Check Point Next-Generation Firewall

Samurai [Local] Collector	Samurai [Cloud] Collector

To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

Connectivity Requirements

2) From Check Point Management Console:

Configure Syslog Settings
Create an NTT Account
Defining Trusted Clients
Enable Packet Capture for IPS Protections
Enable Packet Capture for IPS Core Protections

3) From the Samurai MDR portal:

Complete the Check Point Next-Generation Firewall Integration

Connectivity Requirements

Source	Destination	Ports	Description
Check Point Management Center	Samurai Local Collector	TCP/514 (syslog)	For log transmission
Samurai Local Collector	Check Point Management Center	TCP/443 (https)	Application Programming Interface (API) access

Check point logs will be sent from the management server to the Samurai Local Collector via syslog.

Configure Syslog Settings

The syslog exporter package must be installed. Dependent on your Check Point version you may need to update. To validate requirements review the Check Point documentation found at:*

Log Exporter - Check Point Log Export

Once you have validated or updated your Check Point version follow the steps outlined in the Check Point documentation section Advanced Deployment:

Log Exporter - Check Point Log Export - Advanced Deployment

Use the following parameters when completing the Advanced Deployment :

Field Name	Parameter
Name	Whatever you want, however we suggest: NTT-LOGEXPORT
target-server	IP address of your Samurai Local Collector
target-port	514
protocol	tcp
format	default
read-mode	semi-unified
export-attachment-ids	true

An example of the command to run based on the table above is found below.

cp_log_export add name NTT-LOGEXPORT target-server <SAMURAI Local Collector IP> target-port 514 protocol tcp format default read-mode semi-unified export-attachment-ids true

Create an NTT Account

When you Complete the Check Point Next-Generation Firewall Integration in the Samurai MDR portal you can choose to use a username/password or API key for authentication. Note the authentication method when following the steps below.

Follow the Check Point documentation to create an NTT Account with password authentication:

Creating an Administrator Account with Check Point Password Authentication

Follow the Check Point documentation to create an NTT Account with API key authentication:

Creating an Administrator Account with API Key Authentication

The URL provided directs you to R81 Check Point administrators guide, be sure to follow the steps for your specific version.

Use the following parameters when completing the steps:

Field Name	Parameter
Name	Whatever you want, however we suggest: NTTUser
Authentication method	Select either Check Point Password OR API Key
Password	If Authentication method is Password - Set the password in accordance with your policy, you will need this to complete the integration in the Samurai MDR portal.
Permission Profile	Read Only All (Check Point Documentation)

If selecting API authentication then be sure to copy the key to Complete the Check Point Next-Generation Firewall Integration.

Defining Trusted Clients

In order to allow the NTT Account to access the Security Management Server via either username/password or API key it may be needed to configure Trusted Clients in the Check Point Management Console.

Follow the Check Point documentation when defining trusted clients:

Defining Trusted Clients

General recommendation is to limit access to IPv4 Address and specifying the IP address of the Samurai Local Collector.

IPv4 Address filtering do not always work on all Check Point Management Console versions and one therefore needs to resort to utilize Any instead.

Enable Packet Capture for IPS Protections

Follow the Check Point documentation to enable packet capture for specific profiles:

Activating Protections for a Specified Profile

The URL provided directs you to R81 Check Point Threat Prevention guide, be sure to follow the steps for your specific version.

It is recommended to enable packet capture for all signatures that are active within the used profile.

Use the following parameters when completing the steps:

Field Name	Parameter
Logging / Track	Log
Capture Packets	Enabled (check box)

Enable Packet Capture for IPS Core Protections

Follow the Check Point documentation to enable packet packet for IPS Core Protections:

Editing Core IPS Protections

The URL provided directs you to R81 Check Point Threat Prevention guide, be sure to follow the steps for your specific version.

It is recommended to enable packet capture for all signatures that are active within the used profile.

Use the following parameters when completing the steps:

Field Name	Parameter
Logging / Track	Log
Capture Packets	Enabled (check box)
Protection Scope	Apply to all HTTP traffic

Complete the Check Point Next-Generation Firewall Integration

Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Click Create
Find and select Check Point Next-Generation Firewall
You will be presented with the Local Collector IP Address on the left of the screen
To configure Extended Telemetry Collection ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
- Description - optional but if completed will appear in the Samurai MDR portal for you to easily reference)
- Devicename - an arbitrary name to identify the Check Point device
- IP - IP address of host - this can include multiple separated by a comma (,)
- API-key (optional) - if this is not specified will default to Username/Password
- Domain (optional) - if the user is created in a specific domain, specify the domain
- Username (optional) - enter a username if not using an API-Key
- Password - specify password to use
- Port - if you have changed the default port enter the port number, if not, we default to 443
Click on Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.