Check Point Firewall Security Policy Audit
Policy-audit-driven analysis of Check Point Security Gateway policies. Unlike
generic firewall checklists that check for open ports and default-deny, this
skill evaluates the Check Point-specific security architecture: rulebase
ordered and inline layers, Software Blade activation coverage, management
plane trust (SIC), and the Unified Policy model introduced in R80+.
Covers R80.x and R81.x gateways managed via SmartConsole connected to a
Security Management Server or Multi-Domain Server (MDS). Reference
references/policy-model.md for the R80+ architecture and layer model,
and references/cli-reference.md for read-only CLI and API commands.
When to Use
- - Rulebase layer review after rule additions or layer restructuring
- Blade activation audit verifying that licensed blades are enabled on all gateways
- Annual or quarterly compliance audit requiring per-rule justification
- Post-incident rulebase assessment to identify how traffic was permitted
- SmartConsole management plane validation — SIC trust, log server connectivity
- Multi-Domain (MDS) domain isolation audit for MSSP or multi-tenant environments
- NAT policy review after network re-addressing or migration
- Pre-upgrade rulebase baseline before R80.x → R81.x migration
- Identity awareness assessment — verifying AD integration and access role coverage
Prerequisites
- - Read-only administrator access to SmartConsole or Management Server API (
mgmt_cli / Web API) - SSH access to the Security Gateway for
fw, cpstat, and cpview commands (Expert mode) - Understanding of the management architecture — Management Server, Log Server, and Security Gateway relationships
- Knowledge of expected blade activation per gateway — which blades should be enabled where
- For MDS environments: domain-level access with visibility into each managed domain
- Policy installed — audit evaluates the installed policy, not the SmartConsole staging session
Procedure
Follow this audit flow sequentially. Each step builds on prior findings.
The procedure moves from management architecture through rulebase layer
analysis to blade activation, NAT, identity, and compliance verification.
Step 1: Management Architecture Inventory
Map the management plane topology.
CODEBLOCK0
Record: Management Server hostname and version, Log Server(s), Security
Gateway(s) with version and SIC status. In MDS environments, list all
domains and their assigned gateways.
Verify SIC trust between Management Server and each gateway:
CODEBLOCK1
SIC (Secure Internal Communication) trust must be established for policy
installation and log forwarding. A gateway with SIC status other than
"Trust established" cannot receive policy updates — stale policy is a
Critical finding.
For Multi-Domain deployments, verify domain isolation:
CODEBLOCK2
Each domain should be an independent management container. Cross-domain
policy leakage indicates architecture misconfiguration.
Check Management Server disk space and health — a full log partition
prevents logging:
CODEBLOCK3
Step 2: Rulebase Layer Analysis
R80+ uses a Unified Policy model with ordered layers. Each layer is an
independent rulebase evaluated sequentially.
CODEBLOCK4
Retrieve each access layer and evaluate:
- - Layer structure: Ordered layers evaluate top-to-bottom. Each layer
must independently reach a decision (Accept/Drop/Reject) for the traffic,
or the traffic is implicitly dropped. An inline layer is embedded within
a rule in a parent layer — it sub-divides that rule's match.
- - Rule ordering within layers: First-match evaluation. Rules within a
layer are evaluated top-down; the first matching rule is applied.
- - Implicit rules: Check Point inserts implicit rules controlled by
Global Properties. Key implicit rules include:
- Accept control connections (Management, logging)
- Accept outgoing from gateway
- Cleanup rule (default drop at bottom)
- Stealth rule (protect the gateway itself — must be explicitly added)
- - Disabled rules: Rules with
enabled: false consume rulebase space
but do not evaluate. Flag for cleanup.
- - Rule hit counts: Identify rules with zero hits over 90+ days as
cleanup candidates. Hit counts are available via SmartConsole or API.
- - Overly permissive rules: Rules with Source=Any, Destination=Any,
Service=Any, Action=Accept are Critical — they permit all traffic
within the layer.
CODEBLOCK5
Use details-level full to retrieve source, destination, service, action,
track, and profile bindings for each rule.
