Check Point Next-Generation Firewall

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

Product | Samurai [Local] Collector | Samurai [Cloud] Collector
Check Point Next Generation Firewall (NGFW) | Picture1.svg |

To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

2) From Check Point Management Console:

3) From the Samurai application:

Connectivity Requirements

Source | Destination | Ports | Description
Check Point Management Center | Samurai Local Collector | TCP/514 (syslog) | For log transmission
Samurai Local Collector | Check Point Management Center | TCP/443 (https) | Application Programming Interface (API) access

Note: Check Point logs will be sent from the management server to the Samurai Local Collector via syslog.

Configure Syslog Settings

Note: The syslog exporter package must be installed. Depending on your Check Point version, you may need to update. To validate requirements, review the Check Point documentation found at:

Once you have validated or updated your Check Point version follow the steps outlined in the Check Point documentation section Advanced Deployment:

Use the following parameters when completing the Advanced Deployment:

Field Name | Parameter
Name | Whatever you want, however we suggest: NTT-LOGEXPORT
target-server | IP address of your Samurai Local Collector
target-port | 514
protocol | tcp
format | default
read-mode | semi-unified
export-attachment-ids | true

Table 1: Log Exporter

Note: An example of the command to run based on the table above is:

cp_log_export add name NTT-LOGEXPORT target-server <SAMURAI Local Collector IP> target-port 514 protocol tcp format default read-mode semi-unified export-attachment-ids true

Create an NTT Account 

When you Complete the Check Point Next-Generation Firewall Integration in the Samurai application you can choose to use a username/password or API key for authentication. Note the authentication method when following the steps below.

Follow the Check Point documentation to create an NTT Account with password authentication:

Follow the Check Point documentation to create an NTT Account with API key authentication:

Note: The URL provided directs you to the R81 Check Point administrators guide; be sure to follow the steps for your specific version.

Use the following parameters when completing the steps:

Field Name | Parameter
Name | Whatever you want, however we suggest: NTTUser
Authentication method | Select either Check Point Password OR API Key
Password | If Authentication method is Password - Set the password in accordance with your policy, you will need this to complete the integration in the Samurai application.
Permission Profile | Read Only All (Check Point Documentation)

Table 2: NTT User creation

Note: If selecting API authentication, be sure to copy the key; you will need it to Complete the Check Point Next-Generation Firewall Integration.

Defining Trusted Clients

To allow the NTT Account to access the Security Management Server via either username/password or API key, you may need to configure Trusted Clients in the Check Point Management Console.

Follow the Check Point documentation when defining trusted clients:

The general recommendation is to limit access to IPv4 Address, specifying the IP address of the Samurai Local Collector.

Note: IPv4 Address filtering does not always work on all Check Point Management Console versions, in which case you need to resort to using Any instead.
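
The NTT Account and its authentication method can be checked against the Management API on TCP/443 before the details are entered in the Samurai application. The Python below is an added example, not Samurai or Check Point code; it assumes the standard Management API login and logout calls under /web_api, and the CA file and environment variable names are hypothetical.

```python
import json
import os
import ssl
import urllib.request


def build_login(host, api_key=None, username=None, password=None, domain=None, port=443):
    """Return (url, payload) for a Management API login built from the integration fields."""
    if api_key:
        payload = {"api-key": api_key}  # an API key takes the place of username/password
    elif username and password:
        payload = {"user": username, "password": password}
    else:
        raise ValueError("supply an API key, or both a username and a password")
    if domain:
        payload["domain"] = domain  # only for accounts created in a specific domain
    payload["read-only"] = True  # ask for a read-only session; this check changes nothing
    return f"https://{host}:{port}/web_api/login", payload


def _post(url, body, ctx, sid=None):
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_account(host, cafile=None, **creds):
    """Log in, report what the server returned, then log out so no session lingers."""
    url, payload = build_login(host, **creds)
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    session = _post(url, payload, ctx)
    try:
        return {k: session.get(k) for k in ("read-only", "api-server-version")}
    finally:
        _post(url.rsplit("/", 1)[0] + "/logout", {}, ctx, sid=session["sid"])


if __name__ == "__main__":
    # Hypothetical environment variable names; credentials are never hard-coded here.
    print(check_account(
        os.environ["CP_MGMT_HOST"],
        cafile=os.environ.get("CP_MGMT_CA"),
        api_key=os.environ.get("CP_API_KEY"),
        username=os.environ.get("CP_USER"),
        password=os.environ.get("CP_PASSWORD"),
        domain=os.environ.get("CP_DOMAIN"),
    ))
```

Run it from a host whose address is permitted under Trusted Clients, and pass the CA file that signed the management server certificate if it is not in the system trust store.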

Enable Packet Capture for IPS Protections

Follow the Check Point documentation to enable packet capture for specific profiles:

Note: The URL provided directs you to the R81 Check Point Threat Prevention guide; be sure to follow the steps for your specific version.

Note: It is recommended to enable packet capture for all signatures that are active within the profile in use.

Use the following parameters when completing the steps:

Field Name | Parameter
Logging / Track | Log
Capture Packets | Enabled (check box)

Table 3: IPS Protections

Enable Packet Capture for IPS Core Protections

Follow the Check Point documentation to enable packet capture for IPS Core Protections:

Note: The URL provided directs you to the R81 Check Point Threat Prevention guide; be sure to follow the steps for your specific version.

Note: It is recommended to enable packet capture for all signatures that are active within the profile in use.

Use the following parameters when completing the steps:

Field Name | Parameter
Logging / Track | Log
Capture Packets | Enabled (check box)
Protection Scope | Apply to all HTTP traffic

Table 4: IPS Core Protections

Complete the Check Point Next-Generation Firewall Integration

  1. Login to your Samurai application tenant

  2. Click Integrations from the main menu

  3. Click Create

  4. Find and select Check Point Next-Generation Firewall

  5. You will be presented with the Local Collector IP Address on the left of the screen

  6. To configure Extended Telemetry Collection ensure it is enabled via the toggle

  7. Enter the following information:

    • Name for the Integration - the name will appear in the Samurai application for you to easily reference
    • Description - optional, but if completed it will appear in the Samurai application for you to easily reference
    • Devicename - an arbitrary name to identify the Check Point device
    • IP - IP address of host - this can include multiple separated by a comma (,)
    • API-key (optional) - if this is not specified will default to Username/Password
    • Domain (optional) - if the user is created in a specific domain, specify the domain
    • Username (optional) - enter a username if not using an API-Key
    • Password - specify password to use
    • Port - if you have changed the default port enter the port number, if not, we default to 443
  8. Click on Finish

Note: For general information on Integrations refer to the Integrations article.