Compliance Software Blade

Compliance Blade: be safe or be green

What you need to know about the Check Point Compliance Software Blade.


Requirements checked

Only requirements related to the blades currently in use are checked. Why? This leads us to a wrong assumption: that everything is fine.

Demo mode
624 Regulatory requirements:

  • DSD - 14 requirements
  • HIPAA - 16
  • ISO 27001 - 27
  • ISO 27002 - 198
  • NIST 800-41 - 22
  • PCI DSS - 56


Real appliance*
392 Regulatory requirements (232 less):

  • DSD - 7 requirements (7 less)
  • HIPAA - 14 (2 less)
  • ISO 27001 - 23 (4 less)
  • ISO 27002 - 167 (31 less)
  • NIST 800-41 - 21 (1 less)
  • PCI DSS - 48 (8 less)


Real appliance compliance*

  • DSD - 84%
  • HIPAA - 77%
  • ISO 27001 - 87%
  • ISO 27002 - 89%
  • NIST 800-41 - 82%
  • PCI DSS - 83%

Security status: High. So everything is fine. I am secure, yupi :) See note below.

* - Virtual Appliance with Firewall, VPN, AI blades.
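
One way to put the reported percentages in context, as an added example that is not part of the original post or of Check Point's tooling: weight each reported score by the share of the demo-mode requirements that was actually assessed on the real appliance. Counting unassessed requirements as unverified is an assumption of this example; the inputs are the per-regulation figures listed above.

```python
"""Added example: weight the reported compliance scores by requirement coverage."""
from dataclasses import dataclass

# Per-regulation figures as listed on this page:
# (requirements in demo mode, requirements assessed on the real appliance, reported %)
PAGE_FIGURES = {
    "DSD": (14, 7, 84),
    "HIPAA": (16, 14, 77),
    "ISO 27001": (27, 23, 87),
    "ISO 27002": (198, 167, 89),
    "NIST 800-41": (22, 21, 82),
    "PCI DSS": (56, 48, 83),
}


@dataclass
class Adjusted:
    regulation: str
    excluded: int        # requirements dropped because the blade is not enabled
    coverage_pct: float  # share of the demo-mode requirement set that was assessed
    reported_pct: int    # score shown by the Compliance blade
    verified_pct: float  # assumption: unassessed requirements count as unverified


def adjust(figures):
    """Return one row per regulation, lowest verified score first."""
    rows = []
    for name, (full, assessed, reported) in figures.items():
        if not 0 < assessed <= full or not 0 <= reported <= 100:
            raise ValueError(f"inconsistent figures for {name}")
        coverage = assessed / full
        rows.append(Adjusted(name, full - assessed, round(100 * coverage, 1),
                             reported, round(reported * coverage, 1)))
    return sorted(rows, key=lambda r: r.verified_pct)


def low_coverage(rows, min_coverage_pct=90.0):
    """Regulations whose score rests on less than min_coverage_pct of the full set."""
    return [r.regulation for r in rows if r.coverage_pct < min_coverage_pct]


if __name__ == "__main__":
    rows = adjust(PAGE_FIGURES)
    for r in rows:
        print(f"{r.regulation:<12} reported {r.reported_pct:>3}%  "
              f"coverage {r.coverage_pct:>5}%  verified {r.verified_pct:>5}%  "
              f"({r.excluded} not assessed)")
    print("Low coverage:", ", ".join(low_coverage(rows)))
```

The 90% coverage threshold is an arbitrary value chosen for the example; pick one that matches how much of a regulation you expect the enabled blades to cover.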


Relevant Security Best Practices*

Requirement: "Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic at perimeter of cardholder data environment as well as at critical point inside of the cardholder environment, and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines, baselines, and signatures up-to-date [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.4]"
Relevant Security Best Practices:

  • FW170: Check that replay checks are enabled in Check Point Database tool
  • FW171: Check that all audit trails include date, time and user identification

Requirement: "Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software or programs: 5.1.1]"
Relevant Security Best Practices:

  • FW102: Check that Anti-spoofing has been activated on each Gateway
  • FW103: Check that Anti-spoofing is set to Prevent on each Gateway
  • FW104: Check that Extended cluster Anti-Spoofing has been enabled

And that's all? Nothing about AV and IPS? Without the blades, the relevant security best practices look strange.


"Stupid" requirements

Some requirements look to have been added only to increase the number of requirements:

  • Enable NAT in the Firewall settings (hmmm use NAT :) )
  • Check that 'Clean up Rule' is Defined in Firewall Rule Base (There is no explicit deny rule at the end?)

Will search for more.

Requirements duplication

Some requirements are duplicated only to increase the number of requirements:

  • Check that the HTTPS Validation on the URL Filtering blade drops traffic from servers with Untrusted Server Certificates
  • Check that the HTTPS Validation on the URL Filtering blade drops traffic from servers with Revoked Server Certificates
  • Check that the HTTPS Validation on the URL Filtering blade drops traffic from servers with Expired Server Certificates
  • and the same thing for Application Control


  • Check that the Hit count is enabled for all Gateways (via Global Properties)
  • Check the Hit Count data configuration
  • Check that the Hit count is enabled for all Gateways (via Gateway's Properties)


  • This checks that in the event that firewall logs are being deleted, the field 'Run the following script before deleting log files' is selected and that a script is documented.
  • This checks that alerts are enabled on each Gateway to notify the user regarding the availability of disk space for the Firewall logs.
  • This checks on each Gateway that if the available space for Firewall logs reaches either 25% or 20 Mb, then an alert will be issued
  • This checks that an alert type has been defined for available disk space for the Firewall logs
  • This checks that in the event that there is no more room to store Firewall logs, older logs will be deleted to ensure continuous logging. Note that we recommend a script to be run to copy the Firewall logs prior to deletion.
  • This checks each Gateway that Firewall logs are only deleted when the available disk space reaches a minimum level of 15% or 45 Mb. Note that we recommend a script to be run to copy the Firewall logs prior to deletion.


In my opinion, each of these groups of requirements can be combined into one requirement.