Working with the Compliance Blade

In This Section:

The Overview Pane

Using the Compliance Blade with Multi-Domain Security Management

Searching, Grouping, Sorting

Working with Alerts and System Messages

Working with Security Gateways

The Overview pane shows the overall compliance status of your organization. Select the different branches in the navigation tree to see more details.

To work with the Compliance Blade in SmartDashboard, go to the Compliance tab in SmartDashboard.

To work with the Compliance Blade in Multi-Domain Security Management, go to the Compliance tab in SmartDomain Manager (R77.20 and Higher).

The Overview Pane

The Overview pane shows:

| Element | What can I do here? |
| --- | --- |
| Security Best Practices Compliance | See the compliance distribution by Security Best Practice status |
| Security Status by Gateways | See compliance scores for selected Security Gateways |
| Security Status by Blade | See compliance scores and Security Best Practices by blade |
| Regulatory Compliance | See a summary of compliance with different regulations |
| Action Items and Messages | See action items, compliance alerts, and system messages |

Security Best Practices Compliance

The Compliance Blade uses Security Best Practices to make sure that Security Policy rules comply with Check Point configuration or policy recommendations. Each Security Best Practice contains criteria that match specified parameters in Security Policy rules or configuration settings.

The Compliance Blade includes many predefined Security Best Practices. In versions R77.20 and higher you can define your own custom Security Best Practices.

The Compliance Blade calculates a numeric score for each Security Best Practice, which is the average of the results for each object examined. Scores can show for the organization, Security Gateways, Software Blades, and regulations.

This is the Compliance Blade scoring system:

| Category | Score |
| --- | --- |
| Low | 0 - 50 |
| Medium | 51 - 75 |
| High | 76 - 99 |
| Secure | 100 |
| N/A | Not Applicable |

A category can show N/A scores if:

  • The Software Blade is not installed on the Security Management Server
  • The Security Gateway does not support the examined feature
  • You created a new Security Best Practice, but did not do a manual scan.
  • A Security Best Practice is not activated for your organization
  • A Security Best Practice cannot run because it is dependent on another Security Best Practice with a non-compliant status

Many Security Best Practices are binary: compliant or not.

  • Low = 0
  • Secure = 100

Other Security Best Practices calculate a score based on the degree of security compliance.

Security Gateways

This SmartDashboard pane shows Security Gateways and Security Gateway Clusters with the highest compliance scores, lowest compliance scores, or a predefined set of Favorites.

  • To see the Security Best Practice results for a Security Gateway, select it. The Gateways pane for the selected gateway opens.
  • To see the results for all gateways, click See All Gateways. The All Gateways window opens.

Domains

Note - This feature is supported in release R77.20 and higher.

This SmartDomain Manager pane shows Domains with the highest compliance scores, lowest compliance scores or a predefined set of Favorites.

To see the security status for all Domains, click See all Domains.

Blades

This pane shows the average scores for the five Software Blades with the most Security Best Practices. The results show in descending order by the number of Security Best Practices. To see Security Best Practice results for one Software Blade, click that blade. The Security Best Practices pane opens.

To see the results for all Software Blades, click More Details. The Security Best Practices pane opens. Group the results by Blade.

Regulatory Compliance

The Compliance Blade includes many predefined governmental and industry standards right out of the box. In release R77.20 and higher, you can also define Regulations and Regulatory standards. This functionality is useful to manage organizational or local regulatory agency requirements.

The Regulatory Compliance pane shows compliance statistics for selected regulatory standards, based on the Security Best Practice scan. This pane shows:

  • The total number of Regulatory Requirements that are monitored
  • The number of Regulatory Requirements for each Regulation
  • The average compliance score for each regulation shown

The number of regulatory standards shown is based on your screen resolution.

To select the regulatory standards to show:

  1. Click the configuration icon in the top right corner of the pane.
  2. In the Select Regulations and Standards window, select the standards to show in the Overview.

    Note - If a regulatory standard is not selected in the Settings window, it does not show in this widget.

To see the compliance score for all Regulatory Requirements, click See all Regulations. The All Regulatory Requirements window opens.

To see details of a standard, click the name of the standard in the Overview pane or in the All Regulatory Requirements window. The Regulatory Requirements pane for the selected standard opens.

Creating a User-Defined Security Best Practice

Note - This feature is supported in release R77.20 and higher.

You can define your own, custom Security Best Practices based on organizational security requirements. This release supports user-defined Security Best Practices only for Firewall rules. You define user-defined Security Best Practices in the SmartDashboard Compliance tab.

To define a new Security Best Practice:

  1. In the Compliance tab > Security Best Practices pane, click New.
  2. In the Best Practice Definition window, enter informational text in these fields:
    • Name and Description for this Best Practice.
    • Name and Description for the non-compliance Action Item generated by this best practice.

    Note: In this version, you cannot change the Relevant Blade option. It is automatically set to FW.

  3. In the Best Practice Rule Definition table, enter rule matching criteria in the table cells. Each cell matches one related field or parameter in Security Policy rules. A Security Best Practice match occurs when all table cells match one or more rules in the Rule Base (Logical AND).
    • Hit Count - Select a Hit Count level. A match occurs when the Hit Count for a rule is equal to or exceeds the specified Hit Count level.
    • Name - Select one of these match types:
      • Any - Matches all rules (default).
      • Blank - Matches all rules that do not have a name (null value).
      • Exact - Enter a text string. A match occurs when the rule name is the same as the specified string.
      • Starts with - Enter a text string. A match occurs when the rule name starts with the specified string (case sensitive).
      • Ends with - Enter a text string. A match occurs when the rule name ends with the specified string (case sensitive).
      • Contains - Enter one or more text strings. A match occurs when a rule name contains the specified strings in the order you enter them (case sensitive).
    • Source - Select one or more source objects. A match occurs when at least one of the specified objects is included in the Source field of a rule.
    • Destination - Select one or more destination objects. A match occurs when at least one of the specified objects is included in the Destination field of the rule.
    • VPN - Select one or more VPN communities. A match occurs when at least one of the specified VPN communities is included in a rule.
    • Service - Select one or more services. A match occurs when at least one of the specified services is included in a rule.
    • Action - Select one or more actions. A match occurs when at least one of the specified actions is included in a rule.
    • Track - Select one or more tracking options. A match occurs when at least one of the specified tracking options is included in a rule.
    • Install on - Select one or more Gateway, Cluster, or group objects. A match occurs when at least one of the specified objects is included in the Install on field of a rule.
    • Time - Select a time option that defines when the system enforces a rule. A match occurs when at least one specified time option is included in a rule.
    • Comments - Select a match type:
      • Any - Matches all rules (default).
      • Blank - Matches all rules that do not contain text in the Comment field (null value).
      • Exact - Enter a text string. A match occurs when the Comment field in a rule is the same as the specified string.
      • Starts with - Enter a text string. A match occurs when the Comment field in a rule starts with the specified string (case sensitive).
      • Ends with - Enter a text string. A match occurs when the Comment field in a rule ends with the specified string (case sensitive).
      • Contains - Enter one or more text strings. A match occurs when the Comment field in a rule contains the specified strings in the order you enter them (case sensitive).
    • Negate Cell - Right-click a cell to match all objects except the specified objects. This feature is not available for the Name and Comment cells.

      Note: If you use the Negate Cell option on a cell that contains the Any object, no match can occur. This is the same as a blank cell.

  4. Optional: Click Advanced Settings to define these advanced scope parameters:
    • Policy Range - Define the part of the Rule Base to scan for matches. There are two parameters:
      • Top or Bottom - Scan the top or bottom part of the Rule Base
      • Percentage - The percentage of the Rule Base to scan.

      For example, select Bottom 30% to scan 30% of the Rule Base starting from the bottom (last rule in the Rule Base).

    • Last Hit Date greater than - Select to include only rules that have at least one hit on or after the specified time period. Select the number of time periods and the type of period.

      For example, select 2 Months to include only rules that have at least one hit during the last two months.

  5. Define how Compliance Blade creates a violation (Action Item) when a Security Best Practice matches a rule.
    • Rule found - A violation can occur when a rule matches the Security Best Practice (Default).
    • Rule not found - A violation can occur when no rules match the Security Best Practice.
    • Tolerance - A violation occurs when there are more than the specified number of matches (Default = 0). For example, if the tolerance is set to 0, the Compliance Blade creates a violation when the first match occurs. If the tolerance is set to 3, the Compliance Blade creates a violation when the fourth match occurs.

      Note: The tolerance option applies only to the Rule found option.

  6. Define when the Rule Index (Rule number) shows in the Relevant Objects pane.

    You can configure custom Security Best Practices to show the Rule in specified circumstances. This lets you easily see which rules cause or prevent violations.

    • Display rules that match - Shows Rules that match the specified criteria in a Security Best Practice.
    • Display rules that don't match - Shows Rules that do not match the specified criteria in a Security Best Practice.
    • Don't display rules - Does not show the Rule.
  7. Click Save.

To see the status of your Security Best Practice, click Preview. This feature runs the new Security Best Practice and shows the results in a window.
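The matching and violation logic from the procedure above, modeled in Python as an added example (it is not Check Point code and not part of the original guide). The dictionary keys, the sample rule base and its object names are constructed, object cells use literal set inclusion, and the Policy Range percentage is assumed to round up; Hit Count, Negate Cell and the other cells are left out.

```python
# Simplified model of the steps above, not Check Point code; keys, names and rounding are assumptions.
import math

def in_order(strings, value):  # Contains: strings appear in the order entered
    pos = 0
    for s in strings:
        pos = value.find(s, pos)
        if pos < 0:
            return False
        pos += len(s)
    return True

NAME_MATCH = {  # Name cell match types (str methods are case sensitive)
    "any": lambda t, v: True,
    "blank": lambda t, v: not v,
    "exact": lambda t, v: v == t,
    "starts": lambda t, v: v.startswith(t),
    "ends": lambda t, v: v.endswith(t),
    "contains": in_order,
}
FIELDS = ("name", "source", "destination", "service", "action", "track")

def rule_matches(bp, rule):
    """Every configured cell must match the rule (logical AND)."""
    kind, text = bp.get("name", ("any", None))
    if not NAME_MATCH[kind](text, rule["name"]):
        return False
    # Object cell: at least one specified object appears in the rule field.
    return all(bp[c] & rule[c] for c in FIELDS[1:] if c in bp)

def evaluate(bp, rule_base):
    """Return (violation, matching rule numbers) for one Best Practice."""
    side, pct = bp.get("range", ("top", 100))
    n = len(rule_base)
    k = math.ceil(n * pct / 100)  # assumption: a partial rule rounds up
    scan = range(n - k, n) if side == "bottom" else range(k)
    hits = [i + 1 for i in scan if rule_matches(bp, rule_base[i])]
    if bp.get("mode", "found") == "not_found":
        return (not hits, hits)  # Rule not found: violation when nothing matches
    return (len(hits) > bp.get("tolerance", 0), hits)  # Rule found + Tolerance

RULE_BASE = [dict(zip(FIELDS, r)) for r in [  # constructed sample policy
    ("Web out", {"Internal"}, {"Any"}, {"http", "https"}, {"accept"}, {"none"}),
    ("", {"Any"}, {"DMZ"}, {"Any"}, {"accept"}, {"none"}),
    ("Legacy FTP temp", {"Internal"}, {"Partner"}, {"ftp"}, {"accept"}, {"log"}),
    ("Cleanup rule", {"Any"}, {"Any"}, {"Any"}, {"drop"}, {"log"}),
]]
UNLOGGED = {"action": {"accept"}, "track": {"none"}}
CLEANUP = {"name": ("starts", "Cleanup"), "action": {"drop"},
           "range": ("bottom", 25), "mode": "not_found"}
```

UNLOGGED flags accept rules with no tracking and raises a violation on the first match; CLEANUP raises one only when the bottom 25% of the Rule Base has no drop rule whose name starts with "Cleanup".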

To change an existing, user-defined Security Best Practice:

  1. In the Compliance tab > Security Best Practices pane, double-click a user-defined Security Best Practice.
  2. In the Best Practice Definition window, change the parameters and settings as shown in the above procedure.
  3. Click Save.

Messages and Action Items (SmartDashboard)

This pane shows the updated status of pending action items for your organization.

  • Overdue - Action items that are overdue.
  • Upcoming - Action items with due dates in the next 30 days.
  • Future - Action items with due dates of more than 30 days.
  • Unscheduled - Action items without defined due dates.

Note: We recommend that you resolve overdue action items immediately.

If you have a high resolution screen, the Alert and System messages show in the bottom section of the pane. Use the arrows to scroll through the messages.

If you have a low resolution screen, two buttons show in the bottom section of the pane.

  • To see alert messages, click Security Alerts. They open in the Overview pane.
  • To see messages about the Compliance Blade, click System Messages. They open in the Overview pane.

Using the Compliance Blade with Multi-Domain Security Management

Note - This feature is supported in release R77.20 and higher.

The Compliance Blade supports Multi-Domain Security Management Domains and is included as a tab in SmartDomain Manager. You can do these activities directly in SmartDomain Manager:

  • See and work with regulatory compliance status for each Domain. This is almost the same as working with Security Gateways in SmartDashboard.
  • Generate reports that show regulatory compliance for each Domain.
  • Enable and disable Regulations individually for each Domain.
  • Create user-defined Regulations and Regulatory Requirements.

    Note: In a Multi-Domain Security Management environment, you must use SmartDomain Manager to do this. You cannot create user-defined regulations with SmartDashboard.

  • Copy, import and export User-defined Regulatory Requirements.
  • Activate and deactivate Security Best Practices individually for each Domain.

You must do these activities in the Domain SmartDashboard:

  • Create, delete or change user-defined Security Best Practices.
  • Work with messages and action items.

Searching, Grouping, Sorting

The Compliance Blade lets you search for text strings in many windows and panes. To search for a text string, enter the string in the search field at the top of the window or pane.

To search for values in a field, enter: field_name:string

To combine results into groups, select Blade or Status in the Grouping field.

To sort the results by values in a field, click that field header.

Working with Alerts and System Messages

You use the Security Alerts and System Message pane to see Security Alerts generated when a configuration change causes compliance status degradation. You can also see messages that are automatically generated by the Compliance Blade.

To see the details of a system message, double-click it. The Security Alert Details window opens.

Working with Security Gateways

The Gateways pane shows compliance details for each Security Gateway, VSX Virtual System or cluster in your environment. Here you can see the results of each Security Best Practice related to the selected Security Gateway.

To work with Security Gateways:

  1. Select the Gateways pane from the tree.
  2. Select a Security Gateway or cluster.

    The Gateway pane opens.

The top table shows the result of all Security Best Practices for the selected gateway:

  • Software Blade
  • ID - Compliance Blade ID assigned to the Security Best Practice.
  • Name - Security Best Practice name and brief description.
  • Status - Low, Medium, High, Secure, or N/A.

The bottom section shows one or more of these items:

  • Description - What the Best Practice looks for.
  • Action Item - Steps necessary to become secure.
  • Dependency - The selected Security Best Practice is dependent on a different Security Best Practice. If the result of this other Security Best Practice is not secure, the selected Security Best Practice does not run.
  • Relevant Objects - Objects related to the selected Security Best Practice and their status. (Shows when the selected Security Best Practice applies to specified objects.)
  • Relevant Regulatory Requirements - List of all regulatory standards that include the Security Best Practice that generated the selected action item.
 
©2014 Check Point Software Technologies Ltd. All rights reserved.