Check Point Next Generation Threat Prevention integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Check Point Next Generation Threat Prevention Integration

    This document outlines the integration process between Check Point Next Generation Threat Prevention (NGTP) and ServiceNow® Security Incident Response (SIR). This integration allows security incident analysts to block malicious IP addresses, URLs, and domains through the Block Request List capabilities, which are configured on Check Point Gateways as a Custom Intelligence Feed retrieved from the ServiceNow platform.

    Show full answer Show less

    Key Features

    • Ability to create multiple Block Lists for various Check Point Gateways.
    • Detailed reporting on blocked sites, categorized by phishing, malware, and allow-listed sites.
    • Tagging of security incidents in ServiceNow with Block List entries based on the type of observable (URL, domain, IP address).
    • Automatic expiration of older Block List entries to manage size.
    • Search functionality across different Block Lists.
    • Linking of Block List entries to observable records and detailed threat intelligence information.

    Key Outcomes

    Upon successful integration and configuration, security analysts can efficiently manage and enforce security policies without the need for frequent manual intervention. The integration dynamically updates the Block List and applies policies seamlessly, improving the organization’s threat prevention capabilities.

    Prerequisites

    Ensure the following requirements are met:

    • Activate the Security Incident Response (com.snc.securityincident) plugin in ServiceNow.
    • Supported Check Point OS versions: R80.20 and higher with the Custom Intelligence Feed feature.
    • ServiceNow version: San Diego release or later.

    Permissions and Roles

    The following ServiceNow roles are necessary for the integration:

    • Administrator (admin): Required for installing the integration application plugin.
    • Security Incident Administrator (snsi.admin): Responsible for creating Block Lists and managing entries.
    • Security Analyst (snsi.analyst): Tasked with maintaining Block List Entry records.

    This document describes the steps required to integrate Check Point Next Generation Threat Prevention (NGTP) capabilities with ServiceNow® Security Incident Response (SIR) so that applications function properly together.

    Once installed and configured, the security incident analyst uses this integration to block malicious IP addresses, URLs, and Domains using Block Request List capabilities with the ServiceNow Security Incident Response (SIR) products. This Block Request List is configured on Check Point Gateways as a Custom Intelligence Feed. The Custom Intelligence Feeds feature provides an ability to add custom cyber intelligence feeds into the Next Generation Threat Prevention engine. It allows fetching feeds from a third-party server, in this case the ServiceNow Security Incident Response application, directly to the Check Point Next Generation Gateway to be enforced by Anti-Virus and Anti-Bot blades. The security incident response analyst creates entries for Check Point Block List from observables determined to be malicious on ServiceNow SIR security incidents.

    For most implementations, a Block Request List is a csv file that is hosted on an external web server. For this integration, this web server is your ServiceNow AI Platform instance, which permits the Check Point next-generation Threat Prevention Engine to fetch the list of IP Addresses, URLs and Domains to be blocked.

    To enforce the blocking observables on Check Point Gateway, ensure that Threat Prevention Policy is configured with Anti-Bot and Anti-Virus Blades activated. As the Block List entries are modified, the Threat Prevention Engine dynamically imports the list at the configured interval and enforces policy without a configuration change or a commit on the firewall. For this integration, ServiceNow AI Platform has created a table containing Block List entries that are retrieved by authorized Check Point next-generation Gateway at the configured retrieval intervals.

    The integration includes the following features:
    • Flexibility to create multiple Block Lists that apply to multiple Check Point Gateways.
    • Detailed reporting on the types of sites being blocked (phishing, malware, and allow listed sites).
    • Tagging of ServiceNow AI Platform security incidents with Block List entries by the observable type (URL, domain, IP address).
    • Configuring Block List expiration periods to maintain Block List size by automatically expiring or removing older entries.
    • Searching Block List entries between different Block Lists.
    • Linking Block List entries to observable records and security incidents that include threat intelligence results and details about why an entry is blocked.

    Integration architecture diagram

    Below is the high-level architecture diagram depicting the components involved and integration points between ServiceNow AI Platform and Check Point Systems.

    Integration architecture
    Note:
    The Check Point Systems logo, Anti-Virus Blade image, and Anti Bot Blade image are from Check Point Systems ©. They are the Property of Check Point Systems.

    Plugins

    The integration requires that the Security Incident Response (com.snc.security_incident) plugin be activated.

    To install Security Incident Response plugins:
    1. Log in to your instance with your HI credentials.
    2. Verify you have the administrator (admin) role.
    3. Navigate to System Definition>plugins in your instance.
    4. Select and click Security Incident Response.

    Once these plugins have been installed, you are able to upload the new Check Point integration plugin from the ServiceNow store and follow the following configuration instructions.

    Supported Check Point OS versions

    This integration requires the Custom Intelligence Feed of Check Point and Anti-Bot and Anti-Virus blades. These are supported from R80.20 and higher. Install the hot fix of Custom Intelligence Feature known as Check Point R80.10 Jumbo HF take 121 and above. Refer to the Check Point Custom Intelligence Feed Documentation’s Installation section for more information on product compatibility matrix.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193

    After installing the hot fix, ensure that below commands are accessible on Check Point Gateway. SSH to the Gateway and login to expert mode.

    Commands available on the Check Point Gateway

    Supported ServiceNow versions

    San Diego release version or later is supported.

    References

    Below are some of the Check Point references which are useful in setting up the Pre-requisites.
    1. Custom Intelligence Feeds Feature - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193
    2. To set up Anti-Bot and Anti-Virus blades refer the Check Point User Guide. http://downloads.checkpoint.com/dc/download.htm?ID=46534
    3. To set up HTTPS Inspection on Check Point follow the link below. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

    Permissions and roles

    The following ServiceNow roles are required.
