Check Point Next-Generation Firewall
Samurai [Local] Collector | Samurai [Cloud] Collector |
---|---|
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From Check Point Management Console:
- Configure Syslog Settings
- Create an NTT Account
- Defining Trusted Clients
- Enable Packet Capture for IPS Protections
- Enable Packet Capture for IPS Core Protections
3) From the Samurai MDR portal:
Connectivity Requirements
Source | Destination | Ports | Description |
---|---|---|---|
Check Point Management Center | Samurai Local Collector | TCP/514 (syslog) | For log transmission |
Samurai Local Collector | Check Point Management Center | TCP/443 (https) | Application Programming Interface (API) access |
Configure Syslog Settings
Once you have validated or updated your Check Point version follow the steps outlined in the Check Point documentation section Advanced Deployment:
Use the following parameters when completing the Advanced Deployment :
Field Name | Parameter |
---|---|
Name | Whatever you want, however we suggest: NTT-LOGEXPORT |
target-server | IP address of your Samurai Local Collector |
target-port | 514 |
protocol | tcp |
format | default |
read-mode | semi-unified |
export-attachment-ids | true |
cp_log_export add name NTT-LOGEXPORT target-server <SAMURAI Local Collector IP> target-port 514 protocol tcp format default read-mode semi-unified export-attachment-ids true
Create an NTT Account
When you Complete the Check Point Next-Generation Firewall Integration in the Samurai MDR portal you can choose to use a username/password or API key for authentication. Note the authentication method when following the steps below.
Follow the Check Point documentation to create an NTT Account with password authentication:
Follow the Check Point documentation to create an NTT Account with API key authentication:
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Name | Whatever you want, however we suggest: NTTUser |
Authentication method | Select either Check Point Password OR API Key |
Password | If Authentication method is Password - Set the password in accordance with your policy, you will need this to complete the integration in the Samurai MDR portal. |
Permission Profile | Read Only All (Check Point Documentation) |
Defining Trusted Clients
In order to allow the NTT Account to access the Security Management Server via either username/password or API key it may be needed to configure Trusted Clients in the Check Point Management Console.
Follow the Check Point documentation when defining trusted clients:
General recommendation is to limit access to IPv4 Address and specifying the IP address of the Samurai Local Collector.
Enable Packet Capture for IPS Protections
Follow the Check Point documentation to enable packet capture for specific profiles:
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Logging / Track | Log |
Capture Packets | Enabled (check box) |
Enable Packet Capture for IPS Core Protections
Follow the Check Point documentation to enable packet packet for IPS Core Protections:
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Logging / Track | Log |
Capture Packets | Enabled (check box) |
Protection Scope | Apply to all HTTP traffic |
Complete the Check Point Next-Generation Firewall Integration
Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Click Create
Find and select Check Point Next-Generation Firewall
You will be presented with the Local Collector IP Address on the left of the screen
To configure Extended Telemetry Collection ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
- Description - optional but if completed will appear in the Samurai MDR portal for you to easily reference)
- Devicename - an arbitrary name to identify the Check Point device
- IP - IP address of host - this can include multiple separated by a comma (,)
- API-key (optional) - if this is not specified will default to Username/Password
- Domain (optional) - if the user is created in a specific domain, specify the domain
- Username (optional) - enter a username if not using an API-Key
- Password - specify password to use
- Port - if you have changed the default port enter the port number, if not, we default to 443
Click on Finish
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.