Check Point Next-Generation Firewall

Samurai [Local] CollectorSamurai [Cloud] Collector
Picture1.svg

To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

2) From Check Point Management Console:

3) From the Samurai MDR portal:

Connectivity Requirements

SourceDestinationPortsDescription
Check Point Management CenterSamurai Local CollectorTCP/514 (syslog)For log transmission
Samurai Local CollectorCheck Point Management CenterTCP/443 (https)Application Programming Interface (API) access

Configure Syslog Settings

Once you have validated or updated your Check Point version follow the steps outlined in the Check Point documentation section Advanced Deployment:

Use the following parameters when completing the Advanced Deployment :

Field NameParameter
NameWhatever you want, however we suggest: NTT-LOGEXPORT
target-serverIP address of your Samurai Local Collector
target-port514
protocoltcp
formatdefault
read-modesemi-unified
export-attachment-idstrue
cp_log_export add name NTT-LOGEXPORT target-server <SAMURAI Local Collector IP> target-port 514 protocol tcp format default read-mode semi-unified export-attachment-ids true

Create an NTT Account 

When you Complete the Check Point Next-Generation Firewall Integration in the Samurai MDR portal you can choose to use a username/password or API key for authentication. Note the authentication method when following the steps below.

Follow the Check Point documentation to create an NTT Account with password authentication:

Follow the Check Point documentation to create an NTT Account with API key authentication:

Use the following parameters when completing the steps:

Field NameParameter
NameWhatever you want, however we suggest: NTTUser
Authentication methodSelect either Check Point Password OR API Key
PasswordIf Authentication method is Password - Set the password in accordance with your policy, you will need this to complete the integration in the Samurai MDR portal.
Permission ProfileRead Only All (Check Point Documentation)

Defining Trusted Clients

In order to allow the NTT Account to access the Security Management Server via either username/password or API key it may be needed to configure Trusted Clients in the Check Point Management Console.

Follow the Check Point documentation when defining trusted clients:

General recommendation is to limit access to IPv4 Address and specifying the IP address of the Samurai Local Collector.

Enable Packet Capture for IPS Protections

Follow the Check Point documentation to enable packet capture for specific profiles:

Use the following parameters when completing the steps:

Field NameParameter
Logging / TrackLog
Capture PacketsEnabled (check box)

Enable Packet Capture for IPS Core Protections

Follow the Check Point documentation to enable packet packet for IPS Core Protections:

Use the following parameters when completing the steps:

Field NameParameter
Logging / TrackLog
Capture PacketsEnabled (check box)
Protection ScopeApply to all HTTP traffic

Complete the Check Point Next-Generation Firewall Integration

  1. Login to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Check Point Next-Generation Firewall

  5. You will be presented with the Local Collector IP Address on the left of the screen

  6. To configure Extended Telemetry Collection ensure it is enabled via the toggle

  7. Enter the following information:

    • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
    • Description - optional but if completed will appear in the Samurai MDR portal for you to easily reference)
    • Devicename - an arbitrary name to identify the Check Point device
    • IP - IP address of host - this can include multiple separated by a comma (,)
    • API-key (optional) - if this is not specified will default to Username/Password
    • Domain (optional) - if the user is created in a specific domain, specify the domain
    • Username (optional) - enter a username if not using an API-Key
    • Password - specify password to use
    • Port - if you have changed the default port enter the port number, if not, we default to 443
  8. Click on Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.