Implementing Secure Client Verification (SCV) on Check Point gateways

Introduction

This post was written whilst organisations were coping with the fallout from the Corona / COVID-19 pandemic.  Organisations were faced with the task of enabling the workforce to work remotely, and to do so securely.  Apart from implementing MFA, device posturing or compliance checking your endpoints is arguably one of the more effective ways of helping to address the risks associated with granting your users access into your network.

Check Point allows us to do this in multiple ways by utilizing a feature called Secure Client Verification (SCV).  In very simple terms, this allows us to perform numerous checks (Is AV running, is the OS supported, is it patched, is it a member of the corporate domain etc.) on an endpoint before we allow it to access our network via a VPN.

SMS Configuration

Go to Global Properties - Secure Configuration Verification
Ensure "Apply Secure Configuration...." is selected

Gateway Configuration

On your Cluster / gateway object, ensure that IPSec Policy Server is selected.

This allows us to add the desktop policy to our policy package, which in turn allows the magic to happen.  Go to Security Policies -> Manage policies and layers.  Ensure "Desktop Security" is ticked.

Publish your changes and navigate to the policy package you just edited.  You'll see you have a brand new "Desktop Policy" in your Access Control section.  Click "Open Desktop Policy in SmartDashboard", making sure to select Read-Write mode.

Navigate to the "Desktop" tab.  We will need to create a rule here, otherwise the policy will fail to install (it's the policy installation that transfers the local.scv file to the gateway, but more on that later).

If you are just running the Check Point Mobile client then whatever you do here will have no impact, as this client does not have a firewall component.  That said, click "Add Rule at the Bottom" and add a rule, anything will do.

If you're running the full client then obviously don't do a rule which puts you at risk, but then you would probably also have rules in place already which obviates the need for this step.

Update the SMS with your changes and exit SmartDashboard

local.scv file details

Now comes the slightly archaic bit.  Your actual compliance rules in this instance are controlled by a text file called "local.scv" that resides on your SMS inside the $FWDIR/conf folder.  I'll include links to more extensive documentation at the end of the post, for this example I'll show how to check for domain membership (checkpoint.root in this example).  The desired outcome will be that if the VPN client is not a member of the checkpoint.root domain, then it will be denied access.

You can either edit the local.scv file in place using the vi editor, or transfer to your workstation and upload the edited file.  Here are the relevant edited sections:



: (RegMonitor
:type (plugin)
:parameters (
:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.root")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Your computer doesn't meet the domain membership requirements.")
:end (admin)
)
)



:SCVPolicy (
: (RegMonitor)



:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (true)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (true)
)

Client Output

Once the updated file is saved on your SMS, you can push policy to your gateways, making sure the "Desktop Security" is ticked.  When policy installation is done you can attempt to establish a VPN connection to your gateway.  If you are not compliant you will get an error message similar to the below (you can edit the actual error message with the local.scv file)

Conclusion

The advantages to building and configuring Secure Compliance Verification is that you do not need to purchase any additional licenses or install any software beyond the Mobile Client.  The drawbacks, in my opinion is:
1.  Not as fully featured as the checks that can be done with the full Check Point endpoint solution
2.  You cannot have granular SCV rule (i.e. Check Y for UserA, Check Z for UserB)
3.  It's a Global setting enforced from your SMS, so you cannot have separate checks for separate gateways

Having said that, it's an awesome feature that for some reason is not very well-known among Check Point admins.

I found the following resources very helpful when first building this out in my lab:

Check Point sk65267
Check Point sk147416

https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Checking-with-Secure/m-p/57123#M1737

Migrating a Check Point cluster to new hardware

Overview:

The very high-level overview would be:
1. Migrate standby node config to new node
2. Disconnect old standby from network
3. Connect new standby to network
4. Reset SIC via SmartConsole
5. Failover Cluster to new node
6. Repeat steps 1-4 for additional cluster members

Step-by-Step

In order to minimise disruption we'll start by replacing the standby node.  We can verify the node state that with the cphaprob state command:

[Expert@gw02-r77:0]# cphaprob state

Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1          10.0.0.11       100%            Active
2 (local)  10.0.0.12       0%              Standby

Now we'll migrate the standby gateway configuration to our new standby node.  We can pull the existing config via the "show configuration" command.  This will dump the configuration onto the console, where you can copy and paste it into a text file:

gw02-r77> show configuration
#
# Configuration of gw02-r77
# Language version: 12.3v1
#
# Exported by admin on Thu Jan 16 09:46:32 2020
#
set net-access telnet off
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set inactivity-timeout 10
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled off
set web daemon-enable on

Etc………………………………….

