Check Point – Remote Auditing

 

Remotely auditing Check Point R80 devices with Nipper

 

Note: The Raw Tracking Change audit can be inaccurate because Check Point R80 uses SIDs and UIDs that can change after every audit.

 

Requirements: Check Point Smart Console

Before remotely auditing the Check Point device you must enable the Management API access settings.

 

To enable Management API access settings:

 

  1. Open Check Point Smart Console

  2. Navigate to the Manage & Settings page

  3. Select the Blades tab

  4. Navigate to Management API and select Advanced Settings

  5. Select Automatic Start

  6. Choose between the 3 options available in the Access Settings, based on how you prefer to allow Nipper to obtain a configuration from this device.

  7. Now that the Management API is accessible, open Nipper and select New Report. When prompted with the New Report window, select Add Network

  8. An Add Remote Config window should appear. Select Check Point as the Name and R80 as the Version for the Device Type. The Device Details should contain the IP Address/Hostname, Username, and Password of your Check Point device.

  9. Click Add once the Add Remote Config window has been populated with the correct details.

  10. Next, a dialog box will appear displaying details on Nipper retrieving a configuration from the Check Point device. After successfully retrieving the configuration from the Check Point device, the device should now appear in the New Report window. Click Next to proceed to the Reporting Options tab.

  11. Select the types of audits to run against the Check Point configuration and then click Next.

  12. After selecting the audit types, a Policy Collection Audit Selection window should appear. Select the policies which need to be included in this audit and then click Next.

  13. After selecting the policies to audit, a Device Audit Selection window may appear if the management gateway manages any other devices. Select the devices that should be included in the audit alongside the main management gateway and then click Next.

  14. Finally, a window displaying the audit progress should appear followed by the full audit report of the Check Point device.


Remotely auditing Check Point Legacy devices with Nipper

 

Purpose: To explain how to audit a Check Point device remotely using Nipper.

Scope: This method works with all Check Point devices and with a Check Point management system. We describe how to set up your device using Check Point SmartDashboard, which is the recommended method. At the time of writing, this functionality is supported in Nipper for Windows and CentOS, with further Linux distributions receiving support shortly. Mac is not presently supported.

Additional software required: Check Point SmartDashboard (https://www.checkpoint.com/)


Configure your Check Point device(s)

Before you can retrieve the Check Point device configuration, you will need to make some changes to your Check Point device in order to allow Nipper to connect to it.

You will need to have Check Point SmartDashboard installed on your workstation.

  1. Log in to the device (or Management System) that you want to audit using Check Point SmartDashboard and then click the Firewall tab.

  2. On the left hand pane of SmartDashboard select the Servers and OPSEC Applications tab – see below.

  3. Right-click on OPSEC Applications then select New > OPSEC Application… Doing so will display the following OPSEC Application Properties screen.

  1. Name can be whatever you choose. We used Nipper_Studio (note the lack of space; object names cannot contain spaces).

  2. Add a Comment if you wish – this may make it easier while auditing as the OPSEC application just creates an object on the firewall.

  3. The Host must be the IP address of the workstation on which Nipper is installed and from which you run your audits. If you have already defined such a host, it will appear in the drop down menu; otherwise you will need to create a new one now using the New… button, which will bring up the following screen:


  1. Enter the relevant details as indicated.

  2. Returning to the OPSEC Application Properties dialogue box, you will now have details for Name, Host and optionally Comment and Color. Vendor should be left as User defined.

  3. In Client Entities, check CPMI; do not click OK yet.


 

Initialize trust relationship

  1. Click on the Communication button, as below:

  2. This will bring up the following dialogue:

  3. What we are doing here is creating the certificate used to authenticate the trust relationship. Enter and confirm the One-time password – you will need to remember this password.

  4. Once you have done this, press the Initialize button. You will see the Trust state change to Initialized but trust not established, as below:

  5. You can now close this dialogue, then click OK on the OPSEC Application Properties screen. Save the changes you have made by clicking the disk icon on the SmartDashboard toolbar.

  6. You have now completed the work you need to do on your Check Point device. The new OPSEC Application object will be visible in the left hand pane.

 

Establish trust relationship

  1. Return to your Nipper computer and run Nipper.

  2. Go to New Report, and from the New Report dialogue, select Add Network:

  3. This will bring up the following Add Remote Config window:

  4. From the Name dropdown box select Check Point, and from the Version dropdown box select Legacy. This will alter the Add Remote Config window as follows:

  5. On the Device drop down box, select New… (Successfully added devices will appear here when you return to this screen later).

  6. Add the Host Address of the Check Point device and its Username and Password.

  7. Then click on Get Certificate. You will be prompted to enter the Application Object Name and your One-Time Password, as set above.

  8. This will establish the trust relationship. This need only be done once per host machine.

 

Remotely retrieve and audit device(s) configuration

  1. Leave the port as default and click Add. The following progress dialogue will be displayed:

  2. Once complete, a success message will be displayed and the configuration will be imported as follows:

  3. Your Check Point configuration will be imported into Nipper and the audit will begin.

 

Check Point configuration retrieval via the CLI

Please also see the Nipper CLI Guide, if required.

You can also use the CLI to establish the trust relationship and to connect to your Check Point firewall and retrieve its configuration.

To do so, specify a remote device using the --remote-device parameter, which takes the IP address of your Check Point firewall as its argument.

You will then need to add the following options: --checkpoint, which specifies that this is a remote Check Point device; --username, the administrative username for the device; --password, the corresponding password; and finally --objectname, the name of the OPSEC application object you specified when setting up the Check Point firewall.

If you have yet to get the certificate from the device you will be prompted to continue, and then to enter the one-time password, otherwise Nipper will carry on and retrieve the configuration.

You can add further arguments to the command line as normal and Nipper will process them. Assuming the configuration was retrieved successfully, the Check Point device is then treated like any other device specified on the command line.

The below images demonstrate using the command line on Windows. For Linux, the commands and options are the same.
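The CLI procedure described above, as an added example that is not part of the original page and is not Nipper's or Check Point's own code: a POSIX shell wrapper that validates the three values the command needs, reads the password from an environment variable rather than the typed command line, logs the invocation with the password masked, and passes any extra options through to Nipper unchanged. The option spellings are the ones given above and should be confirmed against the Nipper CLI Guide for your version; NIPPER_BIN and NIPPER_PASSWORD are names assumed for this wrapper only.

```shell
#!/bin/sh
# Added example (not Nipper's or Check Point's own code): a small wrapper around
# the Nipper CLI invocation described on this page. Option spellings follow the
# page (--remote-device, --checkpoint, --username, --password, --objectname);
# confirm them against the Nipper CLI Guide for your version. NIPPER_BIN and
# NIPPER_PASSWORD are hypothetical names used only by this wrapper.

# Validate the three values the page says the command needs.
# $1 = firewall IP address, $2 = administrative username, $3 = OPSEC object name.
validate_checkpoint_target() {
    case "$1" in
        *[!0-9.]*|"") echo "remote device must be an IPv4 address, got '$1'" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "administrative username is required" >&2; return 1; }
    # Object names cannot contain spaces (see the OPSEC Application step above).
    case "$3" in
        "")    echo "OPSEC object name is required" >&2; return 1 ;;
        *" "*) echo "OPSEC object name must not contain spaces" >&2; return 1 ;;
    esac
    # The password comes from the environment so it is not typed into shell history.
    [ -n "${NIPPER_PASSWORD:-}" ] || { echo "set NIPPER_PASSWORD before running" >&2; return 1; }
}

# The command line that will be run, with the password masked, for the audit log.
nipper_checkpoint_cmdline() {
    printf '%s --remote-device=%s --checkpoint --username=%s --password=******** --objectname=%s\n' \
        "${NIPPER_BIN:-nipper}" "$1" "$2" "$3"
}

# Run the remote audit. Arguments after the first three are passed to Nipper
# unchanged, as the page describes for additional command-line options.
audit_checkpoint() {
    ip="$1"; user="$2"; object="$3"; shift 3
    validate_checkpoint_target "$ip" "$user" "$object" || return 1
    echo "running: $(nipper_checkpoint_cmdline "$ip" "$user" "$object")" >&2
    # Each value is passed as its own quoted word, so a password containing
    # spaces or shell metacharacters is still delivered to Nipper intact.
    "${NIPPER_BIN:-nipper}" "--remote-device=$ip" --checkpoint \
        "--username=$user" "--password=$NIPPER_PASSWORD" "--objectname=$object" "$@"
}
```

Because the interface described here takes the password as a command-line option, it is still visible in the process list for the lifetime of the Nipper run; the wrapper only keeps it out of shell history and out of whatever you log. The first run against a new device will still prompt for the one-time password, as described above, so that run cannot be fully unattended.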