Integrate a Check Point R80.x Cloud Device

Configure a Check Point integrated security management cloud device to use the Check Point firewall to act on IOCs pulled from Threat Command.

The following Check Point versions and IOCs are supported:

Version	Supported IOCs
R80.20, with hotfix_sk132193 installed	IP address, Domain, URL, and MD5 file hash
R80.30	IP address, Domain, URL, and MD5 file hash
R80.40	IP address, Domain, URL, and file hash (MD5, SHA1, and SHA256)

Limitations

Check Point device configuration is per gateway. You must configure each gateway separately, either using SSH or the console.
The device is limited to 20,000 IOCs.
Check Point does not support email address IOCs.
Due to a Check Point R80.40 issue, only MD5 file-hashes are sent to the gateway.

You can add a Check Point cloud device to Threat Command.

Prerequisites

You have administrative access to Threat Command with a subscription to the Automation and TIP modules.
You must be able to provide the Threat Command account ID and appliance key, as described inAPI key, account ID, and appliance key.
You have the credentials to access the device with SSH or the console.
The Anti-Bot and Anti-Virus blades are installed on each Check Point gateway to be configured.

To add a cloud device to Threat Command:

Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
From the main menu, select Automation -> Integrations.
From the Integrations page, click Cloud.
Click Add new device **.
In the Add New Cloud Device dialog, type a user-defined name for the device.
The name can contain letters, spaces, numbers, and underscores.
Select the Device type.
(Optional) You can change the IOCs limit.
Select the version of your Check Point Gateway: R80.40, R80.30, or R80.20.
(Optional) Map the blade configuration for the gateway:
The default mappings are per Check Point recommendation. For more information, consult with Check Point documentation.
1. Click Blade Configuration IOC - Mapping.
  The configuration section is displayed.
2. Select a blade mapping for each of the supported IOC types.
Click Add.
To verify that the new device is added, refresh the Automation > Integrations page.

The new device is added to the cloud integrations device list.

The default behavior for pulled IOCs is “Prevention.” Instead of only detecting, the configured gateway will block IOCs in the device.

When IOCs are pulled, all IOCs that are present are pulled.

Prerequisites

To configure a Check Point cloud device:

Get the Threat Command Check Point Feed URL:
1. From the Threat CommandAutomation > Integrations page, click the Cloud tab,
2. Select the Check Point device.
3. From the top of the page, click Device Details.
4. Copy the Feed URL that is displayed.
Log in to a Check Point gateway with SSH (or the console).
Start expert mode.
(Optional) Set the fetch interval for all configured feed servers. Note: This setting applies to all feed servers.
Type: ioc_feeds set_interval 3600
(Optional) Confirm that the setting was applied:
Type: ioc_feeds show_interval
Configure the feed server from which IOCs will be pulled:
Type:
ioc_feeds add --feed_name <feed_name> --transport https --resource "<device_url>" --format [type:#2,value:#1,severity:#3,product:#4,comment:#5,name:#1] --user_name <account ID> --delimiter ","
Where :
- feed_name is a user-defined name for the Check Point feed.
- device_url is the Feed URL from the Threat Command Device Details screen.
- format is according to the following: There are five fields, delimited by ",". The format should map what (type, value, severity, etc.) should be taken from each field.
- user_name is the Threat Command account ID
- delimiter is “,”
To continue, approve the trust feed server by typing "y " and press Enter.
(Optional) Confirm that the feed was configured:
Type: ioc_feeds show The feed is configured.

In R80.40, you can determine when the last IOCS were pulled and also force an IOC pull from Threat Command (before the scheduled time).

To determine when the last IOCS were pulled:

To force an IOC pull:

Did this page help you?