Originally published at: https://indeni.com/docs/release-notes/release-notes-6-x-x/release-notes-6-5-2/
See below for the detailed notes for 6.5.2. Customers, head over to the Indeni Forum within Indeni Crowd to join the conversation around these capabilities. Need the latest build? Download Indeni.
Summary
PAN Best Practices
- Check if anti-spyware actions for threat signatures of low and informational severity are following best practices.
- Check if GlobalProtect update recurrence is set to hourly.
- Warn if captive portal SSL/TLS service profile is using a TLS version lower than 1.2.
- Check if the update schedule for Applications and Threats is following best practices.
- Warn if decryption profile min version is not set to TLSv1.2 and max version is not set to “Max” (Decryption profile).
- Warn if LDAP communication is insecure: “Require SSL/TLS secured connection” should be enabled for LDAP.
- Check if all anti-spyware profiles have DNS sinkholing enabled.
- Check that failed login attempts is not set to 0 (default) or greater than 5. It is best practice to set the maximum failed attempts to no more than 5.
- Check if AV update recurrence is set to hourly and update action is set to download-and-install.
BlueCoat Proxy SG
- Added Hardware EOL and Software EOS notification.
- Identify if device has high uptime. Very long uptime may be a sign that the device has not been upgraded in a while.
- Identify if certificate in use for SSL is due to expire soon.
Checkpoint
- Compliance check: Ensure core dumping is enabled
Details:
New Knowledge
BlueCoat
IKP-1564 Hardware EOL and Software EOS notification
IKP-2281 Identify if device has high uptime
IKP-2282 Identify if certificate in use for SSL is due to expire soon
Checkpoint
IKP-1397 Compliance check: Core dumping enabled
PAN
IKP-2259 Best Practice: anti-spyware threat signatures for low and informational severity
IKP-2251 Best Practice: Ensure GlobalProtect update recurrence is set to hourly
IKP-2252 Best Practice: Ensure captive portal SSL/TLS service profile min version is set to TLSv1.2
IKP-2254 Best Practice: Ensure apps and threats are rightly configured for content updates
IKP-2255 Best Practice: Ensure min version is set to TLSv1.2 and max version is set to “Max” (Decryption profile)
IKP-2262 Best Practice: Ensure “Require SSL/TLS secured connection” is enabled for LDAP
IKP-2256 Best Practice: Check all anti-spyware profiles have DNS sinkholing enabled
IKP-2257 Best Practice: Ensure failed attempts is set to a value lower than or equal to 5
IKP-2258 Best Practice: Ensure AV update recurrence is set to hourly and update action is set to download-and-install
Knowledge Bug Fixes/Improvements
Checkpoint
IKP-2448 Fixed cpstat-mg-mds.ind. Removed from exclude list
IKP-2117 Fixed Static routing table does not match across cluster
IKP-2114 Fixed Critical process(es) “down” triggering on “unknown” processes
IKP-1641 Fixed Critical configuration files mismatch across cluster members
IKP-1748 Fixed cphaprob_list/cphaprob_list-vsx issues not resolving in a timely fashion
IKP-2209 Improved performance of fw-ctl-pstat-vsx ind script
IKP-1786 Fixed FP for chkp-fw-ctl-affinity-l-m for Gaia R77.30 and R80.20
IKP-2402 Fixed chkp-cphaprob_state_monitor vsx/novsx failing when the cluster IP has the maximum amount of digits
IKP-2090 Fixed FP due to CMA “Active status: standby”
IKP-2241 Improved performance on show-interfaces-all-vsx.ind, policy-fingerprint-vsx.ind, fw-tab-stats-vsx.ind
PAN
IKP-2247 Fixed process-state utilizing incorrect tag value, preventing issue from triggering
IKP-2275 Fixed backup output should be in XML
IKP-2416 Fixed failed to parse results of command panos-show-neighbor-all
BlueCoat
IKP-2337 Fixed os.version hard coded in interrogation script