As the first “hyperscale” network security solution, Check Point Maestro makes it easy for organisations to scale continuously and dynamically. It enables a single gateway to expand capacity and performance to up to 52 gateways in minutes to support 5G networks’ high data rates.
In this post, we’ll show you how to make the most of Check Point Maestro by automating health checks and ensuring High Availability readiness. We’ll also show you how to alert your team to misconfigurations and forgotten maintenance tasks so you can avoid outages.
What is Security Infrastructure Automation?
Firewalls are a critical component of your organisation’s security program, but the bulk of the work begins once they are purchased. Maximising the value of these devices requires a heavy investment of time and resources. To start with, Check Point training with Pentesec can help you maximise your investment. Beyond training, you have to configure the devices, keep those configurations optimised, and apply patches and updates regularly. You also have to monitor them 24/7 so they provide real-time protection of your network and data. Alternatively, you can use a Firewall Managed Service to increase their efficiency and reduce overheads.
Without automation, your IT operations teams would spend countless hours ensuring that correct configurations are deployed and synchronised consistently across multiple devices. You would spend countless hours gathering diagnostics and device data to keep firewalls up and running.
In reality, there are many daily monotonous tasks relating to lifecycle operations that you can automate. At Indeni, we define security infrastructure automation as tools that automate the visibility, troubleshooting, reporting and maintenance of virtual and physical security devices. With automation, you can lower your operation costs, avoid downtime, reduce human error and improve compliance with configuration policies.
What does Indeni automate?
Indeni automatically detects issues relating to firewalls and tells you how to remediate them. Think of Indeni as a virtual security expert that can expand team skills and is on duty 24/7. You can gain Check Point-specific knowledge from the descriptions and recommended remediations built from real-world experience of certified security experts. Common issues typically stem from hidden configuration skew, forgotten maintenance, or a combination of lack of adherence to vendor, industry and High Availability best practices.
Indeni has automated Check Point best practices to prevent costly disruptions and keep the enterprise network safe at all times. Our automation covers a variety of use cases:
Health Checks Automation
To avoid downtime and outages, Indeni’s security infrastructure automation platform continuously evaluates critical resources and assesses device health by comparing the expected configuration and state of each device against its current status. Examples of the conditions it detects:
- OSPF neighbors down
- Missing OSPF routes detected
- VPN tunnels down
- Certificate authority not accessible
- CPU soft lockup
- Fake Tx hang errors detected
- High ARP cache usage
- High destination cache usage
- Static ARP table lost
- Inode utilization is reaching capacity
- Integration with identity/AAA server down
- Many unsuccessful LDAP queries identified
- NAT connection limit nearing
- Next hop inaccessible
- Pnote down
High Availability Readiness
To prevent a single point of failure on your network, firewalls are typically deployed in pairs with their configuration synchronized, so that in the event of a failure the backup can take over. One of the common causes of a failed switchover is a configuration mismatch between the active and the standby device. Indeni’s security infrastructure automation platform proactively automates the tasks that ensure seamless failover when a firewall fails, checking active and standby devices for mismatches such as:
- Static routing tables
- Network interface IPv4 subnet, MTU size, speed
- Connection networks
- Features enabled
- CoreXL cores enabled
- ClusterXL CCP mode
- SecureXL configuration
- Domain names, NTP servers configured
- OS software version
- Hotfixes installed
- RADIUS/TACACS servers used
- Policy
- PBR rules
- Critical configuration files
Organization Standards Enforcement
Making configuration changes manually is fraught with the risk of errors that can result in network downtime. To address this potential issue, our security infrastructure automation platform continuously compares device configuration against the locally-defined “golden configuration” to maintain device integrity.
- Core dumping enablement does not match requirement
- Listening ports do not match requirement
- RADIUS servers configured do not match requirement
- SNMP trap receiver servers configured do not match requirement
- Users defined do not match requirement
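Both the High Availability readiness checks and the golden-configuration checks above come down to the same operation: normalise a snapshot of each device's settings and diff it against a reference, where the reference is either the peer cluster member or the site's required configuration. The following is an added illustration of that logic in Python; it is not Indeni's code, and the snapshot layout, the golden-configuration schema and every address, version and hotfix name in it are constructed for the example. It goes slightly beyond the text in one respect: interface addresses are compared by subnet rather than by exact address, because the two members legitimately carry different member IPs on the same network.

```python
# Added example, not Indeni's or Check Point's code. Snapshot layout, golden
# schema and all values are constructed assumptions; a real tool would build
# the snapshots from each gateway's CLI or management API.
import ipaddress

# Keys whose values are collections where only membership matters, not order.
ORDER_INSENSITIVE = {
    "hotfixes", "ntp_servers", "radius_servers", "static_routes",
    "listening_ports", "users", "snmp_trap_receivers",
}

# Constructed snapshot of the active cluster member.
ACTIVE = {
    "os_version": "R81.10",
    "hotfixes": ["Take_66", "Take_79"],
    "corexl_cores": 8,
    "ccp_mode": "unicast",
    "ntp_servers": ["10.0.0.5", "10.0.0.6"],
    "radius_servers": ["10.0.1.10"],
    "snmp_trap_receivers": ["10.0.2.20"],
    "static_routes": ["10.10.0.0/16 via 192.0.2.1", "10.20.0.0/16 via 192.0.2.1"],
    "interfaces": {
        "eth0": {"ipv4": "192.0.2.10/24", "mtu": 1500, "speed": "10G"},
        "eth1": {"ipv4": "198.51.100.10/24", "mtu": 9000, "speed": "10G"},
    },
    "listening_ports": [22, 443, 18191],
    "users": ["admin", "monitor"],
    "core_dumps_enabled": True,
}

# Constructed standby snapshot: its own member addresses on the same subnets,
# but a missing hotfix, a missing route, a wrong MTU on eth1, an extra user,
# Telnet listening and core dumps disabled.
STANDBY = {
    "os_version": "R81.10",
    "hotfixes": ["Take_66"],
    "corexl_cores": 8,
    "ccp_mode": "unicast",
    "ntp_servers": ["10.0.0.6", "10.0.0.5"],
    "radius_servers": ["10.0.1.10"],
    "snmp_trap_receivers": ["10.0.2.20"],
    "static_routes": ["10.10.0.0/16 via 192.0.2.1"],
    "interfaces": {
        "eth0": {"ipv4": "192.0.2.11/24", "mtu": 1500, "speed": "10G"},
        "eth1": {"ipv4": "198.51.100.11/24", "mtu": 1500, "speed": "10G"},
    },
    "listening_ports": [22, 23, 443, 18191],
    "users": ["admin", "monitor", "tmpuser"],
    "core_dumps_enabled": False,
}

# Constructed "golden configuration": what every gateway at this site must run.
GOLDEN = {
    "listening_ports": {22, 443, 18191},
    "radius_servers": {"10.0.1.10"},
    "snmp_trap_receivers": {"10.0.2.20"},
    "users": {"admin", "monitor"},
    "core_dumps_enabled": True,
}


def normalise(key, value):
    """Canonicalise a value so that equivalent settings compare equal."""
    if key in ORDER_INSENSITIVE and isinstance(value, list):
        return sorted(str(v) for v in value)
    if key == "ipv4":
        # Members differ in address by design; only the subnet must match.
        return str(ipaddress.ip_interface(value).network)
    return value


def find_ha_mismatches(active, standby, path=""):
    """Return (setting, active_value, standby_value) for each setting that differs."""
    mismatches = []
    for key in sorted(set(active) | set(standby)):
        name = f"{path}{key}"
        if key not in active or key not in standby:
            mismatches.append((name, active.get(key), standby.get(key)))
            continue
        a, s = active[key], standby[key]
        if isinstance(a, dict) and isinstance(s, dict):
            mismatches.extend(find_ha_mismatches(a, s, name + "."))
        elif normalise(key, a) != normalise(key, s):
            mismatches.append((name, a, s))
    return mismatches


def find_golden_violations(device, golden):
    """Set-valued requirements report unexpected/missing members; scalars report actual/required."""
    violations = {}
    for key, required in golden.items():
        actual = device.get(key)
        if isinstance(required, set):
            present = set(actual or [])
            if present != required:
                violations[key] = {"unexpected": sorted(present - required),
                                   "missing": sorted(required - present)}
        elif actual != required:
            violations[key] = {"actual": actual, "required": required}
    return violations


if __name__ == "__main__":
    for name, a, s in find_ha_mismatches(ACTIVE, STANDBY):
        print(f"HA mismatch: {name}: active={a!r} standby={s!r}")
    for member, snapshot in (("active", ACTIVE), ("standby", STANDBY)):
        for key, detail in find_golden_violations(snapshot, GOLDEN).items():
            print(f"Golden violation on {member}: {key}: {detail}")
```

Run as a script it prints the six active/standby mismatches (core dumps, hotfixes, the eth1 MTU, listening ports, static routes, users) and the three golden-configuration violations on the standby. The normalisation step is what keeps such a check useful in practice: without it, order-insensitive settings like NTP server lists and per-member interface addresses produce noise that trains operators to ignore the alerts.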
Best Practices Validation
You can strengthen your security by implementing best practices. Our security infrastructure automation platform continuously assesses devices for alignment with configuration recommendations from vendors and seasoned practitioners, such as:
- Aggressive aging enabled
- Debug mode enabled
- Firewall has more than one sync interface defined
- Host missing from hosts file
- In CoreXL a single core shouldn’t handle both interface interrupts and an fw worker
- Routes defined in clish/WebUI are missing
- Cluster has preemption enabled
- UID for running user is not 0
- RADIUS server UID is not 0
- Errors found in $FWDIR/conf/ipassignment.conf
Security Compliance & Audits
To ensure your organisation is maintaining regulatory compliance, our security infrastructure automation platform consistently measures device configuration skew against security risks and industry recommendations.
- Many unsuccessful logins attempted
- Repeated failed login attempts by a user
- Communication issues with certain log servers
- Configuration mismatch compliance check
- Device is logging locally
- LDAP fingerprint not trusted
- Syslog servers config needed
- SNMPv2c/v1 used
- Telnet is enabled
Maintenance Tasks Automation
Indeni automates the often-forgotten, repetitive and labour-intensive maintenance tasks that lead to outages when missed, such as:
- Software end of support nearing
- License expiration nearing
- Contract expiration nearing
Next Steps
The above is just a sample list of Auto-Detect Elements. We have built hundreds of them for Check Point Maestro. For a complete list, visit this blog post to download the list of Maestro Auto-Detect Elements.
To learn more about our support for Check Point Maestro, we invite you to watch this on-demand webinar. Our support includes Maestro Orchestrator, Maestro secure gateways (appliances) and Maestro VSX secure gateways.
If you can’t find the Auto-Detect Element you’re looking for, you can always contact your account manager. If you are new to Indeni, you are welcome to try our automation capabilities in your own environment. For more information about Indeni support for Check Point, visit our Check Point Product page.
About the Author
Ulrica de Fort-Menares is the Vice President of Product and Strategy at Indeni. Ulrica is responsible for the strategy, partnerships and execution of the Indeni product portfolio. With over 30 years of experience in the high tech industry, she has held various leadership positions in product management, software development and network engineering. She is the holder of 7 patents in networking technologies.