubs and switches. It lets you keep an eye on network and bandwidth usage, and track important issues such as uptime and traffic levels. Check Point recommends that you use SNMP polling. |
| OS161 | Check that the SNMP agent version is set to v3 | SNMP v3 adds cryptographic security as well as new concepts, terminology, remote configuration, enhancements, and textual conventions. Check Point recommends that you use SNMP v3 polling. |
| OS162 | Check that SNMP traps are configured to generate SNMP traps for system, traffic, or threat logs | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. |
| OS163 | Check that the SNMP clusterXLFailover trap is defined | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. Check Point recommends that you apply the clusterXLFailover trap. |
| OS164 | Check that the SNMP fanFailure trap is defined | You can use logging and SNMP to monitor the fan status. If there are issues with the fan, you will be able to address them immediately. |
| OS165 | Check that the SNMP lowDiskSpace trap is defined | You can use logging and SNMP to monitor the disk space status. If you have low disk space, you will be able to address it immediately. |
| OS170 | Check that Advanced Routing for OSPF is configured | Open Shortest Path First (OSPF) is a popular link-state routing protocol. Network devices exchange pieces of information in order to build a complete topology database. |
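The FW205 condition in the table above can be audited offline against a rulebase export. The following is an added example, not Check Point's own code: it runs over a constructed, simplified rulebase whose field names (`service`, `action`, `enabled`) are an assumption for this example and not the layout of any Check Point export format.

```python
"""Audit a simplified firewall rulebase for the FW205 condition:
rules whose Service & Applications column is Any and whose Action is Accept."""

# Constructed sample rulebase. The field names are an assumption for this
# example, not the layout of any Check Point export format.
SAMPLE_RULEBASE = [
    {"rule": 1, "name": "Mgmt to GW", "source": ["Mgmt_Net"], "destination": ["GW"],
     "service": ["ssh", "https"], "action": "Accept", "enabled": True},
    {"rule": 2, "name": "Temporary open", "source": ["LAN"], "destination": ["Any"],
     "service": ["Any"], "action": "Accept", "enabled": True},
    {"rule": 3, "name": "Old test rule", "source": ["LAN"], "destination": ["Any"],
     "service": ["Any"], "action": "Accept", "enabled": False},
    {"rule": 4, "name": "Cleanup", "source": ["Any"], "destination": ["Any"],
     "service": ["Any"], "action": "Drop", "enabled": True},
]


def is_any_service(services):
    """The Service & Applications column counts as Any when it is empty or
    contains the Any object (name match is case-insensitive)."""
    return not services or any(s.strip().lower() == "any" for s in services)


def fw205_violations(rulebase, include_disabled=False):
    """Return the numbers of rules that allow traffic without restricting the service.
    Disabled rules are skipped by default because they do not pass traffic, but
    include_disabled=True lists them too so they can be cleaned up."""
    hits = []
    for rule in rulebase:
        if not include_disabled and not rule.get("enabled", True):
            continue
        accepts = rule.get("action", "").strip().lower() == "accept"
        if accepts and is_any_service(rule.get("service", [])):
            hits.append(rule["rule"])
    return hits


def fw205_report(rulebase):
    """One-line pass/fail summary in the style of the compliance table."""
    bad = fw205_violations(rulebase)
    status = "Compliant" if not bad else "Non-compliant"
    return f"FW205 {status}: rules with Service=Any and Action=Accept: {bad}"


if __name__ == "__main__":
    print(fw205_report(SAMPLE_RULEBASE))
```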
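Rows OS130, OS131, OS132 and OS134 together describe one password policy (12 characters, four character types, expiry of at most 365 days, no reuse for 3 generations), and OS135 asks for hashed storage. This added example, not Check Point's own code, evaluates a settings dictionary against those thresholds and applies the same rules to a candidate password change; the settings keys and the PBKDF2 history store are assumptions made for the example.

```python
"""Evaluate a password policy against OS130/OS131/OS132/OS134 and apply it to a
password change. The settings keys below are an assumption for this example."""
import hashlib
import hmac
import os
import string

# Thresholds taken from the compliance table.
POLICY = {"OS130": 12, "OS131": 4, "OS132": 365, "OS134": 3}


def audit_settings(settings):
    """Return the IDs of the checks the configured settings fail."""
    failed = []
    if settings.get("min_length", 0) < POLICY["OS130"]:
        failed.append("OS130")
    if settings.get("required_char_types", 0) < POLICY["OS131"]:
        failed.append("OS131")
    # 0 or a missing value means "never expires", which also fails OS132.
    expiry = settings.get("expiration_days") or 0
    if expiry < 1 or expiry > POLICY["OS132"]:
        failed.append("OS132")
    if not settings.get("history_enabled") or settings.get("history_depth", 0) < POLICY["OS134"]:
        failed.append("OS134")
    return failed


def char_types(password):
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


def derive(password, salt):
    # Salted PBKDF2-HMAC-SHA256 stands in for the hashed storage OS135 asks for.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password):
    """Produce the (salt, digest) entry that goes into the password history."""
    salt = os.urandom(16)
    return (salt, derive(password, salt))


def password_acceptable(password, history):
    """history: list of (salt, digest) for previous passwords, newest first.
    Only the last OS134 generations are consulted, as the table prescribes."""
    if len(password) < POLICY["OS130"] or char_types(password) < POLICY["OS131"]:
        return False
    for salt, digest in history[:POLICY["OS134"]]:
        if hmac.compare_digest(derive(password, salt), digest):
            return False
    return True
```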