Introduction
R82 Security Checkup - Quick Setup
Security Checkup takes Check Point’s PoCs to the next level. The tool generates a comprehensive security analysis report based on data within your organization.
It automatically integrates security events from different Software Blades: Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, Zero Phishing, DLP and Threat Emulation.
The report provides a comprehensive security analysis that summarizes security events found, their potential risk and recommendations to remediate these risks.
Therefore, the information offered by the Security Checkup, together with the in-house security processes and new enforcement requirements, provides the first step for improving the security architecture of any kind of organization.
Gaia Quick Standalone Setup is suitable for quick deployment of pre-configured settings on Check Point appliances.
You can use it in production environments, for Security Checkup analysis, and for demos.
Quick Standalone Setup configures appliances as Check Point Standalone (Security Management Server and Security Gateway), with selected Software Blades pre-configured, and in Monitor Mode or in Bridge Mode.
Further information can be found here.
Important: This method is supported only on Check Point appliances in a standalone deployment and is not supported on open servers.
- Shows the value of Check Point’s security strategy and the benefits provided by the Software Defined Protection Architecture.
- Visualizes incidents that happen in customer networks, and gives practical recommendations.
- Empowers you with knowledge of new security risks, and improves network security.
- Gives an executive summary for discussion with management.
- Gives detailed results for in-depth discussions with technical points of contact.
- Out-of-the-box reports speed information delivery and accelerate the sales processes.
- No risk to the network environment (Mirror Port used).
- Fast & Easy appliance setup.
- A user-friendly, web-based setup, ensuring a seamless and intuitive experience.
- Most updated Checkup reports and views.
Notes
- Monitor mode does not allow us to change the traffic (we receive only a duplicate of the packets); therefore, anything that actively changes traffic won’t work, such as:
  - HTTPS Inspection
  - Proxy
- Monitor mode does support the following:
  - Stateless inspection
  - Passive inspection
  - Show our system for POC without risking the traffic

  Learn more via sk101670
- Monitoring traffic when working with VLANs:
  SPAN (local or remote) allows you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. You can create a SPAN session as Receive (Rx), Transmit (Tx) or Both. Make sure you select “Both”. SPAN does not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 10 Mb/s port monitoring a 100 Mb/s port, can result in dropped or lost packets. The default configuration on Cisco for local SPAN session ports is to send all packets untagged. We can’t read tagged packets, so make sure the router/switch removes tags (if not Cisco). We don’t support the use of a trunk interface as a source port for the SPAN port.
- If you don’t have an Internet connection, URL Filtering, Anti-Bot, and Cloud Threat Emulation won’t work.
- If you are using NAT devices, proxies (without the X-Forwarded-For header), Terminal Servers, DNS Servers, AD Controllers, etc., you will only see this device in the logs and not the users/servers behind it.
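An added example (not from Check Point's documentation) for checking the SPAN requirements in the notes above: it reads a classic pcap capture taken on the monitor interface and counts frames that still carry a VLAN tag, plus IPv4 address pairs seen in only one direction, which can indicate an Rx-only or Tx-only session. The function names and the sample capture are constructed for illustration.

```python
import struct

TAG_TYPES = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag EtherTypes

def read_pcap(data):
    """Yield raw Ethernet frames from a classic libpcap file held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        yield data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen

def audit_mirror_capture(data):
    """Count tagged frames and IPv4 address pairs seen in one direction only."""
    total = tagged = 0
    pairs = set()
    for frame in read_pcap(data):
        if len(frame) < 14:
            continue
        total += 1
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype in TAG_TYPES:
            tagged += 1  # the switch did not strip the VLAN tag
        elif ethertype == 0x0800 and len(frame) >= 34:
            pairs.add((frame[26:30], frame[30:34]))  # IPv4 source, destination
    one_way = [p for p in pairs if (p[1], p[0]) not in pairs]
    return {"frames": total, "tagged": tagged, "one_way_pairs": len(one_way)}

# --- constructed sample capture (not real traffic) ---
def _frame(src, dst, vlan=None):
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    ipv4 = b"\x45" + bytes(11) + bytes(src) + bytes(dst)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ipv4

def build_sample_pcap():
    frames = [
        _frame((10, 0, 0, 5), (10, 0, 0, 9)),             # request
        _frame((10, 0, 0, 9), (10, 0, 0, 5)),             # reply: both directions seen
        _frame((10, 0, 0, 7), (192, 0, 2, 1)),            # only one direction seen
        _frame((10, 0, 20, 4), (192, 0, 2, 1), vlan=20),  # still carries a tag
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(audit_mirror_capture(build_sample_pcap()))
```

One-way pairs also occur in normal traffic (broadcast, multicast, unanswered probes), so treat a high count as a prompt to recheck the SPAN direction rather than as proof.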
Best Practice
- Please make sure to monitor the Wireless VLAN for mobile security checkup.
- If you want to use Threat Emulation, it is highly recommended to use the cloud emulation, since it offers the most up-to-date detection capabilities and the highest amount of processing resources; nevertheless, local emulation is available via our SandBlast Appliances.
- If you have a customer expecting many logs, it is recommended to have at least 16 GB of RAM on the appliance (Note: most of the time SmartEvent has to run queries over millions of logs, and the appliance starts to swap if you don't have enough RAM, resulting in a poor end-user experience during SmartEvent queries).
- Please review sk93000 for the SMT (HyperThreading) feature for supported appliances and configuration.
- It’s recommended to install the latest Jumbo Hotfix Accumulator. For reference, use JHF for version R82.
- Create a snapshot on disk after building and testing the appliance and before generating logs. You can use this snapshot for future check-ups.