The next step is very important, as most likely your interface names will be different on your new hardware.  In the below example my source gateway's interface is eth0:

set interface eth0 comments "Management"
set interface eth0 state on
set interface eth0 ipv4-address 192.168.239.253 mask-length 24

If my destination interface is eth5, for example, I'll just do a simple search and replace, which will give me this:

set interface eth5 comments "Management"
set interface eth5 state on
set interface eth5 ipv4-address 192.168.239.253 mask-length 24

This we'll repeat for all interfaces.  Sub-interface names will not change, so you need not worry about those.

Now that we've adapted our config file to reflect our new hardware, we log into the new gateway and paste it in.

Now we are ready to replace our standby node with the new node, so we disconnect our standby node from the network.  To allow for rapid failback in case something goes wrong I never power off the old standby.  Instead I either unplug the cables or I disable the switchports that the gateway is connected to.

Now we can power up the new standby node.  Once bootup is complete we reset the SIC using SmartConsole.  Right click on your gateway object and select edit:

Now click Communications, then Click Reset:

Now enter the one-time password (should match what you entered during gateway setup, otherwise you can change it using cpconfig):

Now we update the cluster properties to the new version (R77.30 -> R80.30 in this instance)

What if my interface names are different?

In the event that your interfaces names are different between your old and your new cluster members, you'll need to match it up by editing your cluster object in SmartConsole and telling it which physical interfaces maps to which cluster interfaces.  This screenshot should explain it better:

Finally we install our policy on the new node only:

Now we fail the cluster over to our new member by running the cphastop command on the remaining "old" node.

We verify that our new member is active:

[Expert@gw01-r80:0]# cphaprob state

Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name                  

2 (local)  10.0.0.12       100%            ACTIVE         gw02-r77


Active PNOTEs: None

Last member state change event:
   Event Code:                 CLUS-116504
   State change:               READY -> ACTIVE
   Reason for state change:    All other machines are dead (timeout), No other ACTIVE members have been found in the cluster
   Event time:                 Thu Jan 16 10:37:32 2020

Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Thu Jan 16 09:34:50 2020 (reboot).

Next we verify that all our cluster interfaces are up:

[Expert@gw01-r80:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 3
Required secured interfaces: 1


Interface Name:      Status:

eth0                 UP
eth1                 UP
eth2 (S)             UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 2

eth0           192.168.239.250      VMAC address: 00:1C:7F:00:61:B3
eth1           192.168.20.213       VMAC address: 00:1C:7F:00:61:B3

Once we're satisfied the our new gateway is passing traffic properly, we'll repeat the same procedure to replace the remaining "old" gateways.

Check Point standby cluster member cannot access the Internet

The title is pretty self-explanatory, and it's behaviour I'm seeing on every recent cluster build that I do (R80.10 and up).  A fair question will be "Why are you concerned with Internet access on your standby member?".  Well, my biggest reason is cosmetic, as occasionally the gateway might throw up alerts in SmartConsole due to it being unable to to entitlement checks and such. 

More importantly, your cluster might also be configured to have the gateways pull IPS / AV / etc. updates (as opposed to having your SMS distribute it) and this means that if your cluster fails over, there might be a small window where you are running outdated protections.

Having said all that, how do we fix this?  Well Check Point has 4 steps listed in sk43807, namely:

• Verify that routing tables are identical on all nodes
• Synchronise HTTP, HTTPS, DNS between cluster members
• Set the 'fwha_forw_packet_to_not_active' kernel parameter to 1
• Edit your 'table.def' file on the SMS

Of those, the only one that has ever worked for me is the 'table.def' edit, issue with that is that it will get overwritten after every upgrade you do, so in my view not a long-term solution.