Step 3: Blade Activation Audit
Check Point Software Blades provide security functions. Each blade must be
licensed and enabled per gateway.
CODEBLOCK6
Verify activation status for each blade on every gateway:
| Blade | Function | Expected On |
|---|
| Firewall | Stateful packet inspection | All gateways |
| IPS |
Intrusion prevention signatures | Internet-facing gateways |
| Application Control | Application identification and enforcement | Internet-facing gateways |
| URL Filtering | URL categorization and blocking | Gateways with user web traffic |
| Anti-Bot | Bot C2 communication detection | All gateways |
| Anti-Virus | File-based malware scanning | All gateways |
| Threat Emulation | Sandbox analysis for unknown files | Internet-facing gateways |
| Threat Extraction | Content disarm and reconstruction | Email/download gateways |
| Content Awareness | Data visibility and DLP | Gateways handling sensitive data |
| HTTPS Inspection | TLS decryption for content inspection | Internet-facing gateways |
Compare licensed blades (contract entitlement) against enabled blades.
Licensed but disabled blades represent undeployed security capability.
Enabled but unlicensed blades will stop functioning on license expiry.
CODEBLOCK7
Check Threat Prevention profiles assigned to rules — blades are only
effective when both enabled on the gateway AND referenced in policy rules
via a Threat Prevention profile.
Step 4: NAT Policy Review
Check Point supports two NAT methods: Automatic NAT (per-object) and
Manual NAT (explicit rulebase).
CODEBLOCK8
Evaluate NAT policy:
- - Automatic NAT rules: Defined on network objects (host, network,
address range). Check Point generates NAT rules automatically based on
object NAT settings. Review each object's NAT configuration.
- - Manual NAT rules: Explicit rules in the NAT rulebase, evaluated
top-down before automatic rules. Review rule ordering for conflicts.
- - NAT method: Hide NAT (many-to-one PAT) vs Static NAT (one-to-one).
Static NAT on internal servers should have corresponding security rules
restricting access to required services only.
- - NAT rule ordering: Manual rules evaluate before Automatic rules.
Within each section, rules evaluate top-down. Conflicting rules in
manual section override automatic NAT.
Verify that NAT does not expose internal addressing or create unintended
access paths. Cross-reference static NAT entries with security policy rules.
Step 5: Identity Awareness and Access Role Assessment
If Identity Awareness blade is enabled, evaluate the identity integration.
CODEBLOCK9
Check:
- - Identity sources: Active Directory integration (AD Query or Identity
Collector), RADIUS accounting, Terminal Servers agent, captive portal,
Remote Access VPN identity. Verify connectivity to each source.
- - Access roles in security rules: Access roles combine user/group
identity with machine identity. Rules referencing access roles require
functioning identity sources — if AD connectivity fails, identity-based
rules cannot match, and traffic falls to non-identity rules.
- - Identity agent deployment: Check whether Identity Agent or Captive
Portal covers all user segments. Gaps in identity collection mean those
users match rules as "unknown user."
- - Identity sharing: In MDS or distributed environments, verify identity
information is shared between gateways that need it.
Step 6: Log and Compliance Verification
Verify log infrastructure and compliance monitoring.
CODEBLOCK10
Check:
- - Log Server connectivity: Verify each gateway can forward logs to the
Log Server. Check for log gaps that indicate connectivity interruptions.
- - Log completeness: Rules with Track=None produce no log entries.
Identify security-relevant rules without logging — at minimum, all Drop
and Reject rules should log.
- - SmartEvent correlation: If SmartEvent is deployed, verify correlation
policy is active and generating events from security logs.
- - Compliance blade: If enabled, verify compliance checks are running
and review the latest compliance report for failed checks.
