Set Up Checkpoint Firewall Authentication

Checkpoint Firewall is a sub-type of Unix authentication. Create Checkpoint Firewall records to allow the service to authenticate to Checkpoint Firewall devices that support the SSH protocol (SSH1 and SSH2).

This record type is only available in accounts with PC or SCA and is only supported for compliance scans.

Which technologies are supported?

CheckPoint Gaia and SecurePlatform PRO operating systems:

- CheckPoint Gaia R75 and above

- CheckPoint SecurePlatform PRO R75 and above

Help me with record settings

How do I get started?

- Go to Scans > Authentication.

- Create a Checkpoint Firewall record for the host. Go to New > Network and Security > Checkpoint Firewall.

What login credentials are required?

1) The user account you provide for authentication must have administrative level privileges on the Checkpoint device in order to perform all checks, and must be able to execute these commands:

ver
expert (to switch to expert mode)
cpstat os

2) TCP port 22 must be open on the scan target for SSH authentication.

3) Your password must not include any spaces.

Expert Password option

If the "expert" command on the target host requires a password, then you must also provide the expert password in the record. (Note: The pooled credentials feature is not supported if the "expert" command requires a password and the password is specified.)

Clear Text Password option

Select to allow your user account password to be transmitted in clear text when connecting to services which do not support strong password encryption. Learn more about Clear Text password

Well Known Ports vs. Custom Ports

The scanning engine needs to find login services in order to successfully authenticate to Unix/Cisco/Checkpoint Firewall hosts and perform compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning, then you must define a custom ports list.

Note - The actual ports scanned also depends on the Ports setting in the compliance option profile used at scan time.

Learn more about scanned ports

If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record.

If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports).

Refer to the table below:

Compliance Profile	Authentication Record	Ports Scanned
Standard Scan	Well Known Ports	~1900 Ports (includes Ports 22, 23, 513)
Standard Scan	Custom Ports	~1900 Ports + Custom Ports in record
Targeted Scan	Well Known Ports	Ports 22, 23 and 513 only
Targeted Scan	Custom Ports	Custom Ports in record only

Which IPs should I add to my record?

Select the target hosts (IPs) to authenticate to. The IPs you include in this record cannot also be included in a Unix or Cisco record.

Want to access the account password from your password vault?

For Checkpoint Firewall, we support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record, select your vault name and make vault settings. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Vault Configuration for Compliance Scans

You must configure the user account in such a way that the "expert" command enters the privileged shell automatically without prompting for a 2nd password. This is because the supported vaults only store a single password in a file.

Important Notes for Unit Managers

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.