This integration collects events generated by Checkpoint to test the efficacy and configuration of the security control using Security Validation jobs.
Use this document to configure the integration using one of the following methods:
- MSI (Supported and recommended for new integration configurations)
- Legacy (Supported for existing integration configurations)
Configure MSI Integration
This document covers the the MSI method of creating an integration. This method is the recommended approach for configuring new integrations in Security Validation.
API Calls
| API | Usage |
|---|---|
/web_api/login |
Authentication |
/web_api/logout |
End an authenticated session |
/web_api/show-logs |
Query events to return |
Supported Versions
Checkpoint version R80 and above
Before You Begin
To configure this integration, you need:
- The hostname of your Checkpoint instance
- One of the following:
- A valid username and password for a user with permissions to use the API endpoints described in the previous step
- An Api Key for an administrator account
To generate an API Key
- Login to the Checkpoint SmartConsole, click Manage & Settings > Permissions & Administrators > Administrators.
- Click the New icon in the top menu.
- In the New Administrator window, give the administrator a name and select API Key as the Authentication Method.
- Click Generate API key.
- From the new API key window, click Copy key to Clipboard, and paste it to a safe location for use in the integration configuration.
- Click OK.
- Publish the SmartConsole session.
Configure Security Validation
-
Go to Settings > Integrations.
- From the Integrations table, click Add Integration > Checkpoint.
You can add this as either a Direct or Remote Integration.
- Enter a meaningful Integration Name.
- Optional: From the Proxy drop-down, choose a proxy profile if one is available. If one isn't available and all outbound connections go through a proxy, first, set up a Proxy Rule.
- Optional: Change the HttpProtocols value to determine what protocol is used for requests (Https or Http).
- Enter the Host for the Checkpoint instance.
- Enter a Port value. The default is 443.
- Enter the Domain value for the Checkpoint instance.
- Select a CheckpointAuthMethod and then choose an option:
- If you chose Basic, enter the Username and Password for the account with permissions to use the API endpoints.
- If you chose Apikey, enter the Api Key that you generated.
- Optional: Check Verify Ssl if you want this verification done for requests to an upstream server.
- Optional: Change the Timeout value if you want a different frequency of requests to an upstream server. The default is 30 (seconds).
- Optional: Add any Log Servers, if needed.
- Optional: Modify Queries, as needed. A default IP Query is provided.
- Optional: Select an option from the drop-down if you want to change the CheckpointTimeFrame.
- Optional: Modify the Page Size to change the request for the upstream server. The default is 100.
- Optional: Modify the FieldMapModel values, as necessary.
- Each field map box can hold a JSON-formatted comma-separated list of columns returned by the API to be considered for each field when translating into the normalized event object format. Example: description could be configured to be 'msg_s' or 'SyslogMessage' in some environments. The field map tries both if set to: ['msg_s','SyslogMessage'] and whichever matches first is the column that is used.
- When configuring an integration in Security Validation, you can assign additional host values in the Field Map settings. If none of the assigned fields return a valid host name, Network Actions may miss matched events from the third-party technology. Additional hosts values helps ensure the likelihood of a match between the two environments.
-
Optional: Expand Advanced options and update the information as necessary.
- Update Query Time and Delay Time.The Query time is the amount of time (minutes) before and after the query runs that the platform looks for events, while the Delay time is the amount of time (minutes) that the platform waits to run the first query after a Job Action starts. For example, you configure your integration with the following values: Query time = 5, Query interval = 30 seconds, and Delay time = 0. When a Job Actions starts at 12:00:00, the first time the query runs, the platform looks for events from 11:55:00 to 12:00:00. Then 30 seconds later, it looks for events from 11:55:30 to 12:00:30. This interval continues, with the last query looking from 12:00:00 to 12:05:00. If you instead configured the Delay time to equal 10, it would run the same query, but it wouldn't start that query until 12:10:00.If your monitors are set to run more frequently than the query time, this configuration impacts the pass/fail results for AEDA monitors.
- Update Query Interval (seconds).
- If supported by your integration, configure correlation queries:
- Select Correlation Query Enabled and fill in the Correlation Query.
- Modify the Correlation Query Interval, if necessary (minutes).
- Select
Discover network devices automatically, the default and recommended option.If unselected, reported events won't include product information for any matching network security technology.
- Select Save Suspicious Events.
