Integrate a Check Point R80.x On-Premises Device
Configure a Check Point R80.x integrated security management on-premises device to use the Check Point firewall to act on IOCs pulled from Threat Command. The following Check Point versions and IOCs are supported:
| Version | Supported IOCs |
|---|---|
| R80.20, with hotfix_sk132193 installed | IP address, Domain, URL, and MD5 file hash |
| R80.30 | IP address, Domain, URL, and MD5 file hash |
| R80.40 | IP address, Domain, URL, and file hash (MD5, SHA1, and SHA256) |
Limitations
- Check Point device configuration is per gateway. You must configure each gateway separately, either using SSH or the console.
- The device is limited to 20,000 IOCs.
- Check Point does not support email address IOCs.
- Due to a Check Point R80.40 issue, only MD5 file-hashes are sent to the gateway.
Add a Check Point on-premises device to Threat Command
You can add a Check Point on-premises device to Threat Command.
Prerequisites
- You have administrative access to Threat Command with a subscription to the Automation and TIP modules.
- The Anti-Bot and Anti-Virus blades are installed on each Check Point gateway to be configured.
To add an on-premises device to Threat Command:
- Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
- From the main menu, select Automation > Integrations.
- From the Integrations page, click On-Premises.
- Click Add new device.
- In the Add New On-Premises Device dialog, type a user-defined name for the device.
The name can contain letters, spaces, numbers, and underscores. - Select the Device type.
- (Optional) You can change the IOCs limit.
- Select the version of your Check Point Gateway: R80.40, R80.30, or R80.20.
- (Optional) Map the blade configuration for the gateway:
The default mappings are per Check Point recommendation. For more information, consult with Check Point documentation.- Click Blade Configuration IOC - Mapping.
The configuration section is displayed. - Select a blade mapping for each of the supported IOC types.
- Click Blade Configuration IOC - Mapping.
- Click Add.
- To verify that the new device is added, refresh the Automation > Integrations page.
The new device is added to the integrations device list.
Configure a Check Point device to pull IOCs from Threat Command
The default behavior for pulled IOCs is “Prevention.” Instead of simply detecting, the configured gateway will block IOCs in the device.
When IOCs are pulled, all IOCs present are pulled.
Prerequisites:
- Access to Threat Command as an administrator.
- The Threat Command account ID, as described inAPI key, account ID, and appliance key.
To configure a Check Point device:
- Get the Threat Command Check Point Feed URL:
- From the Threat CommandAutomation > Integrations page, click the On-Premises tab,
- Select the Check Point device.
- From the top of the page, click Device Details.
- Copy the Feed URL that is displayed.
- Log in to a Check Point gateway with SSH (or the console).
- Start expert mode.
- (Optional). Set the fetch interval for all configured feed servers. Note: This setting applies to all feed servers.
Type: ioc_feeds set_interval 3600 - (Optional) Confirm that the setting was applied:
Type: ioc_feeds show_interval - Configure the feed server from which IOCs will be pulled:
Type: ioc_feeds add --feed_name <feed_name> --transport http --resource "<device_url>" --format [type:#2,value:#1,severity:#3,product:#4,comment:#5,name:#1] --user_name <account ID> --delimiter ","Where :- * feed_name is a user-defined name for the Check Point feed.
- * device_url is the Feed URL from the Threat Command Device Details screen.
- * format**** is according to the following: There are five fields, delimited by ",". The format should map what (type, value, severity, etc.) should be taken from each field.
- * user_name is the Threat Command account ID
- * delimiter is “,”
- (Optional) Confirm that the feed was configured:
- Type: ioc_feeds show The feed is configured.
Check Point Troubleshooting
In R80.40, you can determine when the last IOCS were pulled and also force an IOC pull from Threat Command (before the scheduled time).
To determine when the last IOCS were pulled:
- Run: cat /opt/CPsuite-R80.40/fw1/log/ioc_feeder.elg
To force an IOC pull:
- Run: ioc_feeder -d -f - The IOCs are displayed.
Did this page help you?