Because this issue is caused by the gateway's traffic being hidden behind the cluster IP, we can fix it with a NAT rule.  This also has the advantage of being a permanent fix.  You'll have to create a rule for each gateway in your cluster which states that for any traffic originating from the gateway (create objects with your external IP's) to any, use original.  It needs to look something like this:

Once done, push policy and you should immediately restore access.

Checkpoint and QRadar integration via Checkpoint Log Exporter

I recently had to integrate a new client's Checkpoint environment into their QRadar SIEM solution due to the need for a single point of alerting and monitoring.

Despite the information available on both Checkpoint and IBM's support site, I still found the process a tad convoluted.  Below is a short and sweet summary of how I got the Checkpoint to ship logs to QRadar in a way that made sense to QRadar.

Configure the Checkpoint Log Exporter

Execute the below command on your Checkpoint SMS:

cp_log_export add name qradar target-server target-port 514 protocol tcp format leef read-mode semi-unified

Verify LeefFieldMapping.xml

Navigate to /opt/CPrt-R80/log_exporter/targets/qradar

Verify that the LeefFieldMapping.xml file is as per QRadar requirements defined here: https://www.ibm.com/support/pages/troubleshooting-check-point-syslog-leef-events-log-exporter-cplogexport-utility

Verify LeefFormatDefinition.xml

Navigate to $EXPORTERDIR/conf

Verify that the LeefFormatDefinition.xml is as per QRadar requirements defined here: https://www.ibm.com/support/pages/troubleshooting-check-point-syslog-leef-events-log-exporter-cplogexport-utility

Once done, restart the Log Exporter instance: cp_log_export restart name qradar

QRadar Configuration

My testing revealed that there are two pre-requisites required:

1. Ensure you have the latest QRadar Checkpoint DSM (Device support module)
2. Install IBM QRadar Custom Properties for Checkpoint from the QRadar App Exchange

Lastly, configure a new Checkpoint Log source (Admin -> Log Sources) which matches the settings you defined in your Checkpoint Log Exporter.

QRadar also supports Checkpoint integration via Opsec, but it seems that the Log Exporter is the preferred way for Checkpoint going forward.

Detailed troubleshooting can be found on the IBM Support site.

Migrating policies from a standalone Checkpoint gateway to a new management server

I was recently faced with an interesting scenario.  A customer had a standalone Checkpoint gateway running R80.10 and wanted to migrate to a distributed configuration, with separate management.  I researched how to do this and was surprised with the lack of clear answers.

A lot of the online solutions here either refer to KB's which explicitly state that the KB does not apply to R80.10 that a migrate export should suffice.  In my experience it doesn't, it errors out explicitly stating that: "Database migration between Standalone and Management only machines is not supported".

Below is then the process I used to migrate my policies (firewall, NAT and Threat Prevention).

Requirements:

We'll need the CheckPoint API Python Development Kit:
https://github.com/CheckPointSW/cp_mgmt_api_python_sdk

And the CheckPoint Policy Import and Export tool

https://github.com/CheckPointSW/ExportImportPolicyPackage

Lastly, make sure that your gateway and management servers are on the latest GA Jumbo Hotfix Accumulator.  This will ensure that there are no Python compatibility issues.

Download and Extract both on your Computer, using the d:\CP_Python folder for this example I then end up with this structure:

D:\CP_PYTHON
├───cp_mgmt_api_python_sdk-master
│ ├───examples_python2
│ ├───examples_python3

Now we need to move all files and folders under the d:\CP_PYTHON\cp_mgmt_api_python_sdk-master folder to the d:\CP_PYTHON\cp_mgmt_api_python_sdk folder.

