Release Notes 6.5.2

Originally published at: https://indeni.com/docs/release-notes/release-notes-6-x-x/release-notes-6-5-2/

See below for the detailed notes for 6.5.2. Customers, head over to the Indeni Forum within Indeni Crowd to join the conversation around these capabilities. Need the latest build? Download Indeni.

Summary

PAN Best Practices

  • Check if anti-spyware actions for threat signatures of low and informational severity follow best practices.
  • Check if GlobalProtect update recurrence is set to hourly.
  • Warn if captive portal SSL/TLS service profile is using a TLS version lower than 1.2.
  • Check if the update schedule for Applications and Threats follows best practices.
  • Warn if decryption profile min version is not set to TLSv1.2 and max version is not set to “Max” (Decryption profile).
  • Warn if LDAP communication is insecure. “Require SSL/TLS secured connection” should be enabled for LDAP.
  • Check if all anti-spyware profiles have DNS sink-holing enabled.
  • Check that failed login attempts is not set to 0 (default) or greater than 5. It is best practice to set the maximum failed attempts to no more than 5.
  • Check if AV update recurrence is set to hourly and update action is set to download-and-install.

BlueCoat Proxy SG

  • Added Hardware EOL and Software EOS notification
  • Identify if device has high uptime. Very long uptime may be a sign that the device has not been upgraded in a while.
  • Identify if certificate in use for SSL is due to expire soon

Checkpoint

  • Compliance check: Ensure core dumping is enabled

Details:

New Knowledge

BlueCoat

IKP-1564 Hardware EOL and Software EOS notification

IKP-2281 Identify if device has high uptime 

IKP-2282 Identify if certificate in use for SSL is due to expire soon

Checkpoint

IKP-1397 Compliance check: Core dumping enabled

PAN

IKP-2259 Best Practice: anti-spyware threat signatures for low and informational severity

IKP-2251 Best Practice: Ensure GlobalProtect update recurrence is set to hourly

IKP-2252 Best Practice: Ensure captive portal SSL/TLS service profile min version is set to TLSv1.2

IKP-2254 Best Practice: Ensure apps and threats are correctly configured for content updates

IKP-2255 Best Practice: Ensure min version is set to TLSv1.2 and max version is set to “Max” (Decryption profile)

IKP-2262 Best Practice: Ensure “Require SSL/TLS secured connection” is enabled for LDAP

IKP-2256 Best Practice: Check all anti-spyware profiles have DNS sink-holing enabled

IKP-2257 Best Practice: Ensure failed attempts is set to a value lower than or equal to 5

IKP-2258 Best Practice: Ensure AV update recurrence is set to hourly and update action is set to download-and-install

Knowledge Bug Fixes/Improvements

Checkpoint

IKP-2448 Fixed cpstat-mg-mds.ind. Removed from exclude list

IKP-2117 Fixed Static routing table does not match across cluster

IKP-2114 Fixed Critical process(es) “down” triggering on “unknown” processes

IKP-1641 Fixed Critical configuration files mismatch across cluster members

IKP-1748 Fixed cphaprob_list/cphaprob_list-vsx issues not resolving in a timely fashion

IKP-2209 Improved performance of fw-ctl-pstat-vsx ind script

IKP-1786 Fixed FP for chkp-fw-ctl-affinity-l-m for Gaia R77.30 and R80.20

IKP-2402 Fixed chkp-cphaprob_state_monitor vsx/novsx failing when the cluster IP has the maximum amount of digits

IKP-2090 Fixed FP due to CMA “Active status: standby”

IKP-2241 Improved performance on show-interfaces-all-vsx.ind, policy-fingerprint-vsx.ind, fw-tab-stats-vsx.ind

PAN

IKP-2247 Fixed process-state utilizing incorrect tag value, preventing issue from triggering

IKP-2275 Fixed backup output should be in XML

IKP-2416 Fixed failed to parse results of command panos-show-neighbor-all

BlueCoat

IKP-2337 Fixed os.version hard coded in interrogation script