Infrastructure Automation with Indeni 7.6

Check Point Device Hardening 

Device hardening is a necessary step to ensure your security devices do not have loopholes that attackers can exploit. In 7.6.1, we added new Auto-Detect Elements (ADEs) to harden Check Point firewalls. These checks apply to Check Point GAiA devices as well as Maestro devices.

  1. Check for strong passwords.
    • Ensure the minimum password length is set to a user-defined length.
    • Ensure the password contains a combination of uppercase and lowercase letters, numbers and special characters.
  2. Ensure password complexity is set to 3.
  3. Close inactive SSH sessions automatically. Ensure a timeout for automatic disconnection of inactive sessions is set. The wait time is >0 and <10 minutes by default. The timeout value is user configurable.
  4. Ensure “Login Banner” is set to prohibit unauthorized access.
  5. Ensure remote management is using SSH v2 and not SSH v1.
  6. Ensure local admin user accounts cannot be locked out, by checking that the CLI accounts are not blocked under any circumstances.
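As an added illustration (not Indeni's ADE code and not part of the original post), the script below runs five of these checks over a saved Gaia configuration and returns the ones that fail. The `set ...` line formats and both sample configurations are assumptions constructed for the example and should be confirmed against your Gaia version; the SSH protocol check is left out because it is not part of that output.

```python
import re

# Constructed sample resembling Gaia clish "show configuration" output
# (assumed line formats, not taken from the original post).
SAMPLE_CONFIG = """\
set password-controls min-password-length 6
set password-controls complexity 2
set inactivity-timeout 10
set message banner off
set password-controls deny-on-fail enable on
set password-controls deny-on-fail block-admin on
"""

def _setting(config, key):
    """Return the first token after 'set <key> ' on the last matching line, or None."""
    hits = re.findall(rf"^set {re.escape(key)} (\S+)", config, flags=re.M)
    return hits[-1] if hits else None

def _as_int(value):
    """Convert a setting to int; None when the setting is missing or not numeric."""
    return int(value) if value is not None and value.isdigit() else None

def audit(config, min_length=8, max_idle_minutes=10):
    """Return the names of hardening checks that fail.

    A setting that is absent from the configuration counts as a failure,
    because the check cannot be confirmed. min_length and max_idle_minutes
    are the user-defined thresholds (hypothetical parameter names).
    """
    length = _as_int(_setting(config, "password-controls min-password-length"))
    complexity = _as_int(_setting(config, "password-controls complexity"))
    idle = _as_int(_setting(config, "inactivity-timeout"))
    checks = {
        "min-password-length": length is not None and length >= min_length,
        "password-complexity": complexity == 3,
        # Timeout must be set, greater than 0 and below the limit.
        "inactivity-timeout": idle is not None and 0 < idle < max_idle_minutes,
        "login-banner": _setting(config, "message banner") == "on",
        # Admin accounts must not be subject to failed-login lockout.
        "admin-lockout": _setting(config, "password-controls deny-on-fail block-admin") == "off",
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    for failed in audit(SAMPLE_CONFIG):
        print("FAIL:", failed)
```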

SecureXL Disabled Enhancements

Prior to 7.6, Indeni only collected the global status of SecureXL and alerted based on enable/disable status. In 7.6, Indeni will alert if SecureXL is disabled by the firewall as a result of certain conditions. 

Three new ADEs were added to collect the state of the three SecureXL templates used to accelerate connections: Accept, Drop and NAT. Indeni will alert if any one of these templates is disabled.

These templates are available in version R80.10 and later. The new rules are only applicable to Check Point GAiA devices.

Other New Auto-Detect Elements

  1. Check Point Lights Out Management (LOM)
    • New ADE to collect the TLS version, IP address and firmware information. Indeni will alert if the LOM interface was configured with default values.
  2. Extended the support of the “configuration mismatch” rule to Palo Alto Networks devices.

Next Steps

To see a complete list of features and bug fixes, refer to the release notes page on our website. You can download the latest list of Auto-Detect Elements for Maestro here. As always, if you have questions or comments, we’re here to help. 



Ulrica de Fort-Menares is the Vice President of Product Management for Infrastructure Assurance.
