Integrate a Check Point R80.x On-Premises Device

Configure a Check Point R80.x integrated security management on-premises device to use the Check Point firewall to act on IOCs pulled from Threat Command. The following Check Point versions and IOCs are supported:

VersionSupported IOCs
R80.20, with hotfix_sk132193 installedIP address, Domain, URL, and MD5 file hash
R80.30IP address, Domain, URL, and MD5 file hash
R80.40IP address, Domain, URL, and file hash (MD5, SHA1, and SHA256)


  • Check Point device configuration is per gateway. You must configure each gateway separately, either using SSH or the console.
  • The device is limited to 20,000 IOCs.
  • Check Point does not support email address IOCs.
  • Due to a Check Point R80.40 issue, only MD5 file-hashes are sent to the gateway.

Add a Check Point on-premises device to Threat Command

You can add a Check Point on-premises device to Threat Command.


  • You have administrative access to Threat Command with a subscription to the Automation and TIP modules.
  • The Anti-Bot and Anti-Virus blades are installed on each Check Point gateway to be configured.

To add an on-premises device to Threat Command:

  1. Log in to Threat Command at
  2. From the main menu, select Automation > Integrations.
    temporary placeholder
  3. From the Integrations  page, click On-Premises.
  4. Click Add new device.
    temporary placeholder
  5. In the Add New On-Premises Device  dialog, type a user-defined name for the device.  
    The name can contain letters, spaces, numbers, and underscores.
  6. Select the Device type.
  7. (Optional) You can change the IOCs limit.
  8. Select the version of your Check Point Gateway: R80.40, R80.30, or R80.20.
  9. (Optional) Map the blade configuration for the gateway:
    The default mappings are per Check Point recommendation. For more information, consult with Check Point documentation.
    1. Click Blade Configuration IOC - Mapping.
      The configuration section is displayed.
    2. Select a blade mapping for each of the supported IOC types.
  10. Click Add.
  11. To verify that the new device is added, refresh the Automation > Integrations  page.

The new device is added to the integrations device list.

Configure a Check Point device to pull IOCs from Threat Command

The default behavior for pulled IOCs is “Prevention.” Instead of simply detecting, the configured gateway will block IOCs in the device.

When IOCs are pulled, all IOCs present are pulled.


To configure a Check Point device:

  1. Get the Threat Command Check Point Feed URL:
    1. From the Threat CommandAutomation > Integrations  page, click the On-Premises  tab,
    2. Select the Check Point device.
    3. From the top of the page, click Device Details.
      temporary placeholder
    4. Copy the Feed URL that is displayed.
  2. Log in to a Check Point gateway with SSH (or the console).
  3. Start expert mode.
  4. (Optional). Set the fetch interval for all configured feed servers. Note: This setting applies to all feed servers.
    Type: ioc_feeds set_interval 3600
  5. (Optional) Confirm that the setting was applied:
    Type: ioc_feeds show_interval
  6. Configure the feed server from which IOCs will be pulled:
    Type: ioc_feeds add --feed_name <feed_name> --transport http --resource "<device_url>" --format [type:#2,value:#1,severity:#3,product:#4,comment:#5,name:#1] --user_name <account ID> --delimiter ","Where :
    • * feed_name is a user-defined name for the Check Point feed.
    • * device_url is the Feed URL from the Threat Command Device Details screen.
    • * format**** is according to the following: There are five fields, delimited by ",". The format should map what (type, value, severity, etc.) should be taken from each field.
    • * user_name is the Threat Command account ID
    • * delimiter is “,”
  7. (Optional) Confirm that the feed was configured:
    • Type: ioc_feeds show The feed is configured.

Check Point Troubleshooting

In R80.40, you can determine when the last IOCS were pulled and also force an IOC pull from Threat Command (before the scheduled time).

To determine when the last IOCS were pulled:

  • Run: cat /opt/CPsuite-R80.40/fw1/log/ioc_feeder.elg

To force an IOC pull:

  • Run: ioc_feeder -d -f - The IOCs are displayed.