Threat Response - Integration with Check Point

This document covers all aspects of Threat Response integration with Check Point firewalls. The Proofpoint Threat Response platform can integrate with Check Point in the following ways:

  • As an Enforcement Device

Check Point can be used to prevent network-based access to malicious hosts, or to restrict access to certain areas of the network for infected users. Threat Response can place suspicious hosts reported in security alerts into a Threat Response block list, which is then pushed up to the Check Point as an address group to be used when building policies.

The steps below detail the process for configuring Threat Response to map a local block list to an address group in a Check Point device. With the mapping in place, policies can be created on the Check Point that reference the address group managed by Threat Response.

1. Create a Host List in Threat Response

The first step in enabling synchronization with Check Point is to create a Host List in Threat Response to map to an address group on the Check Point. Follow the steps below to create the Host List in Threat Response.

  1. Log in to Threat Response.
  2. Navigate to the Lists page.
  3. Click on the Host Lists sub-tab to manage your Host Lists.
  4. Click the blue Add (+) button next to Lists to bring up the New Host List panel.
  5. Set the following fields:
    • Name: <list_name>
    • Description: <list_description> (Optional)
    • Publish: <checked_or_unchecked> (Optional)
  6. Save changes.

Note

List Publishing enables remote polling of a list in Threat Response via HTTP/S. It is not required for a Check Point configuration.

2. Create a Check Point Device

In order to map a Threat Response list to your Check Point device, you must first tell Threat Response how to communicate with that device.

Creating a Service Account in Check Point

Check Point configuration requires that you create a special service account directly on the Check Point device for synchronization. The steps below detail this account creation.

  1. SSH in to the Check Point (or use a console connection).
  2. Run the following commands to create the Threat Response service account:
     cpt1> add user threatresponse uid 0 homedir /home/threatresponse
     cpt1> set user threatresponse password
     cpt1> set user threatresponse shell /bin/bash
     cpt1> save config

Note

This account must have user ID (UID) 0 and its shell set to /bin/bash.
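As an added example (not part of the original document and not Proofpoint or Check Point code), the following POSIX shell functions check that a passwd-style account record meets the requirements just stated, UID 0 and a /bin/bash shell, and list every UID 0 login so the service account can be reviewed alongside the other root-equivalent accounts. The sample records are constructed; on the device itself you would feed in its real account database.

```shell
# Constructed sample of passwd-style records (illustrative, not captured
# from a real gateway). Fields: name:pw:uid:gid:gecos:home:shell
TR_SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
threatresponse:x:0:0::/home/threatresponse:/bin/bash
backupop:x:0:0::/home/backupop:/etc/cli.sh
monitor:x:1001:100::/home/monitor:/bin/bash'

# check_tr_account USERNAME [PASSWD_CONTENT]
# Verifies the service account meets the integration requirements:
# the account exists, has UID 0, and uses /bin/bash as its login shell.
# Exit status: 0 = compliant, 1 = missing, 2 = wrong UID, 3 = wrong shell.
check_tr_account() {
    user=$1
    content=${2:-$TR_SAMPLE_PASSWD}
    # Pick the first record whose name field matches exactly.
    line=$(printf '%s\n' "$content" | awk -F: -v u="$user" '$1 == u { print; exit }')
    if [ -z "$line" ]; then
        echo "missing: $user"
        return 1
    fi
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    if [ "$uid" != "0" ]; then
        echo "wrong uid for $user: $uid (expected 0)"
        return 2
    fi
    if [ "$shell" != "/bin/bash" ]; then
        echo "wrong shell for $user: $shell (expected /bin/bash)"
        return 3
    fi
    echo "ok: $user"
    return 0
}

# list_uid0_accounts [PASSWD_CONTENT]
# Prints the name of every account with UID 0, one per line, so that the
# privileged service account is reviewed together with all other root logins.
list_uid0_accounts() {
    content=${1:-$TR_SAMPLE_PASSWD}
    printf '%s\n' "$content" | awk -F: '$3 == 0 { print $1 }'
}
```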

Creating a Device in Threat Response

With the service account created, you can now create a device reference in Threat Response.

  • Log in to Threat Response.
  • Navigate to the Devices page.
  • Click on the Network Devices sub-tab.
  • Click the blue Add (+) button next to Network Devices to bring up the New Network Device panel.


  • Set the following fields:
    • Enabled: enable the device after the configuration is saved.
    • Name: provide a device name.
    • Description: provide a device description.
    • Hostname / IP: provide the IP address or hostname of the device.
    • Authentication: choose between password authentication (provide the username and password) and SSH key authentication (upload the SSH key to Threat Response).
    • Update this device: define the update schedule by choosing the appropriate option from the drop-down menu.
  • Save changes.

3. Map a List to the Check Point Device

Once your Check Point device has been created in Threat Response, you can begin mapping lists to it. These will appear as Address Sets or Prefix Lists in the Check Point.

Note

Once saved, Threat Response will automatically connect to the Check Point, and attempt to create the group on the device. If the group already exists, it will be overwritten with the items in the Threat Response list.


To map a list to a Check Point device:

  1. Log in to Threat Response.
  2. Navigate to the Devices page.
  3. Click on the Check Point device that you want to map a list to.
  4. In the Device Details panel, click the blue Add (+) button next to List Mappings to open the New Device Mapping panel.
  5. Select the appropriate list from the List dropdown.
  6. Input a Group Name to tell Threat Response what to name the address group in the Check Point.
  7. Save changes.