Cisco Umbrella: Check Point Integration Setup Guide

Check Point and Cisco Umbrella Integration Overview

With integration between the Check Point Anti-Bot Software Blade and Cisco Umbrella, security officers and administrators are now able to extend protection against today's advanced threats to roaming laptops, tablets, or phones while also providing another layer of enforcement to a distributed corporate network.

This guide outlines how to configure Check Point to communicate with Umbrella so security events from Check Point are integrated into policies that can be applied to clients protected by your Cisco Umbrella.

This integration requires Checkpoint R80.40 or higher.

Cisco Umbrella and Check Point Integration: How does it work?

The Check Point Anti-Bot Software Blade appliance pushes threats that it has found—for example, domains that host malware, command and control for botnets, or phishing sites—to Cisco Umbrella for global enforcement.

Umbrella then validates the threat to ensure it can be added to a policy. If the information from the Check Point Anti-Bot Software Blade is confirmed to be a threat, the domain address is added to the Check Point Destination List as part of a security setting that can be applied to any Umbrella policy. That policy is immediately applied to any requests being made from devices assigned to that policy.

Going forward, Cisco Umbrella automatically parses Check Point alerts and adds malicious sites to the Check Point Destination List—extending Check Point protection to all remote users and devices, providing another layer of enforcement to your corporate network.

This is achieved through these simple setup steps:

Prerequisites

• A Check Point Anti-Bot Software Blade with access to the public Internet.
• Umbrella dashboard administrative rights.
• The Umbrella dashboard must have the Check Point integration enabled.

  Note: Check Point integration is included only in the Umbrella Platform package. If you do not have the Platform package and would like to have Check Point integration, please contact your Umbrella Account Manager. If you have the Platform package but do not see Check Point as an integration for your dashboard, please contact Umbrella Support.

Important: While Cisco Umbrella tries its best to validate and allow domains which are known to be generally safe (for example, Google and Salesforce), to avoid unwanted interruptions, we suggest adding any domains you never wish to have blocked to the Global Allow List—or other destination lists as per your policy.

Examples include:

• The home page for your organization. For example, mydomain.com
• Domains representing services you provide that might have both internal and external records. For example, mail.myservicedomain.com and portal.myotherservicedomain.com
• Lesser-known cloud applications you depend on heavily that Cisco Umbrella may not be aware of or include in their automatic domain validation. For example, localcloudservice.com

These domains should be added to the Global Allow List, which is found at Policies > Destination Lists in Umbrella.

Step 1: Umbrella Script and API Token Generation 

1. Log into the Umbrella dashboard as an Administrator.

2. Navigate to Settings > Integrations and click Check Point in the table to expand it.

3. Check Enable to generate your token/URL. This will generate and show your unique Umbrella token as a part of a script you will want to copy.

   

4. Click Save to enable the integration, then copy the entire script. You'll need to use it in the next step.

Step 2: Deploy the custom script with token on Check Point appliance

The next step is to deploy the custom Umbrella script on your Check Point appliance. The steps are to first copy and install the custom script, then enable it in the SmartDashboard.

1. To install the custom script, first, SSH into the Check Point Appliance as Admin:
   
   

2. Next, Launch Expert Mode by typing "expert" at the command line:
   
   

3. Then change the working directory to $FWDIR/bin:
   
   

4. Open a new file named ‘opendns’:
   
   
   
   
5. Then copy and paste the Umbrella script including your custom token in place of the <your Umbrella token> variable listed in the script:
   
   
   
   
6. Lastly, make the custom Umbrella script executable by running "chmod +x opendns" :
   
   

Note: If you upgrade or change blade versions you will need to repeat these steps on that new version.

Step 3. Build or edit a Check Point alert to post to the new script

1. We start by enabling the SmartDashboard to post the new script. Begin by logging in and launching the SmartDashboard:
   
   

2. Then open Global Properties:
   
   

3. Within Global Properties, open Log and Alert > Alerts and do the following:
   • Check Send popup alertscript and Run UserDefined script.
   • Define “opendns” in script fields for both.
4. Click Ok and then from SmartDashboard, save and install your updated policy.
   
   

Step 4: Testing the Integration and setting Check Point events to be blocked 

First, generate a test antibot blade event to appear in the Umbrella dashboard.

1. From any device on the network protected by your Check Point appliance, load the following URL in your browser:

   http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2. Log into your Umbrella dashboard as an Administrator.

3. Navigate to Settings > Integrations and click Check Point in the table to expand it.

4. Click See Domains. This opens a window displaying the Check Point Destination List that should include "sc1.checkpoint.com." From that point on, a searchable list will begin to be populated and grow.
   
