Samurai [Local] Collector | Samurai [Cloud] Collector | Samurai [Cloud Native] Collector |
---|---|---|
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From Check Point Management Console:
- Configure Syslog Settings
- Create an NTT Account
- Defining Trusted Clients
- Enable Packet Capture for IPS Protections
- Enable Packet Capture for IPS Core Protections
3) From the Samurai MDR portal:
Connectivity Requirements
Source | Destination | Ports | Description |
---|---|---|---|
Check Point Management Center | Samurai Local Collector | TCP/514 (syslog) | For log transmission |
Samurai Local Collector | Check Point Management Center | TCP/443 (https) | Application Programming Interface (API) access |
Check point logs will be sent from the management server to the Samurai Local Collector via syslog.
Configure Syslog Settings
The syslog exporter package must be installed. Dependent on your Check Point version you may need to update. To validate requirements review the Check Point documentation found at:
Once you have validated or updated your Check Point version follow the steps outlined in the Check Point documentation section Advanced Deployment:
Use the following parameters when completing the Advanced Deployment :
Field Name | Parameter |
---|---|
Name | Whatever you want, however we suggest: NTT-LOGEXPORT |
target-server | IP address of your Samurai Local Collector |
target-port | 514 |
protocol | tcp |
format | default |
read-mode | semi-unified |
export-attachment-ids | true |
Table 1: Log Exporter
An example of the command to run based on the table above is:
cp_log_export add name NTT-LOGEXPORT target-server <SAMURAI Local Collector IP> target-port 514 protocol tcp format default read-mode semi-unified export-attachment-ids true
Create an NTT Account
When you Complete the Check Point Next-Generation Firewall Integration in the Samurai MDR portal you can choose to use a username/password or API key for authentication. Note the authentication method when following the steps below.
Follow the Check Point documentation to create an NTT Account with password authentication:
Follow the Check Point documentation to create an NTT Account with API key authentication:
The URL provided directs you to R81 Check Point administrators guide, be sure to follow the steps for your specific version.
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Name | Whatever you want, however we suggest: NTTUser |
Authentication method | Select either Check Point Password OR API Key |
Password | If Authentication method is Password - Set the password in accordance with your policy, you will need this to complete the integration in the Samurai MDR portal. |
Permission Profile | Read Only All (Check Point Documentation) |
Table 2: NTT User creation
If selecting API authentication then be sure to copy the key to Complete the Check Point Next-Generation Firewall Integration.
Defining Trusted Clients
In order to allow the NTT Account to access the Security Management Server via either username/password or API key it may be needed to configure Trusted Clients in the Check Point Management Console.
Follow the Check Point documentation when defining trusted clients:
General recommendation is to limit access to IPv4 Address and specifying the IP address of the Samurai Local Collector.
IPv4 Address filtering do not always work on all Check Point Management Console versions and one therefore needs to resort to utilize Any instead.
Enable Packet Capture for IPS Protections
Follow the Check Point documentation to enable packet capture for specific profiles:
The URL provided directs you to R81 Check Point Threat Prevention guide, be sure to follow the steps for your specific version.
It is recommended to enable packet capture for all signatures that are active within the used profile.
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Logging / Track | Log |
Capture Packets | Enabled (check box) |
Table 3: IPS Protections
Enable Packet Capture for IPS Core Protections
Follow the Check Point documentation to enable packet packet for IPS Core Protections:
The URL provided directs you to R81 Check Point Threat Prevention guide, be sure to follow the steps for your specific version.
It is recommended to enable packet capture for all signatures that are active within the used profile.
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Logging / Track | Log |
Capture Packets | Enabled (check box) |
Protection Scope | Apply to all HTTP traffic |
Table 4: IPS Core Protections
Complete the Check Point Next-Generation Firewall Integration
Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Click Create
Find and select Check Point Next-Generation Firewall
You will be presented with the Local Collector IP Address on the left of the screen
To configure Extended Telemetry Collection ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
- Description - optional but if completed will appear in the Samurai MDR portal for you to easily reference)
- Devicename - an arbitrary name to identify the Check Point device
- IP - IP address of host - this can include multiple separated by a comma (,)
- API-key (optional) - if this is not specified will default to Username/Password
- Domain (optional) - if the user is created in a specific domain, specify the domain
- Username (optional) - enter a username if not using an API-Key
- Password - specify password to use
- Port - if you have changed the default port enter the port number, if not, we default to 443
Click on Finish
For general information on Integrations refer to the Integrations article.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.