Our folder structure then looks like this:

D:\CP_PYTHON
├───cp_mgmt_api_python_sdk-master
└───ExportImportPolicyPackage-master
├───cp_mgmt_api_python_sdk
│ ├───examples_python2
│ ├───examples_p
│ └───lib
└───ExportImportPolicyPackage-master
├───cp_mgmt_api_python_sdk
├───exporting
└───importing
python3
│ └───lib
├───exporting
└───importing

The next step is to transfer the ExportImportPolicyPackage-master folder to both our source and destination CheckPoints. In this case I've transferred to the /tmp folder on each.

[Expert@source1:0]# pwd
/tmp/ExportImportPolicyPackage-master

Now we execute the actual script, like so:

[Expert@source1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/import_export_package.py

An interactive menu system will appear, from here make sure to specify:
- Output filename
- Layer to be exported
- Whether you want to export Threat-Prevention Layers

If you just specified a filename, your export can be found under the /tmp/ExportImportPolicyPackage-master/ folder. Now transfer this file to your destination management server.

In this instance I've transferred it to my /tmp folder.  If this is a new management server, I always delete the built-in Standard Layer, as I've found that the NAT rules import is a bit all over the show otherwise.

This you do under Security Policies -> Manage Policies -> Manage policies and Layers. Delete and publish your changes.

On the destination gateway we now execute the script, just like we did on the source:

[Expert@dest1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/import_export_package.py

Once again, an interactive menu system will appear, from here make sure to specify:
- Import a Package

- Enter user credentials manually

- Specify custom name for imported package (I use Standard, remember to delete the built-in as per above)

- Run

The script will now:

- Create a Policy Package

- Import services

- Import objects

- Import access-layers

- Import access-rules

- Import NAT rules

- Import threat-layers

- Import network

- Import hosts

- Import threat-profiles

- Import groups

If you connect to the management server with SmartConsole, you should see all the above reflected.

Protecting against a ransomware attack

 

Wikipedia describes ransomware as “a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it.” 

In Layman's terms, it denies you access to your own files until you pay the ransomware creators to unlock your files. This extortion method has proven to be very profitable, with CryptoLocker and CryptoWall netting their creators U$3 million and US$17 million respectively.

Ransomware attacks are typically carried out by a Trojan, where the user is tricked into opening a seemingly legitimate attachment or document. Once activated, the ransomware will spread by exploiting vulnerabilities on the target systems. Once a system has been compromised and the files encrypted the victim will be issued with instructions on how to unlock the files - unlocking methods invariably involves paying the ransomware creators via hard-to-trace channels such as Bitcoin.

Whilst the result of a ransomware attack may be devastating, there are a lot of measures that one can take to protect your organisation. I will give a brief overview of these methods below. Do note that attacks, and indeed defense mechanisms, are constantly evolving. Thus the measures below are in no way exhaustive, but should be seen as a very strong baseline to work from.

 

Secure your perimeter

Your first line of defense is crucial. As such you need to make sure that a Unified Threat Management (UTM) firewall is part of your perimeter security solution. This will allow you to activate measures such as Anti-Virus and Malware scanning as well as Intrusion Detection and Prevention Systems (IDS / IPS). A UTM firewall will also allow you to configure outbound filtering, which will prevent any "phone-home" communication between a compromised system and its command-and-control servers.

 

Secure your E-Mail

E-Mail is one of the most prevalent attack vectors, so it just makes sense to invest significant effort to secure it. Start off by enable strong spam filters to prevent phishing and other similar forms of attack from reaching your users. You should furthermore look at implementing methods to authenticate inbound mail, these include technologies such as Domain Message Authentication Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). All these technologies complement each other and works together to detect and prevent mail spoofing. Of course you also need to make sure you are scanning all mails for viruses and, last but not least, filter all executable and "bad" file types.

 

Patch Management

Most ransomware propagates by exploiting Operating System Vulnerabilities. Point in case is the WannaCry variant which utilizes the EternalBlue exploit, which was actually patched by Microsoft two months before the first attacks hit. This clearly demonstrates the value of patching. Ensure you have a proper patch management strategy in place and that systems are patched timeously.