   

Note: This destination list can also be altered in case of a domain appearing here that you do not wish to enforce on. Simply click the (Delete) icon to remove the domain.

 

Observing Events Added to the Check Point Security Category in ‘Audit Mode’

  

The next step is to observe and audit the events added to your new Check Point security category.

The events from your Check Point appliance will begin to populate a specific destination list that can be applied to policies as a Check Point security category. By default, the destination list and the security category are in 'audit mode' and are not applied to any policies and will not result in any change to your existing Umbrella policies.

Note: ‘Audit’ mode can be enabled for however long is necessary based on your deployment profile and network configuration.

Review Destination List

You can review the Check Point Destination List at any time.

1. Navigate to Settings > Integrations.
2. Expand Check Point in the table and click See Domains.

Review Security Settings for a Policy

You can review the security setting that can be enabled for a policy at any time.

1. Navigate to Policies > Security Settings.
2. Click a security setting in the table to expand it and scroll to Integrations to locate the Check Point setting.
   
   
   You can also review integration information through the Security Settings Summary page.
   
   

Applying the Check Point Security Settings in Block Mode to a Policy for Managed Clients

  

Once you're ready to have these additional security threats enforced against by clients managed by Umbrella, simply change the security setting on an existing policy, or create a new policy that sits above your default policy to ensure it's enforced first.

1. Navigate to Policies > Security Settings and under Integrations, check Check Point and click Save.
   
   

Next, in the Policy wizard, add this security setting to the policy you're editing:

1. Navigate to Policies > Policy List.
2. Expand a policy. and lick Edit under Security Setting Applied.
3. In the Security Settings pull-down, select a security setting that includes the Check Point setting.
   
   

The shield icon under Integrations updates to blue.
     4. Click Set & Return.

Check Point domains contained within the security setting for Check Point will be blocked for those identities using the policy.

 

Reporting within Umbrella for Check Point Events

  

Reporting on Check Point Security Events

The Check Point Destination List is one of the security categories lists you can report on. Most or all of the reports use the Security Categories as a filter. For instance, you can filter security categories to only show Check Point related activity.

1. Navigate to Reporting > Activity Search and under Security Categories select Check Point to filter the report to only show the security category for Check Point.
   

   Note: If Check Point integration is disabled, it will not appear in the Security Categories filter.

   
   
2. Click Apply to see Check Point related activity for the time period selected in the report.

Reporting on When Domains Were Added to the Check Point Destination List

The Umbrella Admin Audit log will include events from the Check Point appliance as it adds domains to the destination list. These domains will appear to be added by a "Check Point account" label, under the "User" column of the Audit Log.

To find the Umbrella Admin Audit log, navigate to Reporting > Admin Audit Log. In order to report on when a domain was added, filter to only include Check Point changes by applying a Filter by Identities & Settings for the "Check Point Block List".

Once you run the report, you should see a list of domains added to the Check Point destination list.

 

Handling Unwanted Detections or False Positives

  

Managing an Allow List for Unwanted Detection

Although unlikely, it is possible that domains added automatically by your Check Point appliance could potentially trigger an unwanted block that would cause your users to be blocked from accessing particular websites. In a situation like this, we recommend that you add the domain(s) to an allow list, which takes precedence over all other types of block lists, including Security Settings. An allow list takes precedence over a block list when a domain is present in both.

There are two reasons why this approach is preferred. First, in case the Check Point appliance was to re-add the domain again after it was removed, the allow list safeguards against this causing further issues. Secondly, the allow list shows a historical record of problematic domains for later forensics or audit reports.

By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.

If the Check Point Security Setting in Block mode is only applied to a subset of your managed Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for those identities or policies.

To create an allow list:

1. Navigate to Policies > Destination Lists, click the  (Add) icon.
2. Select Allow, and add your domain to the list.
3. Click Save.

Once the list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.

Deleting Domains from the Check Point Destination List

Next to each domain name in the Check Point Destination List is a (Delete) icon. Deleting domains lets you clean up the Check Point Destination List in the event of an unwanted detection.

However, the delete is not permanent if the Check Point appliance resends the domain to Umbrella.

To delete a domain:

1. Navigate to Settings > Integrations, then click Check Point to expand it.
2. Click See Domains.
3. Search for the domain name you want to delete.
4. Click the (Delete) icon.
   
5. Click Close.
6. Click Save.

In the instance of an unwanted detection or false positive, we recommend creating an allow list in Umbrella immediately and then remediating the false positive within the Check Point Appliance. Later, you can remove the domain from the Check Point Destination List.