3.1 Enable the Firewall Stealth Rule

Information

Create a rule to drop Any Service from Any Source or Any VPN that attempts to connect to the gateway.

Rationale:

The stealth rule will limit access to the gateway to the control and service connections enabled as part of the design. As such, it is very important to enable access to the gateway as its role changes, for example, become a client VPN gateway. Another common example is enabling Client Authentication. If ports TCP 259 and 900 are not opened (or if you change the ports in the conf file), access will not work. Organizations with many Check Point gateways may want to document each gateway and the Check Point services it is intended and configured to accept.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Login to the Management Server via SmartDashboard and create or edit the stealth rule, allowed only required IP address to manage the gateway and make sure it is on top of all rules.

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: CheckPoint

Control ID: 58fb86f6db7268e99119b8b772eacc2e3af75f8af96c380ab251965c85247e85