Infrastructure Automation with Indeni 7.6
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.
Check Point Device Hardening
Device hardening is a necessary step to ensure your security devices do not expose weaknesses that attackers can exploit. In 7.6.1, we added new Auto-Detect Elements (ADEs) to harden Check Point firewalls. These checks apply to Check Point GAiA devices as well as Maestro devices.
- Check for strong passwords:
  - Ensure minimum password length is set to a user-defined length.
  - Ensure the password contains a combination of uppercase and lowercase letters, numbers and special characters.
  - Ensure password complexity is set to 3.
- Close inactive SSH sessions automatically. Ensure a timeout for automatic disconnection for inactive sessions is set. The wait time is >0 and <10 minutes by default. The timeout value is user configurable.
- Ensure “Login Banner” is set to prohibit unauthorized access.
- Ensure remote management is using SSH v2 and not SSH v1.
- Ensure that local admin user accounts cannot be locked out, by checking that the CLI accounts are not blocked under any circumstances.
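
The password, idle-timeout and banner checks from the list above can be approximated offline against a saved configuration dump. The following is an added example, not Indeni's ADE code: it assumes the settings appear as Gaia clish-style `set ...` lines, and the sample configuration, the function names and the default minimum length of 8 are constructed for illustration.

```python
import re

# Constructed sample in the style of Gaia clish `show configuration` output (assumed syntax).
SAMPLE_CONFIG = """\
set password-controls min-password-length 6
set password-controls complexity 2
set inactivity-timeout 30
set message banner off
"""

# Check name -> regex capturing the configured value.
PATTERNS = {
    "min_length": r"^set password-controls min-password-length (\d+)\s*$",
    "complexity": r"^set password-controls complexity (\d+)\s*$",
    "idle_timeout": r"^set inactivity-timeout (\d+)\s*$",
    "banner": r"^set message banner (on|off)\b",
}

def parse(config_text):
    """Return {check name: value}; the last occurrence of a setting wins."""
    found = {}
    for name, pattern in PATTERNS.items():
        for m in re.finditer(pattern, config_text, re.MULTILINE):
            found[name] = m.group(1)
    return found

def audit(config_text, min_length=8, max_idle_minutes=10):
    """Return sorted names of failed checks. A missing setting fails its check."""
    cfg = parse(config_text)
    failed = set()
    # min_length is user-defined; 8 is only this example's default.
    if "min_length" not in cfg or int(cfg["min_length"]) < min_length:
        failed.add("min_length")
    if cfg.get("complexity") != "3":
        failed.add("complexity")
    # Default window from the list above: greater than 0 and less than 10 minutes.
    idle = int(cfg.get("idle_timeout", 0))
    if not 0 < idle < max_idle_minutes:
        failed.add("idle_timeout")
    if cfg.get("banner") != "on":
        failed.add("banner")
    return sorted(failed)

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG):
        print("FAIL:", name)
```

The SSH protocol version and admin lockout checks are left out because the page does not say which settings they read.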

SecureXL Disabled Enhancements
Prior to 7.6, Indeni only collected the global status of SecureXL and alerted based on enable/disable status. In 7.6, Indeni will alert if SecureXL is disabled by the firewall as a result of certain conditions.
Three new ADEs were added to collect the state of the three SecureXL templates used to accelerate connections: Accept, Drop and NAT. Indeni will alert if any one of these templates is disabled.

These templates are available in version R80.10 and later. The new rules are only applicable to Check Point GAiA devices.
Other New Auto-Detect Elements
- Check Point Lights Out Management (LOM)
  - New ADE to collect the TLS version, IP address and firmware information. Indeni will alert if the LOM interface was configured with default values.
- Extended the support of the “configuration mismatch” rule to Palo Alto Networks devices.
Next Steps
To see a complete list of features and bug fixes, refer to the release notes page on our website. You can download the latest list of Auto-Detect Elements for Maestro here. As always, if you have questions or comments, we’re here to help.
The article describes Indeni's Check Point device hardening additions in the 7.6.1 release, introducing new Auto-Detect Elements (ADEs) to improve security posture for Check Point GAiA and Maestro devices. It outlines specific checks such as enforcing strong password policies, automatic SSH session timeouts, SSH v2 enforcement, login banners, protection of local CLI admin accounts, and enhanced SecureXL template state monitoring to detect disabled Accept, Drop, and NAT templates. The update also adds LOM (Lights Out Management) TLS, IP, and firmware collection with alerts for default configurations and extends a configuration-mismatch rule to Palo Alto Networks devices, with links to release notes and ADE downloads for further details.
What new password and session controls were added in Indeni 7.6.1 for Check Point devices?
Indeni 7.6.1 added ADE checks that enforce strong password settings and session controls on Check Point GAiA and Maestro devices. The checks ensure a user-defined minimum password length and require password complexity with a mix of uppercase, lowercase, numbers, and special characters (complexity set to 3). It also enforces automatic disconnection of inactive SSH sessions with a configurable timeout (>0 and
How does the 7.6.1 update improve monitoring of SecureXL on Check Point devices?
Prior to 7.6, Indeni only captured the global enabled/disabled state of SecureXL. In 7.6, Indeni enhances visibility by alerting when SecureXL is disabled due to certain firewall conditions and by introducing three ADEs to collect the state of the SecureXL templates that accelerate connections: Accept, Drop, and NAT. If any of these templates are disabled, Indeni will generate an alert. These template-level checks are available for devices running R80.10 and later and apply to Check Point GAiA devices.
What other device checks and platform support changes were included in this release?
The release added a new ADE for Check Point Lights Out Management (LOM) that collects TLS version, IP address, and firmware information and will alert if the LOM interface retains default configuration values. Additionally, Indeni extended its existing “configuration mismatch” rule to include Palo Alto Networks devices, broadening cross-vendor configuration monitoring. The article directs readers to the release notes and provides a download link for the latest ADE list for Maestro for a complete list of features and fixes.