Limitation of Control(s) Scannable Using Non-Expert Mode Shell
Non-expert mode restriction (Gaia Clish):
Because non-expert mode does not allow bash commands such as sed, the configuration output cannot be post-processed.
With the bash shell available in expert mode, the global settings and other rule-related settings can be read directly from files such as ICS.C and objects.C. Non-expert mode, however, exposes only a limited set of commands.
Note: Only some of the controls available in expert mode are supported in non-expert mode.
Qualys does not support the following controls in non-expert mode:
| Control | Statement |
| --- | --- |
| 10316 | Status of the Users with Role based Access setting. |
| 14289 | List of VSX gateways configured in Checkpoint Firewall. |
| 18374 | Status of the user accounts which have the shell other than '/etc/cli.sh'. |
| 22068 | Status of the checkpoint version info. |
The following controls (73) are supported in non-expert mode:

| Control ID | Statement |
| --- | --- |
| 1115 | Status of the 'Dynamic Host Configuration Protocol (DHCP) Server' service |
| 1204 | Status of the ARP timeout |
| 1861 | Status of the 'telnet' service |
| 8539 | Content of the 'Login banner' |
| 8540 | Content of the 'MOTD banner' |
| 8550 | Status of the 'SNMP Trap Server/receivers' setting |
| 8579 | Status of the Syslog Server Host |
| 10254 | Status of the 'Minimum Password Length' configured on the system |
| 10255 | Status of the 'Palindrome Password' setting |
| 10256 | Status of the 'password complexity' setting configured on the system |
| 10257 | Status of the 'Enforce password history' setting |
| 10258 | Status of the 'password history' setting configured on the system |
| 10259 | Status of the 'Maximum Password Age' setting |
| 10260 | Status of the number of days before a password expiration warning prompt is displayed at the login |
| 10261 | Status of the 'Account Lockout after a number of days of password expiration' setting |
| 10262 | Status of the 'Account Lockout' setting |
| 10263 | Status of the 'Account Lockout Threshold' configured on the system |
| 10264 | Status of the 'Reset Account Lockout Counter After' setting |
| 10265 | Status of the 'Deny access to unused accounts' setting |
| 10266 | Status of the 'Number of Days of non-use before lock-out' setting |
| 10267 | Status of the 'Force users to change password at first login after the password was changed from user page' setting |
| 10268 | Status of the SNMP agent |
| 10269 | Status of the SNMP version |
| 10270 | Status of the SNMP community strings |
| 10271 | Status of the SNMP community strings permission |
| 10272 | Status of the SNMP trap notifications |
| 10273 | Status of the SNMP users |
| 10274 | Status of the 'Allowed Client' setting |
| 10275 | Status of the 'AAA Radius-Server' setting |
| 10276 | Status of the 'Network Time Protocol (NTP) Active' setting |
| 10277 | Status of the 'Network Time Protocol (NTP) Server' setting |
| 10278 | Status of the 'Time Zone' setting |
| 10279 | Status of the 'Login Banner' setting |
| 10280 | Status of the 'MOTD Banner' setting |
| 10281 | Status of the Firewall Hostname |
| 10282 | Status of the IPv6 protocol |
| 10283 | Status of the 'DNS Suffix' setting |
| 10284 | Status of the primary DNS server |
| 10285 | Status of the secondary DNS server |
| 10286 | Status of the tertiary DNS server |
| 10287 | Status of the 'Management audit logs' setting |
| 10288 | Status of the 'cplogs' setting |
| 10289 | Status of the 'audit log' setting |
| 10290 | Status of the 'Secure web connection port' setting |
| 10293 | Status of the 'WebUI Session Time Out' setting |
| 10294 | Status of the 'Command Line Session Time Out' setting |
| 10295 | Status of the 'Core Dump' setting |
| 10296 | Status of the 'Config state' setting |
| 10297 | Status of the 'All Interfaces' setting |
| 10299 | Status of the IPv4 Static Default Route |
| 10300 | Status of the users present on the device |
| 10301 | Status of the Groups present on the device |
| 10302 | Status of the 'AAA TACACS-Servers State' setting |
| 10303 | Status of the 'AAA TACACS Servers' setting |
| 10510 | Status of the 'System configuration Backup' setting |
| 10511 | Status of the 'snapshots' setting |
| 12559 | Status of the SMTP or mail notification server |
| 14232 | Status of the radius super-user ID |
| 14233 | Status of the ARP cache size |
| 14235 | Status of the 'proxy address' setting |
| 14237 | Status of the ARP announce level |
| 14253 | Status of the LOM (Lights Out Management) IP address configured in Checkpoint Firewall |
| 14292 | Status of the checkpoint Gaia OS web daemon-enable setting |
| 14298 | Status of the backup location |
| 14299 | List of last-successful backups |
| 16559 | Status of the 'ICMP Redirect' Setting using fw ctl get utility |
| 16836 | Status of the 'Maximum number of concurrent connections' using fw command |
| 22078 | Status of the 'ECHO services' setting |
| 22079 | Status of the 'web ssl3-enabled' setting |
| 22080 | Status of the 'clienv debug' setting |
| 23240 | Status of Secure Internal Communication (SIC) 'Trust State' on the device |
| 10305 | Status of the 'Verify the Default Boot Process' setting |
| 22081 | Status of the installed Check Point licenses |
The following control is not supported on the Gaia R81.10 platform in either non-expert or expert mode:

| Control ID | Statement |
| --- | --- |
| 14253 | Status of the 'LOM ip-address' setting |
The following controls are not supported on the Gaia R80.40 platform in either non-expert or expert mode:

| Control ID | Statement |
| --- | --- |
| 16836 | Status of the 'maximum concurrent connections' setting |
| 22081 | Status of installed Check Point licenses |
| 16559 | Status of the 'ICMP Redirects' setting |
| 10305 | Status of the 'Verify the Default Boot Process' setting |