# Check Point R81 / R81.20 Hardened Baseline

> Reference configuration for a production Check Point gateway cluster running R81.20 or R82. Includes Gaia system hardening, VSX design notes, policy structure, threat prevention profile, logging, and upgrade hygiene. CLI + SmartConsole snippets. MIT licensed.

**Target:** an enterprise perimeter cluster (dual-node ClusterXL) behind a redundant pair of ISP routers, fronting a DMZ and internal networks. Management via a dedicated MDM or SMS server.

**Placeholders** to replace:
- `{{GW_NAME}}` — `cp-fw-hq-01`, `cp-fw-hq-02`
- `{{CLUSTER_NAME}}` — `cp-cl-hq-01`
- `{{CLUSTER_VIP}}` — `10.1.0.1`
- `{{MGMT_IP}}` — management interface IP
- `{{DOMAIN}}` — `example.internal`
- `{{NTP_1}}` `{{NTP_2}}` — time servers
- `{{SYSLOG}}` — SIEM receiver
- `{{TACACS_IP}}` — AAA server
- `{{EXT_IF}}` `{{INT_IF}}` `{{DMZ_IF}}` — interface names

---

## 0. Pack contents

| Section | What it covers |
|---|---|
| 1 | Gaia OS hardening (CLISH) |
| 2 | ClusterXL setup |
| 3 | Interfaces + routing |
| 4 | Policy package structure |
| 5 | Threat Prevention profile |
| 6 | HTTPS Inspection |
| 7 | Identity Awareness |
| 8 | Logging + audit |
| 9 | Upgrade + hygiene |
| 10 | Backup + recovery |
| 11 | Smoke tests after any change |
| 12 | Anti-patterns worth flagging |

---

## 1. Gaia OS hardening (CLISH)

Run on each gateway after first-time wizard:

```clish
set hostname {{GW_NAME}}
set domainname {{DOMAIN}}

# Timezone + NTP
set timezone Area / Zone Etc / UTC
set ntp server primary {{NTP_1}} version 4
set ntp server secondary {{NTP_2}} version 4
set ntp active on

# DNS
set dns primary 9.9.9.9
set dns secondary 1.1.1.1

# Management access — SSH hardening
set ssh server port 22
set ssh server version 2
# Cipher / MAC / KEX selection is release-specific; follow the Gaia admin guide
# procedure for your version (the defaults still allow some legacy algorithms)

# SNMPv3 only — disable v1/v2c
set snmp mode default
set snmp agent off
set snmp version v3-Only
delete snmp community public
delete snmp community private
add snmp usm user NETMON security-level authPriv auth-pass-phrase REPLACE_AUTH authentication-protocol SHA512 privacy-pass-phrase REPLACE_PRIV privacy-protocol AES256
set snmp agent on

# Logon banner (legal) + message of the day
set message banner on msgvalue "Authorised access only. All activity logged and monitored."
set message motd on msgvalue "System: {{GW_NAME}} | Owner: netops@{{DOMAIN}}"

# Password policy
set password-controls min-password-length 14
set password-controls complexity 3
set password-controls palindrome-check on
set password-controls history-checking on
set password-controls history-length 24
set password-controls password-expiration 90
set password-controls expiration-warning-days 14
# Lock the account after repeated failures; allow-after is in seconds
set password-controls deny-on-fail enable on
set password-controls deny-on-fail failures-allowed 5
set password-controls deny-on-fail allow-after 900

# User accounts (named break-glass admin; never share the built-in admin)
add user secadmin uid 0 homedir /home/secadmin
set user secadmin shell /etc/cli.sh
set user secadmin password-hash $6$REPLACE
add rba user secadmin roles adminRole

# AAA / TACACS+ (individual admin accounts; local accounts stay as fallback when the server is unreachable)
set aaa tacacs-servers state on
add aaa tacacs-servers priority 1 server {{TACACS_IP}} key REPLACE_SECRET

# Audit + syslog
add syslog log-remote-address {{SYSLOG}} level info
set syslog mgmtauditlog on

save config
```

Notes:
- `save config` persists. `save deep` on SMS/MDM.
- Disable the Gaia Portal (WebUI) if it is not needed; otherwise restrict it to ADMIN_NET with Gaia's allowed-client list. From a session inside ADMIN_NET, run `add allowed-client network ipv4-address <ADMIN_NET> mask-length <prefix>` first, then `delete allowed-client host any-host`, so you do not lock yourself out.

---

## 2. ClusterXL setup

Two-node cluster, active/standby preferred unless you have tuned load sharing.

**SmartConsole steps:**
1. Create `Cluster Object` → ClusterXL → High Availability (New Mode).
2. Add both gateway members with their physical interfaces.
3. Sync interface: dedicated physical link, point-to-point, RFC 1918 non-routed range (e.g., `172.23.0.0/30`).
4. Cluster IPs: one per external/internal/DMZ segment, virtual IP shared.
5. Topology: mark sync interface as `Sync`; external as `External`; DMZ/internal as `Internal`.
6. CCP (Cluster Control Protocol): keep as broadcast unless you are multi-site (then `unicast`).
7. Monitored interfaces: all data interfaces + sync.

**Critical CLI checks:**
```shell
cphaprob state             # expect Active / Standby
cphaprob -a if             # all monitored interfaces UP
cphaprob list              # pnote list: no problem devices in a failed state
fw ctl pstat               # kernel memory + connection table stats
```

---

## 3. Interfaces + routing

### Interface design

| Role | Interface | IP | Comment |
|---|---|---|---|
| External (ISP) | {{EXT_IF}} | per member + cluster VIP | BGP/static to ISP routers |
| Internal | {{INT_IF}} | per member + VIP | Campus core |
| DMZ | {{DMZ_IF}} | per member + VIP | Published services |
| Sync | sync | 172.23.0.1 / 172.23.0.2 | P2P, no default GW |
| Management | Mgmt | {{MGMT_IP}} | Out-of-band |

Jumbo frames on sync only (9000 MTU). All data interfaces keep 1500 unless end-to-end jumbo is validated.

### Routing

Static defaults are fine for small/medium. For multi-path:

```clish
set static-route default nexthop gateway address <ISP1_GW> priority 1 on
set static-route default nexthop gateway address <ISP2_GW> priority 2 on
```

For BGP (R81.20 supports multi-VRF): configure via CLISH routemap or SmartConsole → Gateway → IPv4 Static Routes / Dynamic Routing.

---

## 4. Security policy package structure

One layer per concern. Avoid the monolithic 5000-rule policy.

```
Policy Package: PP-CORP-PERIMETER
├── Access Control Layer: Network_Control
│   ├── Section: Admin Access
│   │   └── ADMIN_NET → Gateway ClusterVIP → mgmt services : Accept + Log
│   ├── Section: Internal→Internet
│   │   ├── INTERNAL_NET → Any (internet) → http/https/dns : Accept + Log + IPS
│   │   └── INTERNAL_NET → Any → risky_services : Drop + Log
│   ├── Section: DMZ publishing
│   │   └── Any → DMZ_WebServers → http/https : Accept + Log + Threat Prevention
│   ├── Section: DMZ→Internal (minimal)
│   │   └── DMZ_AppServers → INTERNAL_DB → 1433/5432 : Accept + Log
│   ├── Section: Cleanup
│   │   └── Any → Any → Any : Drop + Log + Account
├── Access Control Layer: Identity_Awareness
│   └── Rules matching AD groups to applications
├── Access Control Layer: Application_Control_URL_Filtering
│   └── Block: gambling, malware categories, P2P, cryptomining
├── Threat Prevention Layer
│   └── Profile: TP_Strict_Production (see Section 5)
├── HTTPS Inspection Layer
│   └── Bypass: banking + health categories
```

Naming convention:
- Objects: `OBJ_<type>_<purpose>` e.g. `OBJ_NET_INTERNAL`, `OBJ_SVC_HR_APP`
- Groups: `GRP_<type>_<purpose>` e.g. `GRP_NET_USER_SUBNETS`
- Rules: short, descriptive Section + Name

Rule hygiene targets:
- Every rule has a meaningful name.
- Every rule has Track = Log (Account if throughput-critical).
- Every rule has a ticket reference in Comments.
- No `Any` for services unless explicitly cleanup rule.
- Run `fw ctl zdebug drop` briefly against a test flow after adding a rule to confirm the expected drops; it is a kernel debug, so keep it short on a busy gateway.
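The hygiene targets above are easy to state and hard to keep by eye on a large rule base, so here is an added linter (not part of the baseline pack) that checks them over a rulebase export. Records follow the shape of the Management API `show-access-rulebase` output as an assumption; the sample rulebase and the `CHG-nnnn` ticket format are constructed for the demo.

```python
"""Linter for the Section 4 rule-hygiene targets.

Added example, not part of the baseline pack. Records follow the shape of the
Management API `show-access-rulebase` output (assumed); the sample rulebase
and the CHG-nnnn ticket format are constructed for the demo.
"""
import re

TICKET_RE = re.compile(r"\b[A-Z]{2,}-\d+\b")   # assumed ticket format, e.g. CHG-1234
LOG_TRACKS = {"Log", "Detailed Log", "Extended Log"}

def lint_rule(rule, section):
    """Return hygiene findings for one rule (empty list means clean)."""
    findings = []
    name = rule.get("name", "").strip()
    label = name or f"rule#{rule.get('rule-number')}"
    if not name:
        findings.append(f"{label}: missing name")
    track = rule.get("track", {})
    track_type = track.get("type", {}).get("name", "None")
    # Track = Log, or Account (accounting flag) on throughput-critical rules
    if track_type not in LOG_TRACKS and not track.get("accounting", False):
        findings.append(f"{label}: Track is {track_type}, expected Log")
    if not TICKET_RE.search(rule.get("comments", "")):
        findings.append(f"{label}: no ticket reference in Comments")
    services = {s.get("name") for s in rule.get("service", [])}
    if "Any" in services and section != "Cleanup":
        findings.append(f"{label}: service Any outside the Cleanup section")
    return findings

def lint_rulebase(rulebase):
    """Walk every section and rule; return the combined findings."""
    return [f for sec in rulebase for r in sec.get("rulebase", [])
            for f in lint_rule(r, sec.get("name", ""))]

def _rule(n, name, services, track, comments, accounting=False):
    # constructed helper: minimal rule record in the assumed API shape
    return {"rule-number": n, "name": name, "service": [{"name": s} for s in services],
            "track": {"type": {"name": track}, "accounting": accounting}, "comments": comments}

SAMPLE_RULEBASE = [  # constructed sample drawn from the Section 4 layout
    {"name": "Admin Access", "rulebase": [
        _rule(1, "ADMIN_NET to cluster mgmt", ["ssh", "https"], "Log", "CHG-1001 build")]},
    {"name": "Internal->Internet", "rulebase": [
        _rule(2, "", ["Any"], "None", "temporary allow")]},
    {"name": "Cleanup", "rulebase": [
        _rule(3, "Cleanup rule", ["Any"], "Log", "CHG-1001 cleanup", accounting=True)]},
]
```

Feed it the `rulebase` array from a real export and every finding names the rule and the target it misses; the constructed rule 2 trips all four checks.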

---

## 5. Threat Prevention profile

Enable these blades on the cluster:
- IPS
- Anti-Bot
- Anti-Virus
- Threat Emulation (sandbox)
- Threat Extraction (CDR)

**TP Profile: `TP_Strict_Production`**

| Blade | Setting |
|---|---|
| IPS | Performance Impact: Low/Medium on; High monitor for 30 days then prevent |
| IPS | Confidence: Medium+High = Prevent; Low = Detect |
| Anti-Bot | Prevent known C2; Detect anomalous DNS |
| Anti-Virus | Prevent; Scan HTTP, HTTPS (if inspected), SMTP |
| Threat Emulation | Files: docx, xlsx, pdf, js, vbs, ps1, exe, iso, lnk → Prevent |
| Threat Extraction | Inbound email attachments → convert to PDF |

Update cadence: IPS signatures every 2 hours, Anti-Virus every 30 min, Threat Emulation image every night.

**Exceptions rules:** put in a separate Threat Prevention Layer rule section `TP_Exceptions`. Each exception has ticket + expiry date.

---

## 6. HTTPS Inspection

Enable only if you have the legal + privacy posture sorted.

- CA cert generated on the SMS, deployed to all endpoints via GPO/MDM.
- Inspection bypass for: Banking, Health, Government, Mail categories.
- Bypass additionally for hosts in `BYPASS_HTTPS_HOSTS` alias.
- Protocol versions: TLS 1.2+ only after inspection.
- Weekly review of inspection cert expiry + coverage metrics.

---

## 7. Identity Awareness

- Integrate with AD via `pdp` + Identity Agent or Identity Collector.
- Network login, Captive Portal for BYOD.
- Use AD groups in the rule base (`@GRP_AD_Developers`, `@GRP_AD_Finance`).
- PDP / PEP sizing: enterprise deployments benefit from a dedicated Identity PDP.

---

## 8. Logging + audit

### SmartEvent / Log Exporter

```shell
# Expert mode on the Management / Log Server
cp_log_export add name siem target-server {{SYSLOG}} target-port 514 protocol tcp format leef read-mode semi-unified
cp_log_export restart name siem
cp_log_export show name siem
# Plain TCP/514 is cleartext; cp_log_export can also ship over an encrypted (TLS) target with certificates if the SIEM supports it
```

### Log retention

- Local logs: 7 days hot.
- SIEM: 1 year hot, 7 years cold (regulated) or 3 years (standard).

### Key log events to alert on

- Admin login outside business hours
- Policy install by unexpected user
- TP blade turned off
- Cluster member state change
- HTTPS inspection bypass list change
- Anti-Bot hits from same internal host > 5 in 5 min (likely compromised)
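The last alert above is a threshold over a sliding window, which most SIEMs express differently, so here is an added reference implementation (not part of the baseline pack) over LEEF lines like the ones the exporter in this section emits. The sample lines are constructed and use assumed attribute names (`devTime`, `src`, `action`); map them to the keys your Log Exporter mapping actually produces.

```python
"""Sliding-window detector for the Section 8 alert "Anti-Bot hits from the
same internal host > 5 in 5 min". Added example, not part of the baseline
pack. The LEEF 2.0 lines are constructed and use assumed attribute names
(devTime, src, action); map them to the keys your Log Exporter emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 5   # alert once a host exceeds this many hits inside WINDOW

def parse_leef(line):
    """Parse 'LEEF:2.0|Vendor|Product|Version|EventID|k=v<TAB>k=v' (tab delimiter assumed)."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        return None    # malformed or non-LEEF line
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return {"product": parts[2], "event": parts[4], **attrs}

def antibot_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(src, time)] for each event on which a host's Anti-Bot hit count
    inside the trailing window first crosses the threshold (lines must be in
    time order per host). A host re-alerts only after its count drops back."""
    hits = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_leef(line)
        if not ev or ev["product"] != "Anti-Bot":
            continue
        t = datetime.fromisoformat(ev["devTime"])
        q = hits[ev["src"]]
        q.append(t)
        while t - q[0] > window:      # expire hits older than the window
            q.popleft()
        if len(q) == threshold + 1:   # crossed on this event, not on every later one
            alerts.append((ev["src"], t))
    return alerts

def _leef(product, ts, src):
    # constructed helper to build a sample exporter line
    return (f"LEEF:2.0|Check Point|{product}|R81.20|Detect|"
            f"devTime={ts}\tsrc={src}\tdst=198.51.100.7\taction=Prevent")

SAMPLE_LOGS = (   # constructed: .20 has 6 hits in 5 min, .21 has 6 hits spread over 10 min
    [_leef("Anti-Bot", f"2024-05-01T09:0{m}:00", "10.1.5.20") for m in range(6)]
    + [_leef("Anti-Bot", f"2024-05-01T09:{2 * m:02d}:30", "10.1.5.21") for m in range(6)]
    + [_leef("Anti-Virus", "2024-05-01T09:05:05", "10.1.5.20"), "not a leef line"]
)
```

Only 10.1.5.20 alerts (on its sixth hit); 10.1.5.21 never has more than three hits inside any five-minute window, and the Anti-Virus and malformed lines are ignored.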

---

## 9. Upgrade + hygiene

- Jumbo Hotfix Accumulator (JHF): apply latest "Recommended" quarterly.
- Major version upgrade: plan every ~24 months, test in lab first.
- Pre-upgrade checklist:
  - Backup SMS (`migrate export`), backup gateway (`clish -c "save configuration file.cfg"`).
  - Document running policy + TP profile.
  - Confirm maintenance window has standby ISP if feasible.
  - ClusterXL failover test day before.
- Post-upgrade verification: see "smoke tests" in Section 11.

---

## 10. Backup + recovery

### Daily

- SMS: `migrate export` + compress + SCP off-box.
- Gateway: `clish -c "save configuration /var/log/config-$(date +%F).cfg"`.

### Weekly

- Policy database backup (SMS GUI → Database Revision Control → New Version).
- SIC certificate verification per gateway.

### Monthly

- Full `snapshot` on each gateway (Gaia → System Management → Snapshot Management).
- Validate recovery by mounting snapshot in lab.

### Disaster recovery

- SMS restore time (RTO) target: 2 hours in-region, 4 hours cross-region.
- Policy push lag (RPO) target: 1 hour.

---

## 11. Smoke tests after any change

Fast tests to run after policy install / upgrade / cluster change:

```shell
fw stat                        # policy loaded, age sane
fw ctl pstat | head -30        # kernel memory, connection table
cphaprob state                 # cluster health
cpstat fw -f all | head        # gateway stats
tail -f $FWDIR/log/fw.log      # live log sanity
cplic print                    # licence not expired
tcpdump -ni {{EXT_IF}} host <test-ip> -vv    # confirm the test flow is actually seen on the external interface
```

External probes:
- Passive: `curl -I https://<public-service>` from off-network.
- Active: short synthetic transaction test from monitoring agent.

Internal probes:
- Known-good flow from a user segment to an internal service, verify logged as expected rule.
- Known-bad flow to risky_services, verify drop + log + Track Account count increments.

---

## 12. Anti-patterns worth flagging

- **Any/Any accept "temporarily"** — these outlive the incident by years.
- **Track = None on a production rule** — invisible.
- **Shared admin accounts (e.g. `admin`, `fwadmin`)** — use TACACS+ individual accounts.
- **HTTPS inspection with no privacy / legal review** — fast way to get into hot water.
- **Single ISP, single default gateway** — any outage is a site-down event.
- **SMS on the same server as the SmartEvent DB for large estates** — will grind.
- **Backups to the same datastore as the SMS** — not a backup.

---

## Attribution

Built by **Hak** at **VantagePoint Networks**. Based on Check Point R81.20 / R82 deployments in enterprise + regulated environments. MIT licensed — fork, customise, ship.
