I used to be a Check Point firewall system administrator back in 2005 and so I have been away from the product for a little while. I don't know what release we were running back then but that interface looked pretty different from what it does now. Ha!

On to my question...

Although I am not the firewall administrator, I have to perform firewall policy audits twice a year. My plan of attack was going to be to document the business need and last date of review in the summary of each rule. I could then compare the date of last review with the last modified date in the rule history. If the modified date is newer than the date of last review, then that rule needs to be reviewed again. If nothing has changed since the last review then the only question would be whether the rule is still needed.

How are other people handling their firewall policy audits? Is there a standard? Is there a better approach? If there is another thread related to this subject, please feel free to point me in that direction. I did not see one in a brief search.

One problem I have encountered is that the history does not always appear to reflect the actual history of the rule in the SmartConsole (R80.20). I have a rule where the summary tab shows a creation date of 1/7/2019. If I select the history tab and display results for all time, it searches back over 300 days with no results. January 7th was only about 189 days ago (if I did my math correctly). I would think I should see an entry in the history for the day of its creation. Another rule that was only created within the past month does show a creation date in the history. Something is not right there, which concerns me in relying upon the accuracy of history when auditing.

Thanks for taking the time to read my post.
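
The review-date comparison planned in the post above, as an added example that is not part of the original post and is not Check Point code. The record fields (`name`, `comments`, `last_modified`), the `Reviewed: YYYY-MM-DD` marker and the sample rules are constructed assumptions; a change on the review day itself is treated as the review edit, on the assumption that recording the review date updates the rule's modified time.

```python
import re
from datetime import date, datetime, timezone

# Constructed sample export; field names and the "Reviewed:" marker are
# assumptions for this example, not a Check Point format.
RULES = [
    {"name": "Web to DMZ", "comments": "Need: public site. Reviewed: 2019-03-01",
     "last_modified": "2019-02-10T09:15:00+00:00"},
    {"name": "Vendor VPN", "comments": "Need: vendor support. Reviewed: 2019-03-01",
     "last_modified": "2019-05-22T14:02:00+00:00"},
    {"name": "Temp test", "comments": "temporary",
     "last_modified": "2019-06-30T08:00:00+00:00"},
    {"name": "Legacy FTP", "comments": "Need: transfers. Reviewed: 2019-13-40",
     "last_modified": "2019-01-15T00:00:00+00:00"},
    {"name": "Mail relay", "comments": "Need: outbound mail. Reviewed: 2019-03-01",
     "last_modified": "2019-03-01T23:30:00-05:00"},
]

REVIEW_RE = re.compile(r"Reviewed:\s*(\d{4}-\d{2}-\d{2})")

def classify(rule):
    """Return the audit status of one rule record."""
    match = REVIEW_RE.search(rule.get("comments") or "")
    if not match:
        return "NO_REVIEW_DATE"          # never documented: needs a full review
    try:
        reviewed = date.fromisoformat(match.group(1))
    except ValueError:
        return "BAD_REVIEW_DATE"         # marker present but not a real date
    # Normalise to UTC so a late-evening local change is not dated a day early.
    modified = datetime.fromisoformat(rule["last_modified"])
    modified_day = modified.astimezone(timezone.utc).date()
    if modified_day > reviewed:
        return "CHANGED_SINCE_REVIEW"    # modified after last review: re-review
    return "CONFIRM_STILL_NEEDED"        # unchanged: only ask if still needed

def audit(rules):
    """Map each rule name to its audit status."""
    return {rule["name"]: classify(rule) for rule in rules}

if __name__ == "__main__":
    for name, status in audit(RULES).items():
        print(f"{status:22} {name}")
```

Rules without a parseable review marker are reported separately rather than silently passed, so undocumented rules surface in the audit.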