Compliance Action Rules
Many of the Compliance Policy actions contain Action Rules that include these components:
- Check Objects (Checks) - Check objects define the actual file, process, value, or condition that the Compliance component looks for.
- One of these Action options - What happens when a computer violates the rule:

| Action | Definition |
|---|---|
| Observe | Logs endpoint activity without further action. Users do not know that they are non-compliant. Non-compliant endpoints show in the Observe state in the Reporting tab. |
| Warn | Alerts the user about non-compliance and automatically does the specified Remediation steps. Sends a log entry to the administrator. |
| Restrict | Alerts the user about non-compliance and automatically does the specified Remediation steps. Sends a log entry to the administrator. Changes applicable policies to the restricted state after a pre-defined number of heartbeats (default = 5). Before this happens, the user is in the "about to be restricted" state. On the monitoring tab, the user is shown as pre-restricted. |

- One or more Remediation objects - A Remediation object runs a specified application or script to make the endpoint computer compliant. It can also send alert messages to users.
The Compliance component runs the rules. If it finds violations, it runs the steps for Remediation and does the Action in the rule.
Some Action Rules are included by default. You can add more rules for your environment.
Basic Workflow for defining additional compliance rules:
- Click Policy > Access & Compliance > Compliance > Compliance Rulebase.
- Click New Above or New Below to create new Action Rules as necessary:
  - In the Name field, enter the Action rule name.
  - Click Check to add Check objects to the Action Compliance Check Objects.
  - Select an Action from the list.
  - Click the Remediation tab to add Remediation objects to the Compliance Remediation Objects. If the selected Action is Observe, the rule does not require a Remediation object.
  - Optional: In the Comment field, enter a comment for the Action rule.
- Do these steps again to create additional Action rules as necessary.