This is a real-life sample alert from Indeni.

Description:

The Stateful Inspection feature on this firewall has been disabled. Since Stateful Inspection is a core element of the behavior of modern firewalls, this may mean a severe security gap exists. For more information, read "Why Turning Off Stateful Inspection On Your Check Point Firewall Is Bad" on Hurricane Labs’ website.

This signature has been made possible with the help of Lindsay Hill.

Manual Remediation Steps:

Re-enable Stateful Inspection under Global Parameters. Be careful when doing so as it may break traffic that was allowed previously.

How does this alert work?

Indeni connects to the servers managing the Check Point firewalls (SmartCenter / Security Management / Provider-1 / MDM) and parses the policy files (such as objects_5_0.C). It looks for the flag that controls Stateful Inspection and raises this alert if the flag is set to false.
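The check described above can be sketched as follows. This is an added example, not Indeni's code: the attribute name `stateful_inspection_enabled` is a placeholder (the page does not name the flag), the sample text is constructed, and the nested `:name (value)` layout is an assumption about how the policy file is structured.

```python
import re

# Placeholder name: the page does not say which attribute holds the flag.
FLAG = "stateful_inspection_enabled"

# Constructed sample in the nested ':name (value)' style assumed for objects_5_0.C.
SAMPLE = """(
    :properties (
        : (firewall_properties
            :stateful_inspection_enabled (false)
            :other_setting (true)
        )
    )
)"""

TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()]+')

def find_attr(text, attr):
    """Return [(section_path, value)] for every ':attr (value)' entry."""
    hits, stack, pending = [], [], None
    tokens = TOKEN.findall(text)
    for i, tok in enumerate(tokens):
        if tok == "(":
            stack.append(pending or "")   # open a section named by the last ':name'
            pending = None
        elif tok == ")":
            if stack:
                stack.pop()
        elif tok.startswith(":"):
            pending = tok[1:]             # a bare ':' introduces an anonymous entry
        elif i > 0 and tokens[i - 1] == "(" and stack:
            if stack[-1] == attr:         # first token inside ':attr (' is its value
                path = "/".join(s for s in stack[:-1] if s)
                hits.append((path, tok.strip('"')))
            elif stack[-1] == "":         # ': (name ...' names the anonymous entry
                stack[-1] = tok
    return hits

def check(text, attr=FLAG):
    """'alert' if any copy of the flag is false, 'ok' if all true, else 'unknown'."""
    values = [value.lower() for _, value in find_attr(text, attr)]
    if not values:
        return "unknown"                  # flag missing: do not report it as healthy
    return "alert" if "false" in values else "ok"

if __name__ == "__main__":
    print(check(SAMPLE), find_attr(SAMPLE, FLAG))
```

Returning "unknown" when the attribute is absent keeps a renamed or missing flag from being read as a healthy firewall.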