ATRG: Compliance Blade (Pre-R80.10)
Solution

Table of Contents

  • Overview
  • Key Features
    • Best Practice Tests
    • Regulatory Compliance
    • Supported Regulatory Standards
    • Continuous Compliance Monitoring
    • Compliance Alerts
    • Optimal Performance
  • Working with the Check Point Compliance Blade
  • System Requirements
  • The Check Point Compliance Blade User Interface
    • The Overview Pane
    • Searching, Grouping, Sorting
    • Working with Alerts and System Messages
  • Enforcing Best Practices
    • Activating Best Practice tests
    • Deactivating Tests
    • Running a Manual Scan
  • Working with Regulatory Compliance
    • Activating and Deactivating Regulatory Standards
  • Working with Action Items
    • Corrective Steps
  • Running Reports
  • Exporting Data
  • Troubleshooting
    • Initial Installation of the Software
    • Licensing
    • Post install - Initial Scan
    • Resolution issues
    • Exclusions - Deactivating a Best Practice, or object within a Best Practice
    • Action Items
    • Save in Other Blades
    • Report Generation
    • Excel Export
    • Gateway Favorites
    • Inactive Objects
    • Install Policy
    • Help File
    • Scoring
    • "NA" Best Practices
    • Conditional Best Practices
  • Debugging
    • Rescan issues
  • Important Notes

 

Overview

The Check Point Compliance Blade is a dynamic solution that continuously monitors the Check Point security infrastructure. This unique product examines your Security Gateways, Blades, policies and configuration settings in real time. It compares them with an extensive database of regulatory standards and security best practices. The Check Point Compliance Blade includes many graphical displays and reports that show compliance with the applicable regulatory standards.

 

Key Features

  • Best Practice Tests

    The Check Point Compliance Blade has a library of Check Point-defined tests to use as a baseline for good gateway and policy configuration. A Best Practice test is related to specified regulations in different regulatory standards. It describes compliance status and recommends corrective steps.

    • Global Tests - Examine all applicable configuration settings in the organization.
    • Object-based Tests - Examine the configuration settings for specified objects (gateways, profiles and other objects).
  • Regulatory Compliance

    The Check Point Compliance Blade monitors the status of applicable regulations and shows them in an easy-to-read view. Each line shows the status, compliance score, and best practices for one or more related tests and for related gateways and policies.

  • Supported Regulatory Standards

    This Check Point Compliance Blade release supports these regulatory standards:

    | Standard | Location | Description |
    | --- | --- | --- |
    | Australian Privacy Principles | Australia | The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act), outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called 'APP entities') must handle, use and manage personal information. |
    | CIPA | USA | The Children's Internet Protection Act (CIPA) requires that K-12 schools and libraries in the United States use Internet filters and implement other measures to protect children from harmful online content as a condition for federal funding. It was signed into law on December 21, 2000, and was found to be constitutional by the United States Supreme Court on June 23, 2003. |
    | CJIS | USA | A joint program of the FBI, State Identification Bureaus, and CJIS Systems Agency, the Criminal Justice Information Services (CJIS) Security Policy outlines the security precautions that must be taken to protect sensitive information like fingerprints and criminal backgrounds gathered by local, state, and federal criminal justice and law enforcement agencies. The CJIS Security Policy contains specific requirements for wireless networking, remote access, encryption, certification of cryptographic modules, and minimum key lengths. |
    | CobiT 4.1 | USA | COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework and supporting tool set created by international professional association ISACA for information technology (IT) management and IT governance. COBIT allows managers to bridge the gap between control requirements, technical issues and business risks. |
    | DSD | Australia | First published in February 2010, and revised for 2014, the Australian Signals Directorate (ASD), also known as the Defence Signals Directorate (DSD), has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems. This guidance is informed by ASD's experience responding to cyber security incidents and performing vulnerability assessments and penetration testing for Australian government organisations. |
    | FIPS 200 | USA | Federal Information Processing Standard (FIPS) Publication 200. It is the second of the mandatory security standards, FIPS 199 being the first one, defined by the Federal Information and Information Systems of the United States Federal Government. FIPS 200 is the Standards for Security Categorization. The FIPS 200 standard emphasizes more security during the development, implementation, and operation of more secure information systems. FIPS 200 defines 17 security areas covered under confidentiality, integrity, and availability (CIA) of federal information systems and the information processed, stored, and transmitted by those systems. |
    | Firewall STIG | International | Firewall Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing Firewalls. |
    | GLBA | USA | Gramm-Leach-Bliley Act. These regulations include financial privacy guidelines and safeguards related to information security. |
    | GPG13 | UK | Of the 35 guides, the Good Practice Guide 13 (GPG13) defines requirements for 12 Protective Monitoring Controls (PMC), which comprise tasks such as event log management and use of intrusion detection and prevention systems. Local authorities are required to conform to GPG13 in order to prevent accidental or malicious data loss. As connection to GCSX encompasses access to sensitive and confidential data, compliance with GPG13 is imperative for protecting privacy and preventing data breaches. It is imperative that logs are collected from systems that provide the security mechanisms. |
    | HIPAA Security | USA | Health Insurance Portability and Accountability Act of 1996. These regulations require government agencies, insurers and health care providers to protect all data that they collect, maintain or use. |
    | ISO 27001 | International | Standards for the implementation of Information Security Management Systems (ISMS). This standard includes 133 control objectives that cover organizational security architecture. |
    | ISO 27002 | International | Supplemental controls and best practices for implementation of Information Security Management Systems (ISMS). This standard includes detailed control objectives that are applicable to certain industries. |
    | ISO/IEC 27001_2013 | International | ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. |
    | Katakri 3.0 | Finland | Katakri 3.0 refers to the Finnish National Security Authority's National Security Auditing Criteria. Katakri is divided into four sub-divisions: Administrative, Personnel, Physical, and Information Assurance. Katakri provides different levels of security requirements. The Check Point Katakri mapping is based on 'Requirements for the base level (IV)'. |
    | MAS TRM | Singapore | Various Technology Risk Management (TRM) guidelines for Monetary Authority of Singapore (MAS). |
    | NCIPA | USA | The Neighborhood Children's Internet Protection Act (NCIPA) sets guidelines for a library's "policy of Internet safety". This policy must address: "(I) access by minors to inappropriate matter on the Internet and World Wide Web; (II) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (III) unauthorized access, including so-called 'hacking', and other unlawful activities by minors online; (IV) unauthorized disclosure, use, and dissemination of personal identification information regarding minors; and (V) whether the school or library, as the case may be, is employing hardware, software, or other technological means to limit, monitor, or otherwise control or guide Internet access by minors". NCIPA also requires a library to "...provided reasonable public notice and held at least one public hearing or meeting which addressed the proposed Internet use policy." |
    | NERC CIP | USA | The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. |
    | NERC CIP (v.5) | USA | The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. On November 22, 2013, FERC approved Version 5 of the critical infrastructure protection cybersecurity standards (CIP Version 5), which represent significant progress in mitigating cyber risks to the bulk power system. In 2014, NERC initiated a program to help industry transition directly from the currently enforceable CIP Version 3 standards to CIP Version 5. The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP Version 5, as well as the expectations for compliance and enforcement. |
    | NIST 800-41 | USA | National Institute of Standards and Technology (NIST) guidelines for firewalls and firewall policies. |
    | NIST 800-53 | USA | National Institute of Standards and Technology (NIST) recommended security controls for federal government information systems and organizations. |
    | PCI DSS 2.0 | USA | PCI DSS 2.0 (Payment Card Industry Data Security Standard Version 2.0) is the second version of the Payment Card Industry Data Security Standard (PCI DSS) released in October 2010. |
    | PCI DSS 3.0 | USA | PCI DSS 3.0 (Payment Card Industry Data Security Standard Version 3.0) is the third version of the Payment Card Industry Data Security Standard (PCI DSS) released in November 2013. |
    | PPG 234 | Australia | Prudential Practice Guide (PPG) aims to assist regulated institutions in the management of security risk in information and information technology (IT). It is designed to provide guidance to senior management, risk management and IT security specialists (management and operational). The PPG targets areas where APRA continues to identify weaknesses as part of its ongoing supervisory activities. The PPG does not seek to provide an all-encompassing framework, or to replace or endorse existing industry standards and guidelines. |
    | Protection of Personal Information Act, 2013 | South Africa | Protection of Personal Information (POPI) Act governs the way personal information is collected, stored, used, disseminated and deleted. |
    | SOX | USA | Sarbanes-Oxley (SOX) act is intended to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. |
    | Statement of Controls (ISAE 3402) | International | International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting. |
    | UK Data Protection Act | UK | The British Data Protection Act controls how personal information is used by organisations, businesses or the government. |

  • Continuous Compliance Monitoring

    Continuous Compliance Monitoring (CCM) is a dynamic technology that examines compliance parameters on an ongoing basis. The Check Point Compliance Blade uses CCM to examine Security Gateways and security policies on this basis:

    • Daily - An automatic scan runs one time each day and finds changes to gateway and policy configurations made with CLI or scripts.
    • SmartDashboard changes - An automatic scan runs when an administrator changes objects that have an effect on gateway or policy configuration.

    You can also run a manual scan, as necessary.

  • Compliance Alerts

    If administrator actions cause a degradation of the compliance status, the Check Point Compliance Blade displays an alert with details of the issue. It also generates an action item to monitor corrective steps.

  • Optimal Performance

    The Check Point Compliance Blade does not have an adverse effect on network throughput or client performance.

 

Working with the Check Point Compliance Blade

This is the recommended workflow for the Check Point Compliance Blade:

  1. View - Use the Check Point Compliance Blade tools to examine and monitor compliance status.
  2. Plan - Manage Check Point Compliance Blade automatically generated Action Items.
  3. Act - Correct compliance issues as recommended by the Action Items. You can see the updated compliance status when you run Check Point Compliance Blade scans.

 

System Requirements

  • Check Point Compliance Blade is supported starting in R77 GA.

  • For R75.40 and R75.45 versions, a special hotfix can be offered.

    See Check Point Compliance Blade R75.40 and R75.45 Release Notes.

    You cannot upgrade to higher versions when this hotfix is installed.
    If you do this, the Check Point Compliance Blade is not available.

 

The Check Point Compliance Blade User Interface

Connect with SmartDashboard to the Security Management Server / Domain Management Server, then go to the 'Compliance' tab.

The 'Overview' pane shows the overall compliance status of your organization.
Select the different branches in the navigation tree to see more details.

The Navigation Tree contains different branches with more details:

  • Overview
  • Security Best Practices
  • Gateways
  • Regulatory Requirements
  • Messages and Action Items
  • Settings
  • Reports

 

  • The Overview Pane

    The 'Overview' pane shows the overall status for the organization with these elements:

    | Widget | Description |
    | --- | --- |
    | Security Best Practices Compliance | Displays compliance status information for each Best Practice. To see Best Practices recommendations filtered by status, click a status. To see all Best Practices, click on 'More Details'. |
    | Gateways | Displays Security Status by Gateway - Security Gateways with the highest compliance scores, lowest compliance scores, or a predefined set of Favorites. To see the results for a specific Security Gateway, click on its name. To see the results for all gateways, click on 'See All Gateways'. |
    | Blades | Displays Security Status by Blade - the average scores for the five Software Blades with the most Security Best Practices. To see the results for a specific Software Blade, click on that blade. To see the results for all Software Blades, click on 'More Details'. |
    | Regulatory Compliance | Displays compliance statistics for selected regulatory standards, in accordance with Security Best Practice results: the number of regulatory requirements examined for each regulatory standard, and the average compliance scores. The number of regulatory standards shown is dependent on your screen resolution. |
    | Action Items and Messages | Displays the updated status of pending action items for your organization: Upcoming (action items with due dates in the next 30 days), Future (action items with due dates of more than 30 days), Unscheduled (action items without defined due dates), Overdue (action items that are overdue). |

    Let us describe each widget:

    • Security Best Practices Compliance

      This widget displays compliance status information for each Best Practice.

      The Check Point Compliance Blade calculates a numeric score for each Best Practice test, which is the
      average of the results for each object examined. Average scores can be given for the organization, Security
      Gateways, Software Blades, and regulations.

      This is the Check Point Compliance Blade scoring system:

      | Security Status | Score in % |
      | --- | --- |
      | Low | 0 - 50 |
      | Medium | 50 - 75 |
      | High | 75 - 99 |
      | Secure | 100 |
      | N/A | Not Applicable |

      A category can show 'N/A' scores if:

      • The applicable Software Blade is not installed on the Security Management Server.
      • The Security Gateway does not support the examined feature.

      Many Best Practice tests are boolean: either compliant, or not.

      • Non-compliant score = 0
      • Compliant score = 100

      Other Best Practice tests calculate a score based on the degree of compliance.

      To see details of a Best Practice test:
      Click on the status category, or on 'More Details'.
      In the top table, see the results of the Best Practice tests:

      • Active - Select to activate the Best Practice test. Clear to deactivate it.
      • Blade - Blade related to this Best Practice.
      • ID - Check Point Compliance Blade ID assigned to the Best Practice.
      • Name - Name and brief description of the regulatory requirement.
      • Status - Low, Medium, High, Secure, or N/A. We recommend that you resolve "Low" status items immediately.

      In the bottom section, you can see these items for the selected test:

      • Description - What the selected Best Practice test looks for.
      • Action Item - Steps required to become compliant, including alternative scenarios.
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - List of all regulatory standards that include the Best Practice test that generated the selected action item.
    • Gateways

      This widget displays Security Status by Gateway - the five Security Gateways with the highest compliance scores, lowest compliance scores, or a predefined set of Favorites.

      To see the Best Practice test results for a specific Security Gateway, click on its name.

      To see the results for all gateways, click on "See All Gateways".

      Click on a Security Gateway / Cluster object in this window to see the details.
      In the top table, see the Best Practice tests for the selected Security Gateway:

      • Software Blade
      • ID - Check Point Compliance Blade ID assigned to the Best Practice.
      • Name - Best Practice test name and brief description.
      • Status - Low, Medium, High, Secure, or N/A

      In the bottom part, you can see these items:

      • Description - What the test looks for
      • Action Item - Steps required to become compliant, including alternative scenarios.
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - List of all regulatory standards that include the Best Practice test that generated the selected action item.
    • Blades

      This widget displays Security Status by Blade - the average scores for the five Software Blades with the most Security Best Practices.

      To see the results for a specific Software Blade, click on that blade.

      To see the results for all Software Blades, click on "More Details".

      In the top table, see the Action Items for the selected blade:

      • Active - Select to activate the Best Practice test. Clear to deactivate it.
      • Blade - Blade related to this Best Practice.
      • ID - Check Point Compliance Blade ID assigned to the Best Practice.
      • Name - Name and brief description of the regulatory requirement.
      • Status - Low, Medium, High, Secure, or N/A. We recommend that you resolve "Low" status items immediately.

      In the bottom section, you can see these items for the selected Best Practice test:

      • Description - Detailed description of the Best Practice test.
      • Action Item - Steps required to become compliant, including alternative scenarios.
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - List of all regulatory standards that include the Best Practice test that generated the selected action item.
    • Regulatory Compliance

      This widget displays compliance statistics for selected regulatory standards, in accordance with Security Best Practice results:

      • Number of regulatory requirements examined for each regulatory standard
      • Average compliance scores

      The number of regulatory standards shown is dependent on your screen resolution.

      To select the regulatory standards shown:

      1. Click the configuration icon in the top right corner of the pane.
      2. In the Select Regulations and Standards window, select the standards to show in the Overview.

      To see the compliance score for all regulatory requirements, click "See all Regulations". The All Regulatory Requirements window opens.
      To see details of a standard, click the name of the standard in the Overview pane or in the All Regulatory Requirements window. The Regulatory Requirements pane for the selected standard opens.
      In the top table, see the results of Best Practice tests for the selected regulatory standard:

      • Check Point Compliance Blade ID.
      • Status (Low, Medium, High, Secure, or N/A).
      • Name of the regulation, taken from the published standard.

      In the bottom section, you can see items for the selected regulation:

      • Description - What the standard requires.
      • Relevant Best Practices - Best Practice tests for the selected requirement, and their compliance status.
      • Relevant Objects - Objects related to the selected requirement and their status. You can activate or deactivate enforcement of the selected requirement for specified objects (this section shows only when the selected requirement is applicable to specified objects.)
    • Action Items and Messages

      This widget displays the updated status of pending action items for your organization:

      • Upcoming - Action items with due dates in the next 30 days.
      • Future - Action items with due dates of more than 30 days.
      • Unscheduled - Action items without defined due dates.
      • Overdue - Action items that are overdue.

      Note: It is a best practice to resolve overdue action items immediately.

      If your screen resolution is high, the Alert and System messages show in the bottom section of the pane. Use the arrows to scroll through the messages.

      If your screen resolution is low, two buttons show in the bottom section of the pane.

      • To see alert messages, click "Compliance Alerts". They open in the 'Overview' pane.
      • To see messages about the Check Point Compliance Blade, click "System Messages". They open in the 'Overview' pane.

      To open the action items for a status category, click that category or its section in the pie chart. The 'Action Items' pane opens.

      In the top table, see the pending Action Items:

      • Due Date - Optionally assigned due date for resolving this Action Item. A due date is not automatically assigned when an Action Item is generated.
      • Related Software Blade
      • Check Point Compliance Blade ID
      • Status - Low, Medium, High, Secure, or N/A. We recommend that you resolve "Low" status items immediately.

      In the bottom section, you can see this information about the selected Action Items:

      • Action Item Description - Steps required to become compliant, including alternative scenarios.
      • Due Date - Optionally assigned due date for resolving this Action Item. You can assign or change a due date here (see "Working with Action Items").
      • Dependency - Shows when the selected Best Practice is dependent on a different Best Practice. The selected Best Practice test is not performed unless the other Best Practice test is compliant.
      • Relevant Objects - Objects related to the selected Best Practice test and their status. You can activate or deactivate the selected Best Practice test for specified objects (this section shows only when the selected Best Practice test is applicable to specified objects.)
      • Relevant Regulatory Requirements - List of all regulatory standards that include the Best Practice test that generated the selected action item.
  • Searching, Grouping, Sorting

    In the Check Point Compliance Blade panes, enter a string in the search field to filter results.

    To search for values in a field, enter: field_name:string

    To group results, select "Blade" or "Status" in the grouping field.

    To sort the results by the values in a field, click that field header.

  • Working with Alerts and System Messages

    You use the Alerts and System Message pane to see alerts generated when a configuration change causes compliance status degradation. You can also see messages that are automatically generated by the Check Point Compliance Blade.

    To see the details of a system message, double-click it. The Alert Details window opens.

 

Enforcing Best Practices

You can activate or deactivate enforcement of Best Practice tests by test (for the organization), by gateway, by Software Blade or by other objects. Activation changes are applied after the next scan.

  • Activating Best Practice tests

    By default, all Best Practice tests are active.

    To activate a Best Practice test that is not currently active:

    1. Select a Best Practice test in the top section, or in the Related Objects section.
    2. Select "Active".
  • Deactivating Tests

    You can deactivate Best Practice tests globally for the organization or for specified objects (gateways,
    blades or profiles).

    To deactivate a Best Practice test for all of the organization:

    1. In 'Compliance' tab > 'Best Practices', clear the "Active" option for the Best Practice test.
    2. When prompted, enter an explanation. A comment is required to show why it is necessary to stop running this compliance test.
    3. Optional: Define an expiration date. If you define an expiration date, the deactivated test is automatically activated on that date.

    To make a Best Practice test active again:

    1. Open 'Settings' > 'Inactive Objects'. De-activated Best Practice tests are shown in the Inactive Best Practices section.
    2. Select a Best Practice in the list.
    3. Click "Delete" (or select the Active option in the Best Practices pane.)

    To change the comment or expiration date:

    • Double-click a Best Practice test in the Inactive Objects pane.

    To deactivate Best Practice tests for specified gateways:

    1. Open 'Settings' > 'Inactive Objects'.
    2. In the Inactive Gateways section, click the "+" (plus) icon.
    3. Enter or select a gateway or cluster. The selected gateways show in the Inactive Gateways list.

    To remove a gateway from the Inactive Gateways list:

    1. Select the gateway.
    2. Click the "-" (minus) icon.
    3. When prompted, click "Yes".

    To deactivate a Best Practice test for a specified object:

    1. In 'Compliance' tab > 'Best Practices', select the Best Practice test.
    2. In the Relevant Objects section, clear the "Active" option for the object.

      An object can be a gateway, policy, profile or other object.

    3. When prompted, enter an explanation. A comment is required to show why it is necessary to stop running this compliance test.
    4. Optional: Define an expiration date. If you define an expiration date, the deactivated test is automatically activated on that date.

    To make an object active again for Best Practice tests:

    1. Open 'Settings' > 'Inactive Objects'. The de-activated Best Practice test is in the "Inactive Best Practices on Specific Objects" section.
    2. Select the Best Practice test.
    3. Click "Delete" (or select the Active option in 'Best Practices' > 'Relevant Objects' of the selected Best Practice test.)
  • Running a Manual Scan

    We recommend that you run a manual scan after:

    • You add objects to your Check Point environment.
    • You activate or de-activate a Best Practice test.

    To run a manual scan:

    1. Open the Compliance tab.
    2. In the Navigation tree, select "Settings".
    3. On the Settings page, click "Rescan".

    Note: While a scan is running, you cannot work with the Compliance tab.
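
The scoring rules from the Overview pane and the deactivation rules in this section interact: an exclusion removes an object's result from a test's average, and a dependent test is skipped when the test it depends on is not compliant. The Python sketch below is an added example, not Check Point code, that recomputes two scans before and after an exclusion expires. The test IDs, gateway names and sample scores are constructed, and placing boundary scores (50, 75) in the higher band and treating "compliant" as a score of 100 are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


def status_for(score: Optional[float]) -> str:
    # The scoring table lists 50 and 75 in two bands each.
    # ASSUMPTION: a boundary score belongs to the higher band.
    if score is None:
        return "N/A"
    for floor, name in ((100, "Secure"), (75, "High"), (50, "Medium")):
        if score >= floor:
            return name
    return "Low"


@dataclass
class BestPractice:
    test_id: str                         # constructed IDs, not real blade IDs
    blade: str
    results: Dict[str, Optional[float]]  # object -> 0..100, None = unsupported
    depends_on: Optional[str] = None


@dataclass
class Exclusion:
    test_id: str
    comment: str                         # an explanation is always required
    object_name: Optional[str] = None    # None = deactivated for the organization
    expires: Optional[date] = None       # the test is active again on this date

    def in_force(self, scan_day: date) -> bool:
        return self.expires is None or scan_day < self.expires


def run_scan(tests: List[BestPractice], exclusions: List[Exclusion],
             scan_day: date) -> Dict[str, dict]:
    """Return {test_id: {"score", "status"}} for a scan on scan_day."""
    live = [e for e in exclusions if e.in_force(scan_day)]
    off_tests = {e.test_id for e in live if e.object_name is None}
    off_objects = {(e.test_id, e.object_name) for e in live if e.object_name}
    by_id = {t.test_id: t for t in tests}
    out: Dict[str, dict] = {}

    def evaluate(test_id: str) -> dict:
        if test_id in out:
            return out[test_id]
        test = by_id[test_id]
        if test_id in off_tests:
            # "Inactive" and "Not performed" are labels of this sketch.
            res = {"score": None, "status": "Inactive"}
        elif test.depends_on and evaluate(test.depends_on)["score"] != 100:
            # ASSUMPTION: a dependency counts as compliant only at score 100.
            res = {"score": None, "status": "Not performed"}
        else:
            # Average per-object results; skip excluded and unsupported objects.
            vals = [v for obj, v in test.results.items()
                    if v is not None and (test_id, obj) not in off_objects]
            score = mean(vals) if vals else None
            res = {"score": score, "status": status_for(score)}
        out[test_id] = res
        return res

    return {t.test_id: evaluate(t.test_id) for t in tests}


def blade_averages(tests: List[BestPractice], scan: Dict[str, dict]) -> Dict[str, float]:
    """Average the scored tests of each Software Blade."""
    per_blade: Dict[str, list] = {}
    for t in tests:
        if scan[t.test_id]["score"] is not None:
            per_blade.setdefault(t.blade, []).append(scan[t.test_id]["score"])
    return {blade: mean(vals) for blade, vals in per_blade.items()}


def open_ended(exclusions: List[Exclusion]) -> List[Exclusion]:
    """Exclusions with no expiration date never re-activate on their own."""
    return [e for e in exclusions if e.expires is None]


# Constructed sample data: three gateways, four tests, two exclusions.
TESTS = [
    BestPractice("BP-1", "Firewall", {"gw-a": 100, "gw-b": 0, "gw-c": 100}),
    BestPractice("BP-2", "Firewall", {"gw-a": 100, "gw-b": 100, "gw-c": 0}, "BP-1"),
    BestPractice("BP-3", "IPS", {"gw-a": 60, "gw-b": None, "gw-c": 90}),
    BestPractice("BP-4", "IPS", {"gw-a": 0}),
]
EXCLUSIONS = [
    Exclusion("BP-1", "gw-b is a lab gateway", "gw-b", date(2024, 6, 1)),
    Exclusion("BP-4", "accepted risk"),
]

if __name__ == "__main__":
    for day in (date(2024, 5, 1), date(2024, 6, 1)):
        scan = run_scan(TESTS, EXCLUSIONS, day)
        print(day, {k: v["status"] for k, v in scan.items()}, blade_averages(TESTS, scan))
    print("no expiry:", [e.test_id for e in open_ended(EXCLUSIONS)])
```

While the gw-b exclusion is in force, BP-1 reads as Secure; once it expires, BP-1 drops to Medium and the dependent BP-2 is no longer performed, which is why exclusions and their expiration dates deserve review alongside the scores.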

 

Working with Regulatory Compliance

Regulatory Requirements shows the Check Point Compliance Blade Best Practice tests that examine compliance with the requirements of standards and regulations.

To see the regulations and their status:

  1. Go to the Compliance tab and expand "Regulatory Requirements".
  2. Click a regulatory standard. The selected regulatory standard pane opens.

Instructions:

  • Activating and Deactivating Regulatory Standards

    You can select the regulatory standards that are applicable to your organization. By default, all supported regulatory standards are active.

    To activate or deactivate regulatory standards:

    1. In the navigation tree, click "Settings".
    2. Select the regulatory standards that are applicable for your organization.
    3. Clear the regulatory standards that are not applicable for your organization.

    To test compliance with a standard:

    • Click "Rescan".

 

Working with Action Items

When a Best Practice test finds a deficiency, the Check Point Compliance Blade automatically generates an Action Item. You can assign a due date to an Action Item and monitor corrective steps. Action Items are not assigned a due date when they are generated.

When you complete the corrective steps, the Check Point Compliance Blade deletes the Action Item after the next scan.

To assign a due date for an Action Item:

  1. Open 'Messages and Action Items' > 'Action Items'.
  2. Select an Action Item.
  3. In the Action Item Description section, click "Schedule Now". If the Action Item already has an assigned due date, click "Change" to change it.
  4. In the window that opens, enter or select a due date and then click "OK".

To delete an action item:

  1. Deactivate the applicable Best Practice test (see "Deactivating Tests").
  2. Run a manual scan: 'Settings' > 'Rescan'.

Instructions:

  • Corrective Steps

    To resolve compliance issues, change the applicable configuration settings for:

    • Security Gateways
    • Software Blades
    • Policies and rules
    • Users and user groups
    • Computers and computer groups
    • Other SmartDashboard objects

    The Check Point Compliance Blade has features that help you to quickly implement corrective steps in SmartDashboard. The Action Items pane shows a helpful description for each Action Item, which gives suggestions to correct the related configuration. You can also correct some issues with the command line.

    You can correct many issues quickly and easily. For some objects, you can double-click the object in the Relevant Objects section to open its configuration window in SmartDashboard. For example, if you double-click a gateway object, the Gateway General Properties window opens. If you double-click a profile object, the General Properties window for that profile opens.

    If an Action Item does not have a link to an object, use the description to guide you through the configuration steps.

 

Running Reports

Generate reports for status summary and details of Best Practice tests and Action Items.

  • Overview - Shows the summary data included in the Overview pane:
    • Summaries of gateways
    • Summaries of regulatory standards
    • Detailed lists of Best Practice tests
    • Action items.
  • By Regulation - Shows a summary of the regulatory requirements and a detailed list of the Best Practice tests included in each requirement.

To generate a report, select "Reports" on the Navigation tree and then select a report. The report shows in a pane with the report name as the title.

From the report pane, you can create reports in these output formats:

  • PDF document

  • Email with attached PDF document

  • Output to printer

  • Output HTML to your Web browser

 

Exporting Data

You can export the data shown in the selected pane to a Microsoft Excel® file. This lets you save the results for archiving, auditing, and analysis of historical trends and data relationships.

To export data to an Excel file:

  1. Open a Check Point Compliance Blade pane.
  2. Click "Export".
  3. Enter path and filename.
  4. Click "Save".

 

Troubleshooting

  • Initial Installation of the Software

    • Versions: R75.40, R75.45 hotfix (see sk92470).

    • What can go wrong?

      1. Other Hotfixes already installed

        1. Other Hotfixes, based on R75.40 or R75.45, already installed
        2. During GRC Hotfix installation you might get an error message stating that another Hotfix is already installed and that it might be overridden.
        3. If you get this message, it is not recommended to select "Yes".
          If you select "Yes", the GRC Hotfix will be installed and the other Hotfixes might be overridden.
        4. If you select "No", then the GRC Hotfix will not be installed.
        5. If the customer encounters an issue that had been fixed in the past via a Check Point Hotfix, but appeared again after installing the GRC Hotfix, contact Check Point Support.
        6. Check Point Support should be able to get the relevant information either from the cpinfo or from the installation logs (/opt/CPInstLog/*, $FWDIR/log/upgrade_log.elg*).
          (The logs should specify any issue that occurs during installation, including overriding of an existing Hotfix.)


      2. Blade activation issues

        • Symptom: In SmartDashboard, in the Compliance Blade tab, you see "The compliance blade is not activated" message, and you cannot navigate in the tab's pages.

        • Troubleshooting:

          1. In SmartDashboard, check the Security Management Server object. Verify that the "Compliance Blade" box is checked in the Management Blades section.



          2. You can also verify that in the $FWDIR/conf/objects_5_0.C file, the correct value is set. Search for the string :compliance_blade and check that its value is "true".



      3. Connectivity to the Security Management Server / Multi-Domain Security Management Server

        • Symptom: If the Security Management Server IP Address that the customer used to login to the SmartDashboard is not identical to the IP Address set on the Management object, there will be problems with connectivity to the Security Management Server.

          1. If that is the case, then the customer may still be able to login and access the Compliance tab, but he will get "The compliance blade is not activated" message.
          2. This issue might be encountered when a user has configured his Security Management Server with 2 or more interfaces (One for logging in with SmartDashboard and one to communicate with the gateways). For example:

  • Licensing

    • No license installed error message

      1. If no license is installed, the user will probably first encounter this error message when trying to access the Compliance Blade tab in SmartDashboard.
      2. The output of the cplic print command is useful for troubleshooting this issue:

        • The output should contain (at least) one of the following:

          • CPSB-COMP-U
          • CPSB-COMP-150
          • CPSB-COMP-50
          • CPSB-COMP-25
          • CPSB-COMP-5


    • Additional licensing issues: (conflicts, containers)

      • Scenario 1: Single Management

        • Customer must purchase a Compliance Blade license according to the number of (supported*) gateway objects.

          • If you have 3 gateways, you must buy a 5 gateway license.
          • If you have 10 gateways, you must buy a 25 gateway license.
          • If you have bought a 5 gateway license, but you have 6 (or more) gateways, the license will not work.
          • If you have bought a 5 gateway license, and you have 5 gateways, but you later add an additional gateway object, after the next scan, the license will cease to work.
          • The license is "additive".


        • *Supported Objects: The Compliance Blade currently only supports regular Gateways and Clusters.

          • This means that currently all other objects will not be taken into consideration when counting the licenses.
          • If a customer has a single Management, with 50 gateways, but only 5 are regular gateways, and the other 45 are Edge gateways, the customer can legitimately attach a 5 gateway license and it will work (because Check Point currently only counts "supported" objects).
          • For a gateway cluster network object with two gateway cluster members, the compliance blade license count would be for two gateways.



      • Scenario 2: Multiple Managements (but not Multi-Domain Management)

        • A license must be installed on each Management (assuming the customer wants to install the Compliance Blade on each Management).

          • If the customer has Management A with 5 gateways, and Management B with 20 gateways, he needs to buy a 5 gateway license for Management A, and a 20 gateway license for Management B.
          • He cannot buy a 25 gateway license and split it between his two Managements.


        • All other comments are the same as for Single Management, above.


      • Scenario 3: Multi-Domain Management

        • Whatever license is installed on the Multi-Domain Management container, is pushed down to all the connected CMAs.

          • If there is a Multi-Domain Management, with CMA X, CMA Y, and CMA Z, and the customer installs a 5 gateway license on the Multi-Domain Management, a 5 gateway license is pushed down to CMA X, Y and Z.
          • Likewise, if he installs a 25 gateway license on the Multi-Domain Management, a 25 gateway license is pushed down to all connected CMAs.


        • Each CMA will be checked like a Single Management (see above):

          • If there are 10 supported gateways on the CMA, and the customer received a 5 gateway license from its linked Multi-Domain Management, the license will not work on this CMA.
          • Suppose a customer has a Multi-Domain Management with 20 CMAs, where 19 of the CMAs have 3 gateways each and 1 CMA has 20 gateways. If he installs a 5 gateway license on the Multi-Domain Management, the license is pushed to all 20 CMAs, but only 19 of them will work.
          • If he installs a 25 gateway license on the Multi-Domain Management, all the CMAs will work.
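
The counting rules from the three licensing scenarios above, worked through in shell as an added example (not Check Point code). The license lines and the inventory format are constructed, and treating CPSB-COMP-U as unlimited is an assumption.

```shell
#!/bin/sh
# Added example: models the license counting rules described above.
# Not Check Point code. All sample data below is constructed.

# Constructed license line (layout assumed; only the CPSB-COMP-* token matters).
SAMPLE_LICENSES='192.0.2.10 never CPSB-COMP-5 CK-EXAMPLE'

# Constructed inventory: "<management> <object> <type> <cluster members>".
SAMPLE_INVENTORY='cma-x gw-x1 gateway 1
cma-x gw-x2 gateway 1
cma-x cl-x cluster 2
cma-y gw-y1 gateway 1
cma-y edge-y1 edge 1
cma-y edge-y2 edge 1
cma-z cl-z1 cluster 2
cma-z cl-z2 cluster 2
cma-z gw-z1 gateway 1
cma-z gw-z2 gateway 1'

# Sum the capacity of every CPSB-COMP-<n> token on stdin (licenses are additive).
# Assumption: CPSB-COMP-U means an unlimited gateway count.
license_capacity() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "CPSB-COMP-U") { unlimited = 1; continue }
                if ($i ~ /^CPSB-COMP-[0-9]+$/) {
                    n = $i; sub(/^CPSB-COMP-/, "", n); total += n
                }
            }
        }
        END { if (unlimited) { print "unlimited" } else { print total + 0 } }
    '
}

# Print "ok" when the capacity covers the supported gateway count.
license_status() {   # $1 = capacity, $2 = supported gateway count
    if [ "$1" = "unlimited" ] || [ "$1" -ge "$2" ]; then
        echo ok
    else
        echo insufficient
    fi
}

# Each management (or CMA) is checked on its own against the same capacity.
# Regular gateways count 1, clusters count one per member, other types count 0.
# Prints "<management> <supported count> <status>" per management.
per_management_report() {   # $1 = capacity, inventory on stdin
    awk '
        NF < 4 { next }
        { seen[$1] = 1 }
        $3 == "gateway" { c[$1] += 1 }
        $3 == "cluster" { c[$1] += $4 }
        END { for (m in seen) print m, c[m] + 0 }
    ' | sort | while read -r mgmt count; do
        echo "$mgmt $count $(license_status "$1" "$count")"
    done
}

cap=$(printf '%s\n' "$SAMPLE_LICENSES" | license_capacity)
printf '%s\n' "$SAMPLE_INVENTORY" | per_management_report "$cap"
```

With the constructed inventory, a single 5 gateway license covers cma-x (4 supported gateways) and cma-y (1, because the Edge objects are not counted) but not cma-z (6).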


  • Post install - Initial Scan

    • The initial full scan begins about 2-3 minutes after the first installation. You will get a notification in the Compliance Blade regarding the need to wait for the full scan to finish.
    • A full scan can take between 2 and 5 minutes. During this time, SmartDashboard should work as usual.
    • The Compliance tab will not display any information until the scan is finished. Once the full scan is finished, the user can access the information in the blade and should no longer see a "Full scan is in progress" message at the top of the Overview.
  • Resolution issues

    • I cannot see information, data is cut off, etc.: Under 1366x768, the data may be cut off. This is relevant only in the Overview. (You can overcome this issue by collapsing the side menu.)
    • Supported resolutions: Check Point supports 2 different thresholds of resolution: 1366x768 (laptop) and above. There is a slight difference in the Overview page.

      • 1366x768 - "Regulatory Compliance" widget displays only 3 regulations, and "Action Items and Messages" widget displays the actual records. Activate by using 3 buttons.

      • Above 1366x768 - "Regulatory Compliance" widget displays only 6 regulations, and "Action Items and Messages" widget displays all the data with no buttons. The data regarding the "Compliance Alerts & Messages" is a preview (contains short descriptions) and for the full details you need to access the menu items by the link.

  • Exclusions - Deactivating a Best Practice, or object within a Best Practice

    • Security Best Practice: If the customer has constraints that prevent him from configuring a Check Point Software Blade according to the recommendation, individual Security Best Practices can be excluded by clearing the "Active" field and entering the reason why it should be excluded and for which period of time.



      • What happens behind the scenes when we "deactivate" a Security Best Practice? Changes will take effect only after a "save" and full scan (either nightly, or manually executed by the user via the Settings screen). These effects are: the Action Item regarding this Best Practice disappears, statistics in the Overview should change accordingly, compliance of Regulations should change, as well.
      • How is the overall score recalculated? Each Security Best Practice gets a grade (percentage) and is given a status according to the thresholds.
        If the Security Best Practice is a Gateways / Profiles Best Practice, the grade is calculated as an average of the grades of each of its corresponding objects.
        If the Security Best Practice is a Global Properties Security Best Practice, the grade is calculated according to the Security Best Practice description. (It may be only "true/false", which is scored as "0/100", or there can be levels that decide the status according to the value tested.)
        Each Security Best Practice is assigned to one or more regulatory requirements.
      • When is it recalculated? Next full scan.
      • Expiration date for deactivation: Expiration date for deactivation can be set. The status of the Security Best Practice or object in Security Best Practice is not relevant in the calculation until the expiration date has passed. Again, the full scan will check the expiration dates and take this into account for the calculations.


    • Gateway

      • After excluding a gateway, do we need to actively perform a scan or is it automatic?
        You need to perform a scan. The gateway's status is calculated as the average of all the Security Best Practices running on this gateway. This means that Global Properties Security Best Practices are not included in the calculation. Security Best Practices that have been deactivated on a certain gateway are not included in the calculation either.


    • Regulation

      • Status of a requirement: Each Security Best Practice is assigned to one or more regulatory requirements. The status of a requirement is calculated as the average score of all the Security Best Practices assigned to this requirement. The score is a percentage and is translated into a status according to the same threshold logic.
      • How is the Regulation score impacted after a Security Best Practice is excluded? When does it change? After a Security Best Practice is deactivated (and full scan performed), the grade of the Regulation should be based on only the activated assigned Security Best Practices.
      • After excluding a gateway, do we need to actively perform a scan or is it automatic? After deactivating a gateway, a "save" and full scan is needed in order to recalculate all the Security Best Practice results. After this is done, the Regulation results will change, as well.
      • Are any processes being generated in the background? No processes are being generated. The system waits for the full scan.
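
To see how deactivating a test on one object moves gateway and requirement scores, here is an added shell model of the averaging rules described under Exclusions (not Check Point code). The result rows, test names and date format are constructed, and status thresholds are not modeled.

```shell
#!/bin/sh
# Added example: models the averaging rules described above. Not Check Point code.

# Constructed scan results:
#   "<best practice> <kind> <object> <grade %> <inactive until>"
# kind is "gateway" (per-object test) or "global" (Global Properties test).
# "-" in the last column means active; a date means deactivated until that date.
SAMPLE_RESULTS='FW-01 gateway gw-a 100 -
FW-01 gateway gw-b 50 -
FW-02 gateway gw-a 0 2030-01-01
FW-02 gateway gw-b 80 -
GP-01 global - 0 -'

# score <mode> <key> <scan date>, result rows on stdin.
#   bp          <name>        average grade of the test over its active objects
#   gateway     <object>      average of the active per-gateway tests on that gateway
#   requirement <bp1,bp2,..>  average of the grades of the assigned active tests
# Prints the percentage with one decimal, or "excluded" when nothing is active.
score() {
    awk -v mode="$1" -v key="$2" -v today="$3" '
        # A row counts when it was never deactivated or its expiration date has arrived.
        function active(until) { return until == "-" || today >= until }
        NF < 5 || !active($5) { next }
        { bsum[$1] += $4; bcnt[$1]++ }
        # Global Properties tests never contribute to a gateway score.
        $2 == "gateway" { gsum[$3] += $4; gcnt[$3]++ }
        END {
            if (mode == "bp") { s = bsum[key]; n = bcnt[key] }
            if (mode == "gateway") { s = gsum[key]; n = gcnt[key] }
            if (mode == "requirement") {
                k = split(key, want, ",")
                for (i = 1; i <= k; i++) {
                    b = want[i]
                    if (bcnt[b] > 0) { s += bsum[b] / bcnt[b]; n++ }
                }
            }
            if (n > 0) { printf "%.1f\n", s / n } else { print "excluded" }
        }
    '
}

# Compare a scan while the exclusion is in force with one on its expiration date.
for d in 2029-06-01 2030-01-01; do
    printf '%s gw-a=%s requirement=%s\n' "$d" \
        "$(printf '%s\n' "$SAMPLE_RESULTS" | score gateway gw-a "$d")" \
        "$(printf '%s\n' "$SAMPLE_RESULTS" | score requirement FW-01,FW-02,GP-01 "$d")"
done
```

With the constructed rows, the requirement scores 51.7 while the failing FW-02 result on gw-a is deactivated and 38.3 once the expiration date arrives, so the entries under 'Inactive Objects' are worth reviewing whenever a score is used as audit evidence.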
  • Action Items

    • When setting a date, is there a process being run in the background? No process is being run. The only effect of the due date is the distribution of the statistics in the 'Overview' > 'Action Item' pie chart.
    • Date format errors: Where is the date format taken from? The date and time are checked and compared with the server time.
    • Overdue: At what point is it considered overdue? End of day? Beginning of day? Date and time are entered. It is overdue based on time set. (This is server based time.)
      • How do the Action Items interact with the daily scan? Once a Security Best Practice becomes 100% secure, its corresponding Action Item should disappear from the chart and Action Items screen (in the menu).
      • And the mini-scan? Once a Security Best Practice becomes 100% secure, its corresponding Action Item should disappear from the chart and Action Items screen.
  • Save in Other Blades

    • When pressing Save, a mini-scan takes place. What is the process? How long should it take? What is normal and what is abnormal (in terms of time range)?
      A mini-scan recalculates the relevant Security Best Practice (relevant to the objects changed in the last save). This process should take up to 30 seconds. At the end of the process, the user is notified with Security alerts if any Security Best Practice statuses have gotten worse.
      Some actions will require a full scan (no mini scan will be executed after the save): Adding/removing gateway objects, adding/removing blades from gateways, deactivating Security Best Practice or Security Best Practice objects, IP Address changes in Profiles or Protections.
    • When is "post-save" information updated in the Overview and Security Best Practice windows? After the mini-scan (or full scan) is finished, the GUI and data are updated automatically.
    • Generation of Compliance Alerts - process involved? Part of the mini scan (see above).
    • How does Save add and remove Action Items based on the results? See "Action Items".
  • Report Generation

    • How is the data generated? Based on the results in the last scan (what is viewed in the system at that moment).
    • Format issues? No export to Word. A permissions issue may cause the generation of the report to fail.
    • Export to PDF issues? Some paging issues still exist.
    • Export to email client? No issues.
  • Excel Export

    • What happens when I export data to Excel? Process involved? The Excel Export is based on the results in the last scan (what is viewed in the system at that moment).
  • Gateway Favorites

    • Process when I select / choose my favorites? The favorite gateways are saved on the local machine. Each user has his own favorites.
  • Inactive Objects

    • When editing a comment / timeframe of an Exclusion, is there a process in the background that updates somewhere? Requires a full scan to take effect.
    • How does the software know when to cancel the exclusion (reached the due date)? Requires a full scan to take effect.
    • Deleting an Exclusion - Requires a full scan to take effect. See "Exclusions - Deactivating a Best Practice, or object within a Best Practice".
  • Install Policy

    • When performing Install Policy, are there any GRC processes running that impact performance? No process is running.
    • Cancelling the Security Alerts post-install policy: What is the process here? Upon install policy, the user can decide to view the compliance report, view the current Security alerts, or delete the current Security alerts. If deleting the Security alerts is chosen, the alerts are deleted from the DB. No special process.
  • Help File

    • If the help text is not loading, what is it being linked to? Standard SmartDashboard help. Not specific to Compliance Blade.
  • Scoring

    • Scoring errors: There should not be any.
  • "NA" Best Practices

    • When a Best Practice is displayed as "NA"
      NA score: Security Best Practice / Security Best Practice object may receive an "NA" status in the following situations:
      • The relevant blade of the Security Best Practice is not installed/purchased on the specific gateway.
      • The current Security Best Practice does not support the gateway version.
  • Conditional Best Practices

    • Dependent Best Practice: A Security Best Practice can be dependent on another Security Best Practice status. The current Security Best Practice will be tested only if the dependent Security Best Practice is above a specified threshold. If it is not above that threshold, the current Security Best Practice will be "NA".

 

Debugging

  • Rescan issues

    • Symptom: When trying to run rescan (from 'Compliance' tab > 'Settings' > 'Rescan'), the status changes to "pending ..." and rescan does not start after more than 20 seconds.

    • Troubleshooting and Debug:

      1. On the Security Management Server, make sure that there are no processes named "interpreter" (run ps -aux command to validate this)
      2. In GuiDBedit Tool:
        1. Go to 'Other' -> 'grc_test_elements'.
        2. Sort the table by the object name.
        3. Look for an object named "grc_interpreter" (there should be only one) and click on it.
        4. Look for the field_name "status".
        5. Right-click on that field and click "Reset".
        6. Save the changes: go to File menu - click on Save All.
        7. Close the GuiDBedit Tool.

      3. On the Security Management Server, run cpstop command.
      4. Edit the file /opt/CPPIgrc-R75.4X/bin/grc.conf: Set the value of debugMode to "1"
        Note: Starting from R77, edit the file $FWDIR/conf/grc.conf.
      5. Run cpstart command.
      6. Connect with SmartDashboard to Security Management Server / Domain Management Server.
      7. Go to 'Compliance' tab > 'Settings' > click 'Rescan'.
      8. Get the logs:
        • $FWDIR/log/fwm.elg.*
        • /opt/CPPIgrc-R75.4X/bin/grc_interpreter.elg*
          Note: Starting from R77, $FWDIR/log/grc_interpreter.elg*.
      9. In the $FWDIR/log/fwm.elg file, look for the string: "interpreter was requested to rerun".
        • If you find the string, look for additional information about the cause of the problem in the lines that follow it in the log.
        • Otherwise, if you instead see "no pending requests found", contact Check Point Support.
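
Steps 1 and 9 of the procedure above can be checked offline against collected files. The following is an added shell example, not Check Point tooling; the sample ps output and log lines are constructed, and only the two quoted marker strings come from this article.

```shell
#!/bin/sh
# Added example: offline triage for steps 1 and 9 of the procedure above.
# Not Check Point code. Sample files are constructed; real log lines will differ.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed stand-ins for $FWDIR/log/fwm.elg (only the marker strings are from the SK).
cat > "$SAMPLE_DIR/fwm_rerun.elg" <<'EOF'
[constructed] rescan request received
[constructed] interpreter was requested to rerun
[constructed] placeholder detail line 1
[constructed] placeholder detail line 2
[constructed] unrelated line
EOF
printf '%s\n' '[constructed] no pending requests found' > "$SAMPLE_DIR/fwm_idle.elg"

# Constructed "ps -aux" output with one leftover interpreter process.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
admin 4321 0.0 0.1 1000 500 ? S 10:00 0:00 /constructed/path/interpreter
admin 4400 0.0 0.1 1000 500 ? S 10:01 0:00 fwm'

# Step 1: count processes whose command contains "interpreter" (ps output on stdin).
interpreter_count() {
    awk 'NR > 1 {
             cmd = ""
             for (i = 11; i <= NF; i++) cmd = cmd " " $i
             if (cmd ~ /interpreter/) c++
         }
         END { print c + 0 }'
}

# Step 9: classify a fwm.elg file by the marker strings named in the procedure.
rescan_marker() {   # $1 = log file
    if grep -q 'interpreter was requested to rerun' "$1"; then
        echo rerun-requested
    elif grep -q 'no pending requests found' "$1"; then
        echo no-pending-requests
    else
        echo no-marker
    fi
}

# Print the most recent rerun marker plus the $2 lines that follow it,
# which is where the procedure says to look for the cause.
rerun_context() {   # $1 = log file, $2 = number of following lines
    awk -v n="$2" '
        /interpreter was requested to rerun/ { start = NR; buf = "" }
        start && NR <= start + n { buf = buf $0 "\n" }
        END { printf "%s", buf }
    ' "$1"
}

echo "leftover interpreter processes: $(printf '%s\n' "$SAMPLE_PS" | interpreter_count)"
echo "marker: $(rescan_marker "$SAMPLE_DIR/fwm_rerun.elg")"
rerun_context "$SAMPLE_DIR/fwm_rerun.elg" 2
```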

 

Important Notes

  • The Compliance blade supports VSX Gateways / VSX Clusters running R77.20 and above.
    By design, the "Security Best Practices" for "Gaia OS" are not checked on VSX Gateways / VSX Clusters.
Applies To:
  • 01751376 , 01751692 , 02330794 , 02299817
