Check Point and Cisco Umbrella Integration Overview
With integration between the Check Point Anti-Bot Software Blade and Cisco Umbrella, security officers and administrators are now able to extend protection against today's advanced threats to roaming laptops, tablets, or phones while also providing another layer of enforcement to a distributed corporate network.
This guide outlines how to configure Check Point to communicate with Umbrella so security events from Check Point are integrated into policies that can be applied to clients protected by your Cisco Umbrella.
Cisco Umbrella and Check Point Integration: How does it work?
The Check Point Anti-Bot Software Blade appliance pushes threats that it has found—for example, domains that host malware, command and control for botnets, or phishing sites—to Cisco Umbrella for global enforcement.
Umbrella then validates the threat to ensure it can be added to a policy. If the information from the Check Point Anti-Bot Software Blade is confirmed to be a threat, the domain address is added to the Check Point Destination List as part of a security setting that can be applied to any Umbrella policy. That policy is immediately applied to any requests being made from devices assigned to that policy.
Going forward, Cisco Umbrella automatically parses Check Point alerts and adds malicious sites to the Check Point Destination List—extending Check Point protection to all remote users and devices, providing another layer of enforcement to your corporate network.
This is achieved through these simple setup steps:
- Enable the integration in Umbrella to generate an API token with a custom script.
- Deploy the API token and custom script on the Check Point appliance.
- Build/Edit a Check Point alert to post to this new script.
- Set Check Point events to be blocked within Umbrella.
Prerequisites
- A Check Point Anti-Bot Software Blade with access to the public Internet.
- Umbrella dashboard administrative rights.
- The Umbrella dashboard must have the Check Point integration enabled.
Note: Check Point integration is only included in the Umbrella Platform package. If you do not have the Platform package and would like to have Check Point integration, please contact your Check Point representative. If you have the Platform package but do not see Check Point as an integration for your dashboard, please contact Technical Support.
Important: Although Cisco Umbrella validates domains before adding them and allows domains known to be generally safe (for example, Google and Salesforce), to avoid unwanted interruptions we suggest adding any domains you never want blocked to the Global Allow List (or to other destination lists, as your policy requires). Domains worth considering include:
- Your organization's home page. For example, mydomain.com
- Domains for services you provide that may have both internal and external records. For example, mail.myservicedomain.com and portal.myotherservicedomain.com
- Lesser-known cloud applications you depend on heavily that Cisco Umbrella may not recognize or include in its automatic domain validation. For example, localcloudservice.com
These domains should be added to the Global Allow List, which is found in Umbrella under Policies > Destination Lists (https://dashboard2.opendns.com/#configuration/policysettings/domainlists).
Step 1: Umbrella Script and API Token Generation
Log into the Umbrella dashboard as an Administrator.
Navigate to Settings > Integrations and click Check Point in the table to expand it.
Check Enable to generate your token/URL. This will generate and show your unique Umbrella token as a part of a script you will want to copy.
Click Save to enable the integration, then copy the entire script. You'll need to use it in the next step.
Step 2: Deploy the custom script with token on Check Point appliance
The next step is to deploy the custom Umbrella script on your Check Point appliance. The steps are to first copy and install the custom script, then enable it in the SmartDashboard.
- To install the custom script, first SSH into the Check Point appliance as admin.
- Launch Expert Mode by typing "expert" at the command line.
- Change the working directory to $FWDIR/bin.
- Open a new file named 'opendns'.
- Copy and paste the Umbrella script into it, with your custom token in place of the <your Umbrella token> variable listed in the script.
- Lastly, make the custom Umbrella script executable by running "chmod +x opendns".
Note: If you upgrade or change blade versions you will need to repeat these steps on that new version.
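To make the file-deployment part of Step 2 repeatable and checkable, here is an added shell example; it is not Cisco's, Umbrella's or Check Point's own code. It assumes the script text copied from the Umbrella dashboard has been saved to a template file that still contains the literal placeholder <your Umbrella token>, that the token is supplied as an argument, and that $FWDIR is set (as it is in expert mode). The function names deploy_opendns_script and verify_opendns_script are hypothetical, and the optional destination-directory argument exists only so the function can be exercised outside an appliance.

```shell
#!/bin/sh
# Added example (not Cisco, Umbrella or Check Point code): installs the Umbrella
# alert script as $FWDIR/bin/opendns, fills in the token, and verifies the result
# before the SmartDashboard alert is pointed at it.

# verify_opendns_script PATH
# Checks that the deployed script exists, starts with a shebang, is executable,
# and no longer contains the unreplaced placeholder. Returns non-zero on any problem.
verify_opendns_script() {
    f="$1"
    status=0
    [ -f "$f" ] || { echo "missing: $f" >&2; status=1; }
    if [ -f "$f" ] && ! head -n 1 "$f" | grep -q '^#!'; then
        echo "no interpreter line (#!) at top of $f" >&2; status=1
    fi
    [ -x "$f" ] || { echo "not executable: $f" >&2; status=1; }
    if [ -f "$f" ] && grep -qF -- '<your Umbrella token>' "$f"; then
        echo "placeholder still present in $f" >&2; status=1
    fi
    return $status
}

# deploy_opendns_script TEMPLATE TOKEN [DEST_DIR]
# Writes DEST_DIR/opendns (default $FWDIR/bin/opendns) from TEMPLATE with the
# placeholder replaced by TOKEN, restricts permissions, then verifies the file.
deploy_opendns_script() {
    template="$1"
    token="$2"
    placeholder='<your Umbrella token>'

    # Refuse to guess a directory: an empty FWDIR would otherwise expand to /bin.
    if [ -n "${3:-}" ]; then
        dest_dir="$3"
    elif [ -n "${FWDIR:-}" ]; then
        dest_dir="$FWDIR/bin"
    else
        echo "FWDIR is not set; enter expert mode first" >&2; return 1
    fi
    target="$dest_dir/opendns"

    [ -r "$template" ] || { echo "template $template not readable" >&2; return 1; }
    [ -n "$token" ] || { echo "empty token" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "$dest_dir does not exist" >&2; return 1; }
    grep -qF -- "$placeholder" "$template" || { echo "placeholder not found in $template" >&2; return 1; }

    # Literal substitution via ENVIRON: unlike sed, the token may safely contain
    # '/', '&' or backslashes without being interpreted.
    PH="$placeholder" TOK="$token" awk '
        BEGIN { ph = ENVIRON["PH"]; tok = ENVIRON["TOK"] }
        {
            line = $0; out = ""
            while ((i = index(line, ph)) > 0) {
                out = out substr(line, 1, i - 1) tok
                line = substr(line, i + length(ph))
            }
            print out line
        }' "$template" > "$target" || return 1

    # The file now carries an API credential. The page uses "chmod +x"; 750 keeps
    # it executable for owner and group while dropping world access.
    chmod 750 "$target" || return 1
    verify_opendns_script "$target"
}

# Usage on the appliance, in expert mode, after saving the dashboard script to
# /tmp/umbrella_template.sh (hypothetical path):
#   deploy_opendns_script /tmp/umbrella_template.sh "$UMBRELLA_TOKEN"
```

Re-run verify_opendns_script after any upgrade or blade change, since the note above says the deployment has to be repeated on the new version; it catches the three failure modes seen most often with user-defined alert scripts: a placeholder that was never replaced, a missing interpreter line, and a file that was never made executable.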
Step 3. Build or edit a Check Point alert to post to the new script
- We start by enabling the SmartDashboard to post to the new script. Begin by logging in and launching the SmartDashboard.
- Open Global Properties.
- Within Global Properties, open Log and Alert > Alerts.
- Check both Send popup alert script and Run UserDefined script.
- Enter "opendns" in the script field for each.
- Click OK, then save and install your updated policy from SmartDashboard.
Step 4: Testing the Integration and setting Check Point events to be blocked
First, generate a test Anti-Bot blade event so that it appears in the Umbrella dashboard.
From any device on the network protected by your Check Point appliance, load the following URL in your browser: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html
Log into your Umbrella dashboard as an Administrator.
Navigate to Settings > Integrations and click Check Point in the table to expand it.
Click See Domains. This opens a window displaying the Check Point Destination List that should include "sc1.checkpoint.com." From that point on, a searchable list will begin to be populated and grow.
Observing events added to the Check Point Security Category in ‘Audit mode’
The next step is to observe and audit the events added to your new Check Point security category.
The events from your Check Point appliance populate a specific destination list that can be applied to policies as a Check Point security category. By default, the destination list and the security category are in 'audit mode': they are not applied to any policy and do not change your existing Umbrella policies.
Note: ‘Audit’ mode can be enabled for however long is necessary based on your deployment profile and network configuration.
Review destination list
You can review the Check Point Destination List at any time.
- Navigate to Settings > Integrations.
- Expand Check Point in the table and click See Domains.
Review security settings for a policy
You can review the security setting that can be enabled for a policy at any time.
- Navigate to Policies > Security Categories.
- Click a policy in the table to expand it and scroll to Integrations to locate the Check Point setting.
When getting started, it's best to leave Check Point set to Allow (default) in order to ensure domains are correctly populating in an 'audit' mode.
Applying the Check Point Security Settings in Block Mode to a Policy for managed clients
Once you're ready to enforce against these additional threats for clients managed by Umbrella, change the security setting on an existing policy, or create a new policy that sits above your default policy so that it is evaluated first.
First, create or update an existing Security Setting. Navigate to Policies > Security Categories. You can edit the Default Security Settings to enable the Check Point security category in block mode or create a new security setting with the Check Point security category enabled in block mode.
Simply click the icon to change the Check Point Security Setting from Allow to Block.
Next, in the Policy wizard, add a security setting to the policy you're editing:
- Navigate to Policies > Policy List.
- Expand a policy.
- Click the Select Policy Settings tab.
- In the Security Settings to enforce pull-down, select a security setting that includes the Block for Check Point setting.
- Click Save.
Note: It’s possible to edit your security settings from the Policy wizard if you so choose.
Complete and save the policy, and the Check Point domains contained within the security setting for Check Point will be blocked for those identities using the policy.
Reporting within Umbrella for Check Point Events
Reporting on Check Point Security Events
The Check Point Destination List is one of the security categories lists you can report on. Most or all of the reports use the Security Categories as a filter. For instance, to see the activity for website addresses that were blocked by the Check Point Destination List, go to Reporting > Activity Search. Apply a Security Categories filter for Check Point then run the report to see the activity for the time period selected in the report.
To run a report of the Security Activity associated with domains originating with the Check Point Appliance, go to Reporting > Activity Search and select the report to run only for that category.
Reporting on when domains were added to the Check Point Destination List
The Umbrella Admin Audit log includes events from the Check Point appliance as it adds domains to the destination list. These additions appear under the "User" column of the Audit Log with the label "Check Point account".
To find the Umbrella Admin Audit log, navigate to Reporting > Admin Audit Log. In order to report on when a domain was added, filter to only include Check Point changes by applying a Filter by Identities & Settings for the "Check Point Block List".
Once you run the report, you should see a list of domains added to the Check Point destination list.
Handling Unwanted Detections or False Positives
Managing an Allow List for Unwanted Detection
Although unlikely, domains added automatically by your Check Point appliance could trigger an unwanted block that prevents your users from reaching particular websites. In that case, we recommend adding the domain(s) to an allow list: when a domain is present in both an allow list and any kind of block list, including Security Settings, the allow list takes precedence.
There are two reasons why this approach is preferred. First, if the Check Point appliance re-adds the domain after it has been removed, the allow list prevents that from causing further issues. Second, the allow list keeps a historical record of problematic domains for later forensics or audit reports.
By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.
If the Check Point Security Setting in Block mode is only applied to a subset of your managed Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for those identities or policies.
To create an allow list:
- Navigate to Policies > Destination Lists, click the Add icon and then select Add Allow List.
- Give the destination list a meaningful name and add your domain to the list.
- Click Save.
Once the list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.
Deleting Domains from the Check Point Destination List
Next to each domain name in the Check Point Destination List is a (Delete) icon. Deleting domains lets you clean up the Check Point Destination List in the event of an unwanted detection.
However, the delete is not permanent if the Check Point appliance resends the domain to Umbrella.
To delete a domain:
- Navigate to Settings > Integrations, then click Check Point to expand it.
- Click See Domains.
- Search for the domain name you want to delete.
- Click the (Delete) icon.
- Click Close.
- Click Save.
In the instance of an unwanted detection or false positive, we recommend creating an allow list in Umbrella immediately and then remediating the false positive within the Check Point Appliance. Later, you can remove the domain from the Check Point Destination List.