Appendix A

In This Section:

Advanced ICS Enforcement Using Deep Packet Inspection

Configuration

Advanced ICS Enforcement Using Deep Packet Inspection

Deep Packet Inspection (DPI) is an advanced feature that can provide detailed logging, and enforce policy rules on functions and register values.

DPI Protocols

DPI works with these protocols:

DPI Categories

The ICS application (DPI) can enforce protection for these categories:

Prerequisites

DPI enforcement is limited to these Security Gateway versions:

| Type | Version | Comments |
| --- | --- | --- |
| Small and Medium Business Appliances (SMB) | R77.20.20 and higher | |
| Security Gateway | R77.30 | Requires CFG Jumbo Hotfix take 225 installation |

These management versions can enforce policy on ICS DPI enabled gateways:

| Version | Enforce DPI Policy | Comments |
| --- | --- | --- |
| R77.30 | V | Requires CFG Jumbo Hotfix take 225 installation. DPI application is available via SmartDashboard. |
| R80.10 | V | Requires Hotfix installation. DPI application is available via API. |
| R80.20 | V | DPI application is available via API. |

Known Limitations - DPI

DPI ICS applications are currently not supported on these platforms:

Example for DPI Log for Modbus

Write multiple registers:

Configuration

Gateway

Installing Small and Medium Business Appliances (SMB)

Note - DPI is not supported on locally managed appliances.

To install the appliance:

See sk114815 for the relevant Administration Guide.

Upgrade your appliance to the latest available firmware.

Note - If inspection on internal traffic is needed, refer to the instructions in sk102296.

Installing R77.30 Security Gateway

To install the R77.30 Security Gateway:

Refer to sk92449 for downloading and installation procedures.

  1. Download:
    • Check_Point_R77_30_JUMBO_HF_1_Bundle_T225_FULL.tgz
    • Check_Point_R77_30_JUMBO_SCADA_Bundle_FULL.tgz
  2. Install R77.30 Security Gateway (download from sk104859).
  3. Download and update the Deployment Agent.
  4. Install the Jumbo Hotfix.
  5. Install the SCADA Jumbo Hotfix.

Management

Installing R77.30 Management

  1. Install the R77.30 Security Management Server (download from sk104859).
  2. Install R77.30 add-on (download from sk105412).
  3. Download the Deployment Agent. Refer to “Download the latest build of the CPUSE Agent package” in sk92449.
  4. Update the Deployment Agent. Refer to “Manually install the CPUSE Agent package” in sk92449.
  5. Download: Check_Point_R77_30_JUMBO_HF_1_Bundle_T225_FULL.tgz
  6. Install the Jumbo Hotfix. Refer to “Import instructions for Offline procedure – Gaia Portal” in sk92449.
  7. Download: Check_Point_R77_30_JUMBO_SCADA_Bundle_FULL.tgz
  8. Install the ICS Jumbo Hotfix. Refer to “Import instructions for Offline procedure – Gaia Portal” in sk92449.
  9. If your management will manage SMB appliances:
    1. Download: sfwr77_cmp_HOTFIX_GEYSER_COMP_HF_104.tgz

      See sk116729.

    2. Run: tar -xzvf
    3. Run: ./

  10. Reboot.

Configuring DPI ICS application using SmartDashboard (for R77.30 Security Management):

Installing R80.10 Management

  1. Install the R80.10 Security Management Server (download from sk111841).
  2. Update the Deployment Agent.
  3. Install the latest Hotfix accumulator.

Installing R80.20 Management

Install R80.20 Security Management Server.

Configuring R80.10 Management and Higher for R77.30 Gateways

When you use an R80.10 Security Management Server for R77.30 Security Gateways, make sure you have separate layers in the policy:

For more information, see the Check Point R80.10 Next Generation Security Gateway Guide - Pre-R80.10 Gateways: To create a Layer for URL Filtering and Application Control.

Configuring ICS Applications Using the Management API in R80.10

R80 adds a new way to read information and to send commands to the Check Point Security Management Server. Previously, you could use SmartConsole to create objects and work on the security policy. You can now do this using command-line tools and through web services. For more information, see: https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20

To create an ICS application on R80.10 Security Management and higher, use one of these APIs:

Note - In the next section, we show examples using the mgmt_cli tool. The commands must run in expert mode.

Prerequisite to use the examples below:

SSH client

Add ICS Application

Description

Creates a new ICS application, which can be initialized with a protocol name and protocol properties.

Command

Syntax

mgmt_cli add scada-application

Parameters

| Parameter name | Value | Description |
| --- | --- | --- |
| name | String | Required (can use uid instead). Should be unique in the domain. |
| uid | String | Required (can use name instead). Object unique identifier. |
| protocol | {Modbus, CIP, IEC104, DNP3} | Required. Protocol name. Must be one of the protocols listed. |
| function | Integer | The function in the protocol you wish to use. See the full list of commands in the appendix. |
| unit | Integer or integer range | The unit that this application should apply to. |
| address | Integer or integer range | |
| value | Integer or integer range | |
| group | Integer or integer range | |

Examples

Create new ICS application for Modbus unit no.3

mgmt_cli add scada-application name my_ics_app1 scada-properties.0.key protocol scada-properties.0.value Modbus scada-properties.1.key unit scada-properties.1.value 3

Create new ICS application for CIP function, Set Attributes List (function no. 4)

mgmt_cli add scada-application name my_ics_app2 scada-properties.0.key protocol scada-properties.0.value CIP scada-properties.1.key function scada-properties.1.value 4

Create new ICS application for IEC104 address 5

mgmt_cli add scada-application name my_ics_app3 scada-properties.0.key protocol scada-properties.0.value IEC104 scada-properties.1.key address scada-properties.1.value 5
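The unit, function, address and value parameters above refer to fields of the request as it appears on the wire. The following added example (not Check Point code and not part of the original guide) parses a constructed Modbus/TCP Write Multiple Registers request and checks it against such properties. The helper names, the use of the standard Modbus function code 16, and the matching semantics are assumptions made for illustration.

```python
import struct

# Constructed sample: Modbus/TCP Write Multiple Registers (function 16) to
# unit 3, writing 10 to register 100 and 500 to register 101.
SAMPLE_FRAME = struct.pack(">HHHBBHHBHH", 1, 0, 11, 3, 16, 100, 2, 4, 10, 500)


def parse_write_multiple(frame):
    """Return unit, function and {address: value} for a function-16 request."""
    if len(frame) < 13:
        raise ValueError("truncated request")
    _tid, proto, length, unit, function = struct.unpack(">HHHBB", frame[:8])
    # The MBAP length field counts every byte after the length field itself.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    if function != 16:
        raise ValueError("not Write Multiple Registers")
    address, quantity, byte_count = struct.unpack(">HHB", frame[8:13])
    data = frame[13:]
    if not 1 <= quantity <= 123 or byte_count != 2 * quantity or len(data) != byte_count:
        raise ValueError("register count does not match payload")
    values = struct.unpack(">%dH" % quantity, data)
    return {"unit": unit, "function": function,
            "writes": {address + i: v for i, v in enumerate(values)}}


def in_range(number, spec):
    """spec: None (property not set), an integer, or an inclusive (low, high) tuple."""
    if spec is None:
        return True
    low, high = spec if isinstance(spec, tuple) else (spec, spec)
    return low <= number <= high


def matches(app, request):
    """Assumed semantics: every set property must match; address and value
    match when at least one written register satisfies both."""
    if not in_range(request["unit"], app.get("unit")):
        return False
    if not in_range(request["function"], app.get("function")):
        return False
    return any(in_range(addr, app.get("address")) and in_range(val, app.get("value"))
               for addr, val in request["writes"].items())


if __name__ == "__main__":
    request = parse_write_multiple(SAMPLE_FRAME)
    risky = {"unit": 3, "function": 16, "address": (100, 199), "value": (400, 65535)}
    print(request, matches(risky, request))
```

The length and byte-count checks reject frames whose header disagrees with the payload, so a malformed request is never matched against the properties at all.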

Show ICS Application

Description

Retrieves the list of existing objects, or the description of a specific application by application name.

Command

Syntax

mgmt_cli show scada-applications

Or

mgmt_cli show scada-application

Parameters

| Parameter name | Value | Description |
| --- | --- | --- |
| name | String | Required (can use uid instead). Object name. |
| uid | String | Required (can use name instead). Object unique identifier. |

Examples

Show all ICS applications

mgmt_cli show scada-applications

Show the specific ICS application named my_ics_app1

mgmt_cli show scada-application name my_ics_app1

Delete ICS Application

Description

Deletes an existing object using the object name or uid.

Command

Syntax

mgmt_cli delete scada-application

Parameters

| Parameter name | Value | Description |
| --- | --- | --- |
| name | String | Required (can use uid instead). Object name. |
| uid | String | Required (can use name instead). Object unique identifier. |

Examples

Delete ICS application named my_ics_app1

mgmt_cli delete scada-application name my_ics_app1

Edit ICS Application

Description

Edits an existing application using the object name or uid.

Command

Syntax

mgmt_cli set scada-application

Parameters

| Parameter name | Value | Description |
| --- | --- | --- |
| name | String | Required (can use uid instead). Object name. Should be unique in the domain. |
| uid | String | Required (can use name instead). Object unique identifier. |
| protocol | {Modbus, CIP, IEC104, DNP3} | Required. Protocol name. Must be one of the protocols from the list. |
| function | Integer or integer range | The unit that this application should apply to. |
| unit | Integer or integer range | |
| address | Integer or integer range | |
| value | Integer or integer range | |
| group | Integer or integer range | |

Examples

Edit ICS application named my_ics_app2

mgmt_cli set scada-application name my_ics_app2 scada-properties.0.key protocol scada-properties.0.value CIP scada-properties.1.key function scada-properties.1.value 16