Set Up Checkpoint Firewall Authentication

Checkpoint Firewall is a sub-type of Unix authentication. Create Checkpoint Firewall records to allow the service to authenticate to Checkpoint Firewall devices that support the SSH protocol (SSH1 and SSH2).

This record type is only available in accounts with PC or SCA and is only supported for compliance scans.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: 

Authentication Technologies Matrix

 

- Go to Scans > Authentication.

- Create a Checkpoint Firewall record for the host. Go to New > Network and Security > Checkpoint Firewall.

1) The user account you provide for authentication must have administrative level privileges on the Checkpoint device in order to perform all checks, and must be able to execute these commands:

ver
expert (to switch to expert mode)
cpstat os

2) TCP port 22 must be open on the scan target for SSH authentication.

3) Your password must not include any spaces.

If the "expert" command on the target host requires a password, then you must also provide the expert password in the record. (Note: The pooled credentials feature is not supported if the "expert" command requires a password and the password is specified.)

Select to allow your user account password to be transmitted in clear text when connecting to services which do not support strong password encryption. Learn more about Clear Text password

The scanning engine needs to find login services in order to successfully authenticate to Unix/Cisco/Checkpoint Firewall hosts and perform compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning, then you must define a custom ports list.

Note - The actual ports scanned also depends on the Ports setting in the compliance option profile used at scan time.

Learn more about scanned portsLearn more about scanned ports

If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record.

If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports).

Refer to the table below:

Compliance Profile

Authentication Record

Ports Scanned

Standard Scan

Well Known Ports

~1900 Ports (includes Ports 22, 23, 513)

Standard Scan

Custom Ports

~1900 Ports + Custom Ports in record

Targeted Scan

Well Known Ports

Ports 22, 23 and 513 only

Targeted Scan

Custom Ports

Custom Ports in record only

Select the target hosts (IPs) to authenticate to. The IPs you include in this record cannot also be included in a Unix or Cisco record.

For Checkpoint Firewall, we support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record, select your vault name and make vault settings. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Vault Configuration for Compliance Scans

You must configure the user account in such a way that the "expert" command enters the privileged shell automatically without prompting for a 2nd password. This is because the supported vaults only store a single password in a file.

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.

 

Quick Links

Why use host authentication

Vault Support Matrix

Tip The password you provide for authentication must not include any spaces.