Introduction

R82 Security Checkup Blink Image

A Check Point Security Checkup report is a comprehensive security analysis report based on data within your organization. It automatically integrates security events from different Software Blades: Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, Zero Phishing ,DLP and Threat Emulation.

The Security Checkup Report accentuates Check Point Added Value, exposing security risks and suggesting remediation. When a Check Point Security Gateway runs in a PoC environment, inline or Mirror Port, we gain an insight into the activity on the network and will generate logs and security events for the activated Software Blades.

The report gives a comprehensive security analysis that summarizes security events, their risks, and their remediation actions. Therefore, the information offered by the Security Checkup together with the in-house security processes and new enforcement requirements provide the first step for improving the security architecture of any kind of organization.

Further information can be found here.

The goal of Security Checkup - Blink Image is to make the setup process fast and easy for Check Point’s partners and security engineers. This Blink image allows users fast and easy deployment of cleanly installed Check Point Security Gateways and Management or standalone. Upon completion of the deployment process, user gets a cleanly installed server (with completed First Time Configuration Wizard), desired Hotfixes, activated blades, pre-configured environment for checkup purposes and updated signatures for Software Blade installed.

  • Shows the value of Check Point’s security strategy and the benefits provided by the Software Defined Protection Architecture.

  • Visualizes incidents that happen in customer networks, and gives practical recommendations.

  • Empowers you with knowledge of new security risks, and improves network security.

  • Gives an executive summary for discussion with management.

  • Gives detailed results for in-depth discussions with technical points of contact.

  • Out-of-the-box reports speed information delivery and accelerate the sales processes.

  • Supports customization for specialized reports focused on customer challenges.

  • Fast & Easy appliance setup.

  • Preconfigured environment for Security Checkup purposes.

  • Most updated Checkup reports and views.

Notes

  1. Monitor mode does not allow us to change the traffic (we receive only duplication of the packets); therefor everything that is actively change traffic won’t work, as:

    1. HTTPS Inspection

    2. Proxy

  2. Monitor mode does support the following:

    1. Stateless inspection

    2. Passive inspection

    3. Show our system for POC without risking the traffic

    Learn more via sk101670

  3. Monitoring traffic when working with VLANs:

    SPAN (local or remote) allows you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. You can create a SPAN session as Receive (Rx), Transmit (Tx) or Both. Make sure you do “Both”. SPAN does not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or lost packets. The default configuration on Cisco for local SPAN session ports is to send all packets untagged. We can’t read tagged packets, so make sure the router/switch removes tags (if not Cisco). We don’t support the use of a trunk interface used as a source port for the SPAN port.

  4. If you don’t have Internet connection URL Filtering, Anti-bot, Cloud Threat Emulation won’t work.

  5. If you are using NAT Devices, Proxies (without x-forward-for header), Terminal Server, DNS Server, AD Controller etc. You will only see this device in the logs and not the Users/Servers behind.

Best Practice

  1. Please make sure to monitor the Wireless VLAN for mobile security checkup.

  2. If you want to use Threat Emulation, it is highly recommended to use the cloud emulation since it offers the most-updated detection capabilities and the highest amount of processing resources; nevertheless a local emulation is available via our Sandblast Appliances.

  3. If you have customer expecting many logs, it is recommended to have at least 16Gb of RAM on the Appliance (Note: most of the time SmartEvent have to start queries over millions of logs and the Appliance start to swap if you don`t have enough RAM. Resulting in poor end user experience during SmartEvent queries).

  4. Please review sk93000 for SMT (HyperThreading) feature for supported appliances & configuration.

  5. It’s recommended to install the latest jumbo hotfix accumulator.

  6. Create a snapshot on disk, after building and testing the appliance and before generating logs. You can use this snapshot for future check-ups.
For any question, please contact sc@checkpoint.com