 

Endpoint Anti-Virus

This goes without saying - always ensure that your anti-virus (AV) solution is up to date and that real-time scanning is enabled. Apart from that you'll also need to configure it to perform regular scheduled scans. Most AV solutions now also include heuristic technologies, which allows it to detect and remove threats for which there are no signatures yet, make sure you utilize this. Lastly, ensure that the endpoint's firewall is activated if provided as part of your AV solution.

 

Implement Least Privilege

Limit the use of administrative privileges to a minimum and also make sure that User Access Control (UAC) is activated. The principle of Least Privilege should also be applied when granting users access to network resources. Only give write permissions to users that absolutely need those permissions. Default to read only permissions when possible. You should also regularly audit your file shares and review the needed permissions for each share. Ransomware will typically enumerate all network resources an infected system has access to and then encrypt those resources. You can significantly reduce the impact of Ransomware by limiting user access to network resources and just granting them access to what they actually need.

 

Block file execution from certain paths

Ransomware generally executes from temporary folders located in Windows AppData folders. To protect against this you should configure a Software Restriction Policy to prevent executable files from running out of the %APPDATA% location. A much more exhaustive list can be obtained here.

 

Implement Geo-Blocking and blocking of known bad IP addresses

If possible for your organisation you should configure your perimeter firewall to block traffic to "at-risk" countries if you do not do business in these countries. For example a large percentage of Ransomware variants rely on communication with Russian IP blocks to function and spread. Protection mechanisms such as these are admittedly crude, but can be surprisingly effective. Furthermore if your perimeter solution allows you to do so, you should explicitly block all traffic to known bad IP addresses.

 

Application Whitelisting

Application whitelisting is perhaps the most effective method of protecting against ransomware attacks. The flip side is that it also typically takes the most effort and resources in terms of testing, implementing and maintaining.  There are various solutions available to implement application whitelisting, but as a start you should consider the AppLocker and Software Restriction Policies native to Windows.

 

Disable MS Office Macros

Many variants of Ransomware leverage Macros to propagate. If possible you should disable this functionality within Office documents, or at the very minimum for documents received via mail and downloaded from the Internet. Alternatively you can make use of the Office File Viewer to view these untrusted documents.

 

Enable Filescreen

Windows FileScreen was a popular method to detect ransomware infections, however its functionality has been greatly reduced because of new ransomware variants randomizing file extensions. It might still add value in your organisation and assist with alerting and tracing the origin of a ransomware outbreak. A fairly comprehensive list of file extensions can be found here.

 

Enable Logging (SIEM)

A proper logging solution will be invaluable in tracing the origin of a ransomware outbreak. The value in a SIEM solution is that you will be able to correlate the logs of a multitude of different devices to find out how the attack happened. This in turn will allow you to take measure to prevent a re-occurrence. A properly configured SIEM solution will also act as an efficient early-warning system, which will allow you to limit the spread and fallout of a ransomware infection should you be compromised.

 

Backups

If all else fails your backups will be what stands between you and disaster. Back up your data regularly, as per your organisation's Recovery Point Objective's (RPO). Verify the integrity of those backups and test the restoration process regularly to ensure it is working. You also need to secure your backups, or at the very least take them offline so that it cannot be affected by the same ransomware you are trying to protect against.

Configuring FortiGate IPS to block WannaCry ransomware

I’ll split this up in two scenarios – the first being where there is no IPS being done yet and you just want to block WannaCry, and the second being where you already have IPS measures in place protecting to your clients

No IPS in place yet

1. Create an IPS protection profile containing the MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution signature
   
2. Ensure that the protection profile is set to Block
   
3. Apply the IPS signature to all policies governing your intra-VLAN traffic

Adding the WannaCry signature to your existing client targeting IPS profile

The target type for this signature unfortunately has the target type Server, even though client OS’s are also being targeted.  This means you’ll have to manually add it to your client-targeting IPS profile.

Another point to note is that it is listed as a Rate-based signature, so ensure that your signature has a threshold of zero.

Here is more information about the relevant signature from Fortinet: https://fortiguard.com/encyclopedia/ips/43796