Integrate a Check Point R80.x Cloud Device

Configure a Check Point integrated security management cloud device to use the Check Point firewall to act on IOCs pulled from Threat Command.

The following Check Point versions and IOCs are supported:

VersionSupported IOCs
R80.20, with hotfix_sk132193 installedIP address, Domain, URL, and MD5 file hash
R80.30IP address, Domain, URL, and MD5 file hash
R80.40IP address, Domain, URL, and file hash (MD5, SHA1, and SHA256)


  • Check Point device configuration is per gateway. You must configure each gateway separately, either using SSH or the console.
  • The device is limited to 20,000 IOCs.
  • Check Point does not support email address IOCs.
  • Due to a Check Point R80.40 issue, only MD5 file-hashes are sent to the gateway.

Add a Check Point cloud device to Threat Command

You can add a Check Point cloud device to Threat Command.


  • You have administrative access to Threat Command with a subscription to the Automation and TIP modules.
  • You must be able to provide the Threat Command account ID and appliance key, as described inAPI key, account ID, and appliance key.
  • You have the credentials to access the device with SSH or the console.
  • The Anti-Bot and Anti-Virus blades are installed on each Check Point gateway to be configured.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at
  2. From the main menu, select Automation -> Integrations.
    temporary placeholder
  3. From the Integrations  page, click Cloud.
  4. Click Add new device **. temporary placeholder
  5. In the Add New Cloud Device  dialog, type a user-defined name for the device. 
    The name can contain letters, spaces, numbers, and underscores.
  6. Select the Device type.
  7. (Optional) You can change the IOCs limit.
  8. Select the version of your Check Point Gateway: R80.40, R80.30, or R80.20.
  9. (Optional) Map the blade configuration for the gateway:
    The default mappings are per Check Point recommendation. For more information, consult with Check Point documentation.
    1. Click Blade Configuration IOC - Mapping.
      The configuration section is displayed.
    2. Select a blade mapping for each of the supported IOC types.
  10. Click Add.
  11. To verify that the new device is added, refresh the Automation > Integrations page.

The new device is added to the cloud integrations device list.

Configure a Check Point device to pull IOCs from Threat Command

The default behavior for pulled IOCs is “Prevention.” Instead of only detecting, the configured gateway will block IOCs in the device.

When IOCs are pulled, all IOCs that are present are pulled.


  • Access to Threat Command as an administrator.

To configure a Check Point cloud device:

  1. Get the Threat Command Check Point Feed URL:
    1. From the Threat CommandAutomation > Integrations page, click the Cloud tab,
    2. Select the Check Point device.
    3. From the top of the page, click Device Details.
      temporary placeholder
    4. Copy the Feed URL that is displayed.
  2. Log in to a Check Point gateway with SSH (or the console).
  3. Start expert mode.
  4. (Optional) Set the fetch interval for all configured feed servers. Note: This setting applies to all feed servers.
    Type: ioc_feeds set_interval 3600
  5. (Optional) Confirm that the setting was applied:
    Type: ioc_feeds show_interval
  6. Configure the feed server from which IOCs will be pulled:
    Type: ioc_feeds add --feed_name <feed_name> --transport https --resource "<device_url>" --format [type:#2,value:#1,severity:#3,product:#4,comment:#5,name:#1]  --user_name <account ID> --delimiter ","
    Where :
    • feed_name is a user-defined name for the Check Point feed.
    • device_url is the Feed URL from the Threat Command Device Details screen.
    • format is according to the following: There are five fields, delimited by ",". The format should map what (type, value, severity, etc.) should be taken from each field.
    • user_name is the Threat Command account ID
    • delimiter is “,”
  7. To continue, approve the trust feed server by typing "y " and press Enter.
  8. (Optional) Confirm that the feed was configured:
    Type: ioc_feeds show The feed is configured.

Check Point Troubleshooting

In R80.40, you can determine when the last IOCS were pulled and also force an IOC pull from Threat Command (before the scheduled time).

To determine when the last IOCS were pulled:

  • Run: cat /opt/CPsuite-R80.40/fw1/log/ioc_feeder.elg

To force an IOC pull:

  • Run: ioc_feeder -d -f
    The IOCs are displayed.