Overview
The Cisco Umbrella integration with Check Point Anti-Bot Software Blade enables a Check Point device to send its Anti-Bot Software Blade alerts to Cisco Umbrella when the Blade discovers threats in the network traffic it inspects. Alerts received by Cisco Umbrella build a block list that can protect roaming laptops, tablets, and phones on networks not protected by the Check Point Anti-Bot Software Blade.
This guide provides instructions to configure a Check Point device to send Anti-Bot Software Blade alerts to Cisco Umbrella.
This integration was deprecated by Check Point in version R81.20 after it was initially released in R80.40.
How does this integration work?
The Cisco Umbrella integration with the Check Point Anti-Bot Software Blade appliance pushes threats that it has found (for example, domains that host malware, command and control for botnets, or phishing sites) to Cisco Umbrella for global enforcement.
Cisco Umbrella then validates the threat to ensure it can be added to a policy. If the information from the Check Point Anti-Bot Software Blade is confirmed to be a threat, the domain address is added to the Check Point Destination List as part of a security setting that can be applied to any Cisco Umbrella policy. That policy is immediately applied to any requests made from devices assigned to that policy.
Going forward, Cisco Umbrella automatically parses Check Point alerts and adds malicious sites to the Check Point Destination List. This extends Check Point protection to all remote users and devices and provides another layer of enforcement to your corporate network.
Configuration steps
Configuring the integration involves these steps:
- Enable the integration in Cisco Umbrella to generate an API token with a custom script.
- Deploy the API token and custom script on the Check Point appliance.
- Build/Edit a Check Point alert to post to this new script.
- Set Check Point events to be blocked within Cisco Umbrella.
Prerequisites
- A Check Point device with the Anti-Bot Software Blade
- Check Point software version R80.40 or higher
- Ensure the Check Point device can make outbound HTTP requests to "https://s-platform.api.opendns.com".
- A Cisco Umbrella package like DNS Essentials, DNS Advantage, SIG Essentials, or SIG Advantage.
- Cisco Umbrella Dashboard administrative rights.
Note: The Check Point integration is included only in Cisco Umbrella packages like DNS Essentials, DNS Advantage, SIG Essentials, or SIG Advantage. If you do not have one of these packages and would like to have the Check Point integration, please contact your Cisco Umbrella Account Manager. If you have the correct Cisco Umbrella package but do not see Check Point as an integration for your dashboard, please contact Cisco Umbrella Support.
Important: To avoid unwanted service interruptions, we recommend adding mission-critical domain names that should never be blocked (for example, google.com or salesforce.com) to the Global Allow List (or other destination lists as per your policy) prior to configuring the integration.
Mission-critical domains may include:
- The home page for your organization.
- Domains representing services you provide that might have both internal and external records. For example, "mail.myservicedomain.com" and "portal.myotherservicedomain.com".
- Lesser-known cloud-based applications you depend on that Cisco Umbrella may not include in automatic domain validation. For example, "localcloudservice.com".
These domains should be added to the Global Allow List, which is found under Policies > Destination Lists in Cisco Umbrella.
Step 1: Umbrella script and API token generation
- Log into the Cisco Umbrella Dashboard as an Administrator.
- Navigate to Policies > Policy Components > Integrations and select "Check Point" in the table to expand it.
- Select the Enable box.
- Copy the entire script, starting from the line with "#!/bin/bash". You will use the script in later steps.
- Select Save to enable the integration.
Step 2: Deploy the custom script on the Check Point appliance
The next steps are to install the custom Cisco Umbrella script on your Check Point appliance, and then enable it in the SmartDashboard.
- To install the custom script, SSH into the Check Point appliance as an admin.
- Next, launch "Expert Mode" by typing "expert" in the command line.
- Then change the working directory to $FWDIR/bin.
- Open a new file named "opendns" using a text editor (for example, the "vi" editor).
- Paste the Cisco Umbrella script into the file, then save the file and exit your editor.
- Make the custom Umbrella script executable by running "chmod +x opendns".
Note: If you upgrade or change Blade versions, then you will need to repeat these steps on that new version.
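The Step 2 procedure and the outbound-HTTPS prerequisite, as an added shell example that is not Cisco's or Check Point's own code. It assumes you run it from Expert mode (so $FWDIR is set) and pass the path of a file holding the script copied from the dashboard; the line-ending cleanup and the endpoint check are additions to the guide's steps.

```bash
#!/bin/bash
# Added example (not Cisco's or Check Point's code): installs the copied
# Umbrella "opendns" alert script into $FWDIR/bin without disturbing an
# existing copy on failure, and checks outbound HTTPS to the Umbrella endpoint.

install_opendns_script() {
    # $1: file holding the script copied from the Umbrella dashboard
    # $2: optional target directory (defaults to $FWDIR/bin, set in Expert mode)
    local src="$1"
    local bindir="${2:-${FWDIR:?FWDIR is not set; enter Expert mode first}/bin}"
    local dst="$bindir/opendns"
    local tmpfile

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Stage into a temp file so a rejected copy never clobbers a working script.
    tmpfile="$(mktemp "$bindir/.opendns.XXXXXX")" || return 1

    # Strip Windows line endings picked up when copying from a browser: a CR
    # after "#!/bin/bash" makes the kernel report "bad interpreter" and the
    # alert script then never runs.
    tr -d '\r' < "$src" > "$tmpfile" || { rm -f "$tmpfile"; return 1; }

    # The dashboard says to copy from the shebang line; refuse anything else.
    if [ "$(head -n 1 "$tmpfile")" != "#!/bin/bash" ]; then
        echo "refusing to install: $src does not start with #!/bin/bash" >&2
        rm -f "$tmpfile"
        return 1
    fi

    # Equivalent of the guide's "chmod +x opendns", then move into place.
    chmod +x "$tmpfile" && mv -f "$tmpfile" "$dst" && [ -x "$dst" ]
}

check_umbrella_reachable() {
    # Prerequisite from the guide: outbound HTTPS to the Umbrella endpoint.
    # Exit 0 means TLS connected and an HTTP response came back (any status).
    curl -sS -o /dev/null --max-time 10 "https://s-platform.api.opendns.com/" >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then
    install_opendns_script "$1" && echo "installed ${FWDIR}/bin/opendns"
    check_umbrella_reachable || echo "warning: s-platform.api.opendns.com not reachable over HTTPS" >&2
fi
```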
Step 3. Build or edit a Check Point alert to post to the new script
- Enable the SmartDashboard to post to the new script by logging in and launching the SmartDashboard.
- Open Global Properties.
- Within Global Properties, open Log and Alert > Alerts and do the following:
- Select "Send popup alert script" and "Run UserDefined script."
- Define "opendns" in the script fields for both.
- Select OK, and then from SmartDashboard, save and install your updated policy.
Step 4: Testing the Integration and setting Check Point events to be blocked
First, generate a test anti-bot blade event to appear in the Cisco Umbrella Dashboard:
- From any device on the network protected by your Check Point appliance, load the following URL in your browser: "http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"
- Log into the Cisco Umbrella dashboard as an administrator.
- Navigate to Policies > Policy Components > Integrations and select "Check Point" in the table to expand it.
- Select See Domains. This opens a window displaying the Check Point Destination List, which should include "sc1.checkpoint.com." From that point on, a searchable list will begin to be populated and grow.
Observing events added to the Check Point security category in "audit mode"
The next step is to observe and audit the events added to your new Check Point security category.
The events from your Check Point appliance will begin to populate a specific destination list that can be applied to policies as a Check Point security category. By default, the destination list and the security category are in "audit mode" and are not applied to any policies and will not result in any change to your existing Cisco Umbrella policies.
Note: "Audit mode" can be enabled for however long is necessary based on your deployment profile and network configuration.
Review Destination List
You can review the Check Point Destination List at any time in Cisco Umbrella:
- Navigate to Policies > Policy Components > Integrations.
- Expand Check Point in the table and select "See Domains."
Review Security Settings for a policy
You can review the security settings that can be enabled for a policy at any time in Cisco Umbrella:
- Navigate to Policies > Policy Components > Security Settings.
- Click a security setting in the table to expand it.
- Scroll to the Integrations section and expand the section to display the Check Point integration.
- Select the box for the Check Point integration, then select Save.
You can also review integration information through the Security Settings Summary page.
Applying the Check Point Security Settings in "Block mode" to a policy for managed clients
Once you're ready to have these additional security threats enforced by clients managed by Cisco Umbrella, change the security setting on an existing policy or create a new policy that sits above your default policy to ensure that it is enforced first.
- Ensure that the Check Point integration is still enabled as done in the previous section. Navigate to Policies > Policy Components > Security Settings and open the relevant setting.
- Under Integrations, verify that the "Check Point" box is selected. If not, select the box and select Save.
Next, in the Cisco Umbrella Policy wizard, add this security setting to a policy you're editing:
- Navigate to a policy: either Policies > DNS Policies or Policies > Web Policy.
- Expand a policy and under Security Setting Applied (DNS Policies) or Security Settings (Web Policy), select "Edit."
- In the Security Settings dropdown, select a security setting that includes the Check Point setting.
The shield icon under Integrations updates to blue.
- Select Set & Return (DNS Policies) or Save (Web Policy).
Check Point domains contained within the security setting for Check Point will be blocked for those identities using the policy.
Reporting within Umbrella for Check Point Events
Reporting on Check Point Security Events
The Check Point Destination List is one of the security categories available for reports. Most or all of the reports use the Security Categories as a filter. For instance, you can filter security categories to only show Check Point-related activity.
- Navigate to Reporting > Core Reports > Activity Search and under Security Categories, select "Check Point" to filter the report to only show the security category for Check Point.
Note: If the Check Point integration is disabled, it will not appear in the Security Categories filter.
- Select Apply to see Check Point-related activity for the period selected in the report.
Reporting on when domains were added to the Check Point destination list
The Cisco Umbrella Admin Audit log will include events from the Check Point appliance as it adds domains to the destination list. These domains will appear to be added by a "Check Point account" label, under the "User" column of the Audit log.
To find the Umbrella Admin Audit log, navigate to Reporting > Admin Audit Log. To report on when a domain was added, filter to only include Check Point changes by applying a Filter by Identities & Settings filter for the "Check Point Block List".
Once you run the report, you should see a list of domains added to the Check Point destination list.
Handling unwanted detections or false positives
Managing an allow list for unwanted detection
Although unlikely, it is possible that domains added automatically by your Check Point appliance could trigger an unwanted block that prevents your users from accessing particular websites. In a situation like this, Cisco Umbrella recommends adding the domain(s) to an allow list: when a domain is present in both an allow list and a block list, the allow list takes precedence over all other types of block lists, including Security Settings.
There are two reasons why this approach is preferred:
- First, if the Check Point appliance re-adds the domain after it was removed, the allow list safeguards against this causing further issues.
- Second, the allow list provides a historical record of problematic domains for later forensics or audit reports.
By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.
If the Check Point Security Setting in Block mode is only applied to a subset of your managed Cisco Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for those identities or policies.
To create an allow list:
- Navigate to Policies > Destination Lists, and select the "Add" icon.
- Select Allow, and add your domain to the list.
- Select Save.
Once the list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.
Deleting domains from the Check Point destination list
Next to each domain name in the Check Point destination list is a (Delete) icon. Deleting domains lets you clean up the Check Point destination list in the event of unwanted detection.
However, the delete is not permanent if the Check Point appliance resends the domain to Cisco Umbrella.
To delete a domain:
- Navigate to Settings > Integrations, then select "Check Point" to expand it.
- Select See Domains.
- Search for the domain name you want to delete.
- Select the "Delete" icon.
- Select Close.
- Select Save.
In the case of an unwanted detection or false positive, Cisco Umbrella recommends creating an allow list in Cisco Umbrella immediately and then remediating the false positive within the Check Point appliance. Later, you can remove the domain from the Check Point destination list.