CODEBLOCK11
Verify Threat Prevention signature databases are current:
| Database | Maximum Age | Check |
|---|
| IPS signatures | 7 days | INLINECODE8 |
| Application Control DB |
7 days |
cpstat appi |
| Anti-Bot signatures | 24 hours |
cpstat antimalware |
| Anti-Virus signatures | 24 hours |
cpstat antimalware |
| URL Filtering DB | 7 days |
cpstat urlf |
Threshold Tables
Policy Rule Severity Classification
| Finding | Severity | Rationale |
|---|
| Source=Any, Destination=Any, Service=Any, Action=Accept | Critical | Fully open rule — permits all traffic within the layer |
| Gateway SIC trust not established |
Critical | Gateway cannot receive policy updates; running stale policy |
| Licensed blades not enabled on internet-facing gateway | High | Purchased security capability not deployed |
| Rule with Action=Accept and no Threat Prevention profile | High | Traffic passes without IPS, Anti-Bot, or AV inspection |
| HTTPS Inspection not enabled on internet-bound traffic | High | Encrypted traffic bypasses content inspection blades |
| Threat Prevention signatures >7 days old | High | Detection gap for recently discovered threats |
| Missing Stealth rule (no rule protecting gateway itself) | High | Gateway management plane exposed to data-plane traffic |
| Manual NAT rule conflicts with Automatic NAT | Medium | Unexpected NAT behavior; traffic may not translate as intended |
| Rules with zero hit count >90 days | Medium | Unused rules — cleanup candidates |
| Disabled rules in production layer | Medium | Audit confusion; stale configuration |
| Track=None on Drop/Reject rule | Medium | Security-relevant denied traffic not logged |
| Identity Awareness source connectivity failure | Medium | Identity-based rules unable to match users; fallback behavior |
| Log Server connectivity intermittent | Medium | Log gaps reduce incident investigation capability |
| Implicit cleanup rule handling all denied traffic | Low | Expected behavior, but verify logging is enabled |
Blade Activation Maturity
| Coverage | Maturity | Guidance |
|---|
| All licensed blades enabled + profiles in policy | Mature | Maintain; review profile settings quarterly |
| Blades enabled but profiles not referenced in rules |
Developing | Bind Threat Prevention profiles to all Accept rules |
| Licensed blades not enabled | Immature | Enable blades and create Threat Prevention profiles |
Decision Trees
Overly Permissive Rule Remediation
CODEBLOCK12
Blade Gap Remediation
CODEBLOCK13
Report Template
CODEBLOCK14
Troubleshooting
Large Rulebases Spanning Multiple Layers
Auditing rulebases with hundreds of rules across multiple ordered layers
is impractical via SmartConsole alone. Use the Management API to export
all layers programmatically:
mgmt_cli show access-rulebase name "<layer>" details-level full --format json -r true
Iterate over all layers and merge into a single dataset for automated
shadow detection, profile gap analysis, and hit count review.
Multi-Domain Server (MDS) Audits
In MDS deployments, each domain is an isolated management container. The
auditor must connect to each domain separately (or use the MDS-level API
with domain context). Policy in one domain does not affect another — but
verify that cross-domain traffic paths have consistent policies on both
domain gateways.
Policy Installation Failures
If a gateway shows "Policy out of date" in SmartConsole, the running policy
may not match the current rulebase. Use fw stat on the gateway to see
the installed policy name and timestamp. Compare with SmartConsole to
identify the delta. Audit findings should be based on the installed policy,
not the pending session.
SecureXL and CoreXL Impact on Inspection
SecureXL accelerates traffic by bypassing full inspection for established
sessions. Some blades (especially IPS and Threat Emulation) require traffic
to pass through the Firewall kernel (Medium Path or Firewall Path), not
the accelerated path. Verify SecureXL template status:
fwaccel stat and fwaccel templates -S
Templates that match security-sensitive traffic and bypass blade inspection
are a finding.
ClusterXL and VSX Considerations
In ClusterXL (HA) deployments, verify both members run the same policy
version and software release. In VSX (Virtual System Extension) deployments,
each virtual system has independent policy — audit each VS separately.
Use vsx stat -v to list virtual systems.