- Modify the Event Time Adjustment (seconds). The default is 0.
Modify the Limit value if you need to prevent a flood of results. This value is set to 10000 by default. This limit applies to both events and alerts individually, so if you set it to 10, you can still see a maximum of 10 events and 10 alerts.
- Update Query Time and Delay Time.
-
Click Save.
Verify connectivity
- Go to Settings > Integrations.
- From the Direct Integrations table, click
> Test to verify that:
- The Director can communicate with the integration host on the port and protocol specified.
- The integration credentials are valid and working.
For more information on setting up queries, see Manage Integrations.
Configure Legacy Integration
This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
Update Check Point
Check Point requires several initial configuration steps. For help completing the configuration, please review Check Point's documentation and contact their support team as necessary.
Prerequisites
Before starting the update, gather this information:
- Identify your Check Point version.
- Determine where the logs are being sent (Check Point Management or to a separate log server).
- Download the Check Point
opsec_pull_certutility. You can find this utility on the Check Point Support Center site.
To configure Check Point (overview)
- Locate and read the Check Point OPSEC LEA documentation. You can find this on the Check Point Support Center site.
- Download the
OPSEC SDK 6.1 tar.gzfile. -
Create the OPSEC application.
- Use the Check Point SmartConsole or the desired CMA/Domain on the Provider.
-
Name the new OPSEC application VerodinLEA.
You can use any name, but VerodinLEA is recommended by convention.The Security Validation integration with Check Point currently only supports the sslca auth method. - Consult the Check Point documentation for more information.
-
Create an OPSEC application certificate in the Check Point SmartConsole using the command line.
-
Run the following command in the Check Point
opsec_pull_certutility with the correct information from the customer:opsec_pull_cert -h <smartcenter ip> -n <LEA Opsec Application Name> -p <activation key> -o c:\cert\opsec.p12 -
Capture the one-time password you enter; this will be used when you create an OPSEC LEA connection and pull the p12 authentication file.
The password must not include any of the following special characters: exclamation (!), circumflex accent (^), tilde (~), grave accent (`), quotation ("), or apostrophe ('). - Consult the Check Point documentation for more information.
-
-
After the OPSEC application initializes, note the opsec_sic_name that is generated. You will need this opsec_sic_name and the LEA server's opsec_sic_name.
- The Server OPSEC SIC name and the OPSEC Sic name are tied to the certificate created in step 4 above.
-
You can also get the OPSEC SIC name and LEA Server OPSEC SIC name by running this command in Expert mode from the management server. Look for the SmartConsole SIC ID in the results to get the correct name:
cpca_client lscert -stat Valid -kind SIC
-
Install the database.
- In the SmartConsole, under Policy, install the database for your Management Server.
- Consult the Check Point documentation for more information.
Update the Validation Platform
Prerequisites
Information to gather before you start:
- Ensure that you are running CentOS 7.0 or newer.
- Have the OPSEC SDK Dependency file (Check_Point_OPSEC_SDK_6.1_linux50.tar.gz). See Check Point's knowledge base for more information.
-
Have an active, configured OPSEC LEA Application for use with the Validation Platform.
- Obtain OPSEC authentication file.
- Identify the LEA Server IP and Port (this defaults to 18184).
- Identify the OPSEC SIC and LEA Server OPSEC SIC names you noted in Step 5 above.
Configuration
To add the Check Point integration
-
Go to Settings > Integrations.
-
Click Add Integration > Check Point.
- Browse for and select the OPSEC SDK 6.1 tar.gz file. When selected, the file will immediately start uploading.
-
Enter IP, Port, OPSEC SIC Name, and LEA Server OPSEC SIC Name. See Check Point Firewall Integration
- In the OPSEC SIC Name field, enter the OPSEC Application name you created in Step 3 in To configure Check Point (overview)
- In the LEA Server OPSEC SIC Name field, enter the SmartConsole SID ID you noted in Step 5 in To configure Check Point (overview).
- Browse for and select the OPSEC Key (.p12 authentication) file.
-
Expand Advanced options.
-
Modify the Query Interval and Event Time Adjustment, if necessary.
-
(Optional) Assign a Name.
-
(Optional) Choose Yes to save suspicious events.
-
Click Submit.
Verify connectivity
To verify connectivity to Check Point
Click Test to verify that the Director can communicate with the Check Point host using the provided setup information.