Check Point Next Generation Threat Prevention integration

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Check Point Next Generation Threat Prevention integration

    This document outlines the integration of Check Point Next Generation Threat Prevention (NGTP) with ServiceNow® Security Incident Response (SIR). This integration enables security incident analysts to block malicious IP addresses, URLs, and domains effectively through a Block Request List, enhancing security incident management.

    Show full answer Show less

    Key Features

    • Custom Intelligence Feeds: Integrates third-party cyber intelligence directly into the Check Point Gateway for enforcement by Anti-Virus and Anti-Bot blades.
    • Dynamic Block List Management: Block List entries are automatically updated at configured intervals without requiring firewall configuration changes.
    • Flexible Block Lists: Ability to create multiple Block Lists applicable to various Check Point Gateways.
    • Detailed Reporting: Reports on blocked sites categorized by phishing, malware, and allow-listed sites.
    • Entry Tagging: Tagging Block List entries with observable types (URL, domain, IP address) for better tracking.
    • Expiration Management: Configurable expiration for Block List entries to manage size and relevance.
    • Linking to Security Incidents: Connects Block List entries to observable records and relevant security incidents for comprehensive threat intelligence.

    Key Outcomes

    By implementing this integration, customers can effectively manage and mitigate threats in real-time by blocking malicious entities while maintaining an organized and dynamic Block List. This results in enhanced security posture and streamlined incident response processes.

    Prerequisites

    • ServiceNow Requirements: San Diego release version or later is required.
    • Check Point OS Versions: Requires R80.20 and higher with specific hot fixes installed.
    • Roles and Permissions: Administrator and Security Incident Administrator roles are necessary for installation and management.

    Next Steps

    To proceed with the integration, ensure the required ServiceNow plugins are activated, install the Check Point integration plugin, and configure the necessary settings as outlined. For specific commands and detailed configuration, refer to Check Point's documentation.

    This document describes the steps required to integrate Check Point Next Generation Threat Prevention (NGTP) capabilities with ServiceNow® Security Incident Response (SIR) so that applications function properly together.

    Once installed and configured, the security incident analyst uses this integration to block malicious IP addresses, URLs, and Domains using Block Request List capabilities with the ServiceNow Security Incident Response (SIR) products. This Block Request List is configured on Check Point Gateways as a Custom Intelligence Feed. The Custom Intelligence Feeds feature provides an ability to add custom cyber intelligence feeds into the Next Generation Threat Prevention engine. It allows fetching feeds from a third-party server, in this case the ServiceNow Security Incident Response application, directly to the Check Point Next Generation Gateway to be enforced by Anti-Virus and Anti-Bot blades. The security incident response analyst creates entries for Check Point Block List from observables determined to be malicious on ServiceNow SIR security incidents.

    For most implementations, a Block Request List is a csv file that is hosted on an external web server. For this integration, this web server is your ServiceNow AI Platform instance, which permits the Check Point next-generation Threat Prevention Engine to fetch the list of IP Addresses, URLs and Domains to be blocked.

    To enforce the blocking observables on Check Point Gateway, ensure that Threat Prevention Policy is configured with Anti-Bot and Anti-Virus Blades activated. As the Block List entries are modified, the Threat Prevention Engine dynamically imports the list at the configured interval and enforces policy without a configuration change or a commit on the firewall. For this integration, ServiceNow AI Platform has created a table containing Block List entries that are retrieved by authorized Check Point next-generation Gateway at the configured retrieval intervals.

    The integration includes the following features:
    • Flexibility to create multiple Block Lists that apply to multiple Check Point Gateways.
    • Detailed reporting on the types of sites being blocked (phishing, malware, and allow listed sites).
    • Tagging of ServiceNow AI Platform security incidents with Block List entries by the observable type (URL, domain, IP address).
    • Configuring Block List expiration periods to maintain Block List size by automatically expiring or removing older entries.
    • Searching Block List entries between different Block Lists.
    • Linking Block List entries to observable records and security incidents that include threat intelligence results and details about why an entry is blocked.

    Integration architecture diagram

    Below is the high-level architecture diagram depicting the components involved and integration points between ServiceNow AI Platform and Check Point Systems.

    Integration architecture
    Note:
    The Check Point Systems logo, Anti-Virus Blade image, and Anti Bot Blade image are from Check Point Systems ©. They are the Property of Check Point Systems.

    Plugins

    The integration requires that the Security Incident Response (com.snc.security_incident) plugin be activated.

    To install Security Incident Response plugins:
    1. Log in to your instance with your HI credentials.
    2. Verify you have the administrator (admin) role.
    3. Navigate to System Definition>plugins in your instance.
    4. Select and click Security Incident Response.

    Once these plugins have been installed, you are able to upload the new Check Point integration plugin from the ServiceNow store and follow the following configuration instructions.

    Supported Check Point OS versions

    This integration requires the Custom Intelligence Feed of Check Point and Anti-Bot and Anti-Virus blades. These are supported from R80.20 and higher. Install the hot fix of Custom Intelligence Feature known as Check Point R80.10 Jumbo HF take 121 and above. Refer to the Check Point Custom Intelligence Feed Documentation’s Installation section for more information on product compatibility matrix.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193

    After installing the hot fix, ensure that below commands are accessible on Check Point Gateway. SSH to the Gateway and login to expert mode.

    Commands available on the Check Point Gateway

    Supported ServiceNow versions

    San Diego release version or later is supported.

    References

    Below are some of the Check Point references which are useful in setting up the Pre-requisites.
    1. Custom Intelligence Feeds Feature - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193
    2. To set up Anti-Bot and Anti-Virus blades refer the Check Point User Guide. http://downloads.checkpoint.com/dc/download.htm?ID=46534
    3. To set up HTTPS Inspection on Check Point follow the link below. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

    Permissions and roles

    The following ServiceNow roles are required.
    • Administrator (admin) for installation of the integration application plugin
    • Security incident administrator (sn_si.admin) for creating Block Lists in ServiceNow and approving requests for adding and deactivating Blocklist Entries.
    • Security analyst (also referred to here as a SOC Analyst, sn_si.analyst) for creating and maintaining Block List Entry records.

    For more information on assigning the security analyst role, on the ServiceNow documentation website, navigate to Security operations>Security Incident Response> Assigning security analysts.