Checkpoint Firewall is a sub-type of Unix authentication. Create Checkpoint Firewall records to allow the service to authenticate to Checkpoint Firewall devices that support the SSH protocol (SSH1 and SSH2).
This record type is only available in accounts with PC or SCA and is only supported for compliance scans.
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:
Authentication Technologies Matrix
Help me with record settings
How do I get started?
- Go to Scans > Authentication.
- Create a Checkpoint Firewall record for the host. Go to New > Network and Security > Checkpoint Firewall.
What login credentials are required?
1) The user account you provide for authentication must have administrative level privileges on the Checkpoint device in order to perform all checks, and must be able to execute these commands: ver
2) TCP port 22 must be open on the scan target for SSH authentication.
3) Your password must not include any spaces.
Expert Password option
If the "expert" command on the target host requires a password, then you must also provide the expert password in the record. (Note: The pooled credentials feature is not supported if the "expert" command requires a password and the password is specified.)
Clear Text Password option
Select to allow your user account password to be transmitted in clear text when connecting to services which do not support strong password encryption.
Learn more about Clear Text password
Well Known Ports vs. Custom Ports
The scanning engine needs to find login services in order to successfully authenticate to Unix/Cisco/Checkpoint Firewall hosts and perform compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning, then you must define a custom ports list.
Note - The actual ports scanned also depend on the Ports setting in the compliance option profile used at scan time.
Learn more about scanned ports
If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record.
If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports).
Refer to the table below:
Which IPs should I add to my record?
Select the target hosts (IPs) to authenticate to. The IPs you include in this record cannot also be included in a Unix or Cisco record.
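As an added example that is not part of this help page and not Qualys code, the following Python validator applies the record rules described above (no spaces in the password, expert password versus pooled credentials, no IP overlap with Unix or Cisco records, a sane custom ports list) and resolves which ports are probed under the Standard Scan and Targeted Scan profile settings. The record and profile structures are assumptions made for the example, not the service's API.

```python
# Added example (not Qualys code). Record/profile dictionaries are assumed
# structures; the service exposes these settings only through its UI/API.
import ipaddress

WELL_KNOWN_PORTS = {22, 23, 513}   # SSH, telnet, rlogin: the page's defaults


def validate_record(record, other_records):
    """Return a list of problems; an empty list means the record passes.
    record: {"password": str, "expert_password": str|None, "pooled": bool,
             "ips": [str], "custom_ports": [int]}
    other_records: [{"type": "unix"|"cisco"|..., "ips": [str]}]"""
    problems = []
    # Rule from the page: the authentication password must not contain spaces.
    if " " in record["password"]:
        problems.append("password must not contain spaces")
    # Rule from the page: pooled credentials cannot be combined with an expert password.
    if record.get("expert_password") and record.get("pooled"):
        problems.append("pooled credentials are not supported when an expert password is set")
    # Rule from the page: an IP in this record may not also be in a Unix or Cisco record.
    mine = {ipaddress.ip_address(ip) for ip in record["ips"]}
    for other in other_records:
        if other["type"] in ("unix", "cisco"):
            overlap = mine & {ipaddress.ip_address(ip) for ip in other["ips"]}
            if overlap:
                problems.append(
                    f"IPs {sorted(map(str, overlap))} are also in a {other['type']} record")
    # Custom ports must be real TCP port numbers.
    bad_ports = [p for p in record.get("custom_ports", []) if not 1 <= p <= 65535]
    if bad_ports:
        problems.append(f"invalid custom ports: {bad_ports}")
    return problems


def scanned_ports(profile_mode, custom_ports, standard_list=None):
    """Ports the engine probes for login services under the two profile modes.
    standard_list stands in for the service's ~1900-port list; when it is not
    supplied, only the well-known ports are used as the base (an assumption)."""
    custom = set(custom_ports)
    if profile_mode == "targeted":
        return custom                        # custom ports only, nothing else
    if profile_mode == "standard":
        base = set(standard_list) if standard_list is not None else set()
        return base | WELL_KNOWN_PORTS | custom   # standard list always includes 22/23/513
    raise ValueError(f"unknown profile mode: {profile_mode}")
```

A Targeted Scan with an empty custom ports list yields no ports at all, so authentication cannot succeed; the validator leaves that to the profile check because the page ties it to the option profile rather than the record.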
For Checkpoint Firewall, we support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record, select your vault name and make vault settings. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.
Vault Configuration for Compliance Scans
You must configure the user account in such a way that the "expert" command enters the privileged shell automatically without prompting for a 2nd password. This is because the supported vaults only store a single password in a file.
Important Notes for Unit Managers
When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.
The password you provide for authentication must not include any spaces.