Check Point 防火墙安全策略审计
基于策略审计驱动的Check Point安全网关策略分析。与检查开放端口和默认拒绝的通用防火墙检查清单不同,此技能评估Check Point特定的安全架构:规则库有序层和内联层、软件刀片激活覆盖范围、管理平面信任(SIC)以及R80+中引入的统一策略模型。
涵盖通过连接到安全管理服务器或多域服务器(MDS)的SmartConsole管理的R80.x和R81.x网关。参考references/policy-model.md了解R80+架构和层模型,参考references/cli-reference.md了解只读CLI和API命令。
何时使用
- - 添加规则或重组层后的规则库层审查
- 刀片激活审计,验证所有网关上已启用已授权的刀片
- 需要逐条规则说明的年度或季度合规审计
- 事件后规则库评估,以确定流量是如何被允许的
- SmartConsole管理平面验证 — SIC信任、日志服务器连接
- 面向MSSP或多租户环境的多域(MDS)域隔离审计
- 网络重新寻址或迁移后的NAT策略审查
- R80.x → R81.x迁移前的升级前规则库基线
- 身份感知评估 — 验证AD集成和访问角色覆盖范围
前提条件
- - 对SmartConsole或管理服务器API(mgmt_cli / Web API)具有只读管理员访问权限
- 对安全网关具有SSH访问权限,以执行fw、cpstat和cpview命令(专家模式)
- 了解管理架构 — 管理服务器、日志服务器和安全网关之间的关系
- 了解每个网关预期的刀片激活情况 — 哪些刀片应在何处启用
- 对于MDS环境:具有域级访问权限,并能查看每个受管域
- 策略已安装 — 审计评估已安装的策略,而非SmartConsole暂存会话
操作步骤
按顺序执行此审计流程。每个步骤都基于之前的发现。该流程从管理架构开始,经过规则库层分析,再到刀片激活、NAT、身份和合规性验证。
步骤1:管理架构清单
映射管理平面拓扑。
cpstat mg
mgmt_cli show gateways-and-servers --format json -r true
记录:管理服务器主机名和版本、日志服务器、安全网关及其版本和SIC状态。在MDS环境中,列出所有域及其分配的网关。
验证管理服务器与每个网关之间的SIC信任:
cpstat sic
fw stat
必须建立SIC(安全内部通信)信任,才能进行策略安装和日志转发。SIC状态不是信任已建立的网关无法接收策略更新 — 过时策略是关键发现。
对于多域部署,验证域隔离:
mdsstat
每个域应是一个独立的管理容器。跨域策略泄漏表明架构配置错误。
检查管理服务器磁盘空间和运行状况 — 日志分区已满会阻止日志记录:
cpstat os -f disk
cpview
步骤2:规则库层分析
R80+使用具有有序层的统一策略模型。每个层都是一个按顺序评估的独立规则库。
mgmt_cli show access-rulebase name Network --format json -r true
检索每个访问层并进行评估:
- - 层结构: 有序层从上到下评估。每个层必须独立地对流量做出决定(接受/丢弃/拒绝),否则流量将被隐式丢弃。内联层嵌入在父层的规则中 — 它细分了该规则的匹配条件。
- 层内规则排序: 首匹配评估。层内的规则从上到下评估;应用第一个匹配的规则。
- 隐式规则: Check Point插入由全局属性控制的隐式规则。关键隐式规则包括:
- 接受控制连接(管理、日志记录)
- 接受来自网关的出站流量
- 清理规则(底部的默认丢弃)
- 隐身规则(保护网关本身 — 必须显式添加)
- - 已禁用规则: enabled: false的规则占用规则库空间但不进行评估。标记为清理。
- 规则命中计数: 识别90天以上零命中的规则作为清理候选。命中计数可通过SmartConsole或API获取。
- 过于宽松的规则: 源=任意、目标=任意、服务=任意、操作=接受的规则是关键 — 它们允许该层内的所有流量。
mgmt_cli show access-rulebase name Network details-level full --format json -r true
使用details-level full检索每条规则的源、目标、服务、操作、跟踪和配置文件绑定。
步骤3:刀片激活审计
Check Point软件刀片提供安全功能。每个刀片必须在每个网关上获得授权并启用。
cpstat blades
cpstat fw
验证每个网关上每个刀片的激活状态:
| 刀片 | 功能 | 预期启用位置 |
|---|
| 防火墙 | 状态数据包检测 | 所有网关 |
| IPS |
入侵防御签名 | 面向互联网的网关 |
| 应用控制 | 应用识别和强制 | 面向互联网的网关 |
| URL过滤 | URL分类和阻止 | 有用户Web流量的网关 |
| 反僵尸网络 | 僵尸网络C2通信检测 | 所有网关 |
| 防病毒 | 基于文件的恶意软件扫描 | 所有网关 |
| 威胁仿真 | 未知文件的沙箱分析 | 面向互联网的网关 |
| 威胁提取 | 内容解除和重建 | 电子邮件/下载网关 |
| 内容感知 | 数据可见性和DLP | 处理敏感数据的网关 |
| HTTPS检查 | 用于内容检查的TLS解密 | 面向互联网的网关 |
比较已授权刀片(合同权益)与已启用刀片。已授权但禁用的刀片代表未部署的安全能力。已启用但未授权的刀片将在授权到期后停止运行。
cpstat licenseStat
cplic print
检查分配给规则的威胁防护配置文件 — 只有当刀片在网关上启用并且在策略规则中通过威胁防护配置文件引用时,刀片才有效。
步骤4:NAT策略审查
Check Point支持两种NAT方法:自动NAT(按对象)和手动NAT(显式规则库)。
mgmt_cli show nat-rulebase --format json -r true
评估NAT策略:
- - 自动NAT规则: 在网络对象(主机、网络、地址范围)上定义。Check Point根据对象NAT设置自动生成NAT规则。审查每个对象的NAT配置。
- 手动NAT规则: NAT规则库中的显式规则,在自动规则之前从上到下评估。审查规则排序是否存在冲突。
- NAT方法: 隐藏NAT(多对一PAT)与静态NAT(一对一)。内部服务器上的静态NAT应有相应的安全规则,仅限制对所需服务的访问。
- NAT规则排序: 手动规则在自动规则之前评估。在每个部分内,规则从上到下评估。手动部分中的冲突规则会覆盖自动NAT。
验证NAT不会暴露内部寻址或创建意外的访问路径。交叉引用静态NAT条目与安全策略规则。
步骤5:身份感知和访问角色评估
如果启用了身份感知刀片,请评估身份集成。
pdp status stat
mgmt_cli show access-roles --format json -r true
检查:
- - 身份源: Active Directory集成(AD查询或身份收集器)、RADIUS计费、终端服务器代理、强制门户、远程访问VPN身份。验证与每个源的连接。
- 安全规则中的访问角色: 访问角色将用户/组身份与机器身份相结合。引用访问角色的规则需要正常工作的身份源 — 如果AD连接失败,基于身份的规则无法匹配,流量将回退到非身份规则。
- 身份代理部署: 检查身份代理或强制门户是否覆盖所有用户段。身份收集中的缺口意味着这些用户将作为未知用户匹配规则。
- 身份共享: 在MDS或分布式环境中,验证身份信息在需要它的网关之间共享。
步骤6:日志和合规性验证
验证日志基础设施和合规性监控。
cpstat logging
fw log -t
检查:
- - 日志服务器连接: 验证每个网关可以将日志转发到日志服务器。检查指示连接中断的日志缺口。
- 日志完整性: 跟踪=None的规则不产生日志条目。识别没有日志记录的安全相关规则 — 至少,所有丢弃和拒绝规则都应记录日志。
- SmartEvent关联: 如果部署了SmartEvent,验证关联策略处于活动状态并从安全日志生成事件。
- 合规性刀片: 如果启用,验证合规性检查正在运行,并审查最新的合规性报告以查找失败的检查。
cpstat antimalware
cpstat appi
验证威胁防护签名数据库是最新的:
| 数据库 | 最大期限 | 检查命令 |
|---|
| IPS签名 | 7天 | cpstat ips |
| 应用控制数据库 |
7天 | cpstat appi |
| 反僵尸网络
