New Compliance Blade enhancements for R81 Security Management
Solution

R81 Security Management includes new enhancements and fixes for the Compliance Blade.

The following 16 new Security Best Practices/Checks were added in R81 for the Security Gateway (most of them for Gaia OS):

| ID | Name | Description |
|---|---|---|
| FW205 | Check that no rules are configured with both Service & Applications set to Any and Action set to Accept | The Service setting of Any should not be used for any policies that allow traffic. Create security policies specifying the desired ports. Check Point highly recommends that you do not select Any in the Service & Applications column. In particular, do not allow any service when the Action is set to Accept. |
| OS130 | Check that the password contains at least 12 characters | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Check Point recommends that your password contains at least 12 characters. |
| OS131 | Check that the password complexity requires four character types | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Check Point recommends that your password contains upper case letters, lower case letters, numbers, and special characters. |
| OS132 | Check that the password expiration value is set to a maximum of 365 days | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Check Point recommends that you set the password expiration value to a maximum of 365 days, depending on your environment. This way, an attacker has a limited amount of time to compromise a user's password and gain access to your network resources. |
| OS133 | Check that the password history is enabled | The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password, but can still reuse an old one, the effectiveness of the policy is greatly reduced. |
| OS134 | Check that the password history prohibits password reuse for a minimum of 3 generations | The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password, but can still reuse an old one, the effectiveness of the policy is greatly reduced. Check Point recommends prohibiting password reuse for a minimum of 3 generations. |
| OS135 | Check that the hashing algorithm for password storage is enabled | For security reasons, you may want to store passwords in hashed form. This guards against the possibility that someone who gains unauthorized access to the database can retrieve the passwords of every user in the system. Check Point recommends that you use the most recent hashing algorithm. |
| OS150 | Check that a TACACS+ server IP address and key are defined for authentication | TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. Check Point recommends that you define the TACACS+ server IP address and key for authentication. |
| OS155 | Check that only permitted IP addresses are allowed to access and manage the Security Gateway via SSH and HTTPS | By default, the Security Gateway allows access to each service from all IP addresses. To restrict traffic, change each service to allow traffic only from your Management subnet. Allow only permitted IP addresses to access and manage the Security Gateway via SSH and HTTPS. |
| OS160 | Check that SNMP agent usage is enabled | SNMP monitoring is useful for anyone who is responsible for servers and network devices such as hosts, routers, hubs and switches. It lets you keep an eye on network and bandwidth usage, and track important issues such as uptime and traffic levels. Check Point recommends that you use SNMP polling. |
| OS161 | Check that the SNMP agent version is set to v3 | SNMP v3 adds cryptographic security and new concepts, terminology, remote configuration, enhancements, and textual conventions. Check Point recommends that you use SNMP v3 polling. |
| OS162 | Check that SNMP traps are configured to generate SNMP traps for system, traffic, or threat logs | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. |
| OS163 | Check that the SNMP clusterXLFailover trap is defined | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. Check Point recommends that you apply the clusterXLFailover trap. |
| OS164 | Check that the SNMP fanFailure trap is defined | You can use logging and SNMP to monitor the fan status. If there are issues with the fan, you will be able to address them immediately. |
| OS165 | Check that the SNMP lowDiskSpace trap is defined | You can use logging and SNMP to monitor the disk space status. If you have low disk space, you will be able to address it immediately. |
| OS170 | Check that Advanced Routing for OSPF is configured | Open Shortest Path First (OSPF) is a popular link-state routing protocol. Network devices exchange pieces of information in order to build a complete topology database. |
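The Gaia OS checks above are all threshold or on/off tests on individual settings, so they can be pre-validated offline from a configuration export before the Compliance Blade runs. The script below is an added example, not Check Point's code: it parses `set ...` lines in the shape a Gaia clish `show configuration` export produces (the exact keyword paths such as `password-controls min-password-length` and `snmp traps trap clusterXLFailover` are an assumption to verify against your own export), evaluates OS130 to OS134, OS161 and OS163 to OS165 with an absent setting failing closed, and scans a constructed rulebase for FW205 violations (Accept rules whose service column is Any).

```python
"""Offline audit of a Gaia configuration export against the R81 password and
SNMP checks (OS130-OS134, OS161, OS163-OS165), plus a rulebase scan for FW205.
Added example, not Check Point code: the 'set ...' lines imitate the output of
Gaia clish 'show configuration', and the exact keyword paths used here are an
assumption; confirm them against a real export before relying on the keys.
"""

# Constructed sample export (hypothetical values chosen to exercise both passing
# and failing checks; the lowDiskSpace trap line is deliberately absent).
SAMPLE_CONFIG = """\
set hostname gw-lab-1
set password-controls min-password-length 8
set password-controls complexity 2
set password-controls password-expiration 365
set password-controls history-checking on
set password-controls history-length 2
set snmp agent on
set snmp agent-version any
set snmp traps trap clusterXLFailover enable
set snmp traps trap fanFailure disable
"""


def parse_set_lines(text):
    """Turn 'set <path words> <value>' lines into {path: value}.

    Blank lines, comments and non-'set' statements are ignored; the last
    occurrence of a path wins, as it would when replayed in clish.
    """
    cfg = {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        cfg[" ".join(parts[1:-1])] = parts[-1]
    return cfg


def as_int(value):
    """Integer view of a setting, or None for non-numeric values such as 'never'."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


# (check id, config path, predicate on the observed value, what the check expects)
CHECKS = [
    ("OS130", "password-controls min-password-length",
     lambda v: (as_int(v) or 0) >= 12, "minimum length 12"),
    ("OS131", "password-controls complexity",
     lambda v: as_int(v) == 4, "four character types"),
    ("OS132", "password-controls password-expiration",
     lambda v: 1 <= (as_int(v) or 0) <= 365, "expiration at most 365 days"),
    ("OS133", "password-controls history-checking",
     lambda v: v == "on", "history checking on"),
    ("OS134", "password-controls history-length",
     lambda v: (as_int(v) or 0) >= 3, "no reuse for 3 generations"),
    ("OS161", "snmp agent-version",
     lambda v: v.lower().startswith("v3"), "SNMP v3 only"),
    ("OS163", "snmp traps trap clusterXLFailover",
     lambda v: v == "enable", "clusterXLFailover trap enabled"),
    ("OS164", "snmp traps trap fanFailure",
     lambda v: v == "enable", "fanFailure trap enabled"),
    ("OS165", "snmp traps trap lowDiskSpace",
     lambda v: v == "enable", "lowDiskSpace trap enabled"),
]


def audit_gaia(config_text):
    """Return {check id: (passed, observed value)}; an absent setting fails closed."""
    cfg = parse_set_lines(config_text)
    results = {}
    for check_id, path, passes, _expected in CHECKS:
        value = cfg.get(path)
        results[check_id] = (value is not None and passes(value), value)
    return results


def failing_checks(config_text):
    """Sorted ids of the checks the export does not satisfy."""
    return sorted(cid for cid, (ok, _) in audit_gaia(config_text).items() if not ok)


# Constructed rulebase rows, shaped loosely like Access Control rules
# (rule name, list of service names, action); the field layout is an assumption.
SAMPLE_RULEBASE = [
    {"name": "mgmt-ssh", "service": ["ssh"], "action": "Accept"},
    {"name": "allow-all-out", "service": ["Any"], "action": "Accept"},
    {"name": "cleanup", "service": ["Any"], "action": "Drop"},
]


def fw205_violations(rules):
    """Names of rules that accept traffic with the service column set to Any."""
    return [r["name"] for r in rules
            if r["action"] == "Accept"
            and any(s.lower() == "any" for s in r["service"])]


if __name__ == "__main__":
    for cid, (ok, seen) in audit_gaia(SAMPLE_CONFIG).items():
        print(f"{cid}: {'PASS' if ok else 'FAIL'} (observed: {seen})")
    print("FW205 violations:", fw205_violations(SAMPLE_RULEBASE))
```

Treating a missing setting as a failure (rather than skipping it) matters for OS165 in the sample: the trap is simply never configured, and a checker that only evaluated keys it found would report nothing. The `password-expiration` predicate also rejects a non-numeric value such as `never`, since that is the case OS132 is meant to catch.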


The following Compliance technical issues were fixed in R81:

- Fix for TM-504: Compliance Blade results are altered by Cloud Gateway.
- Compliance is shown as "poor" even though it is strong.
- Compliance Blade "Publish changes" takes a long time.
- Fix for using 'any' in the service column for a custom firewall best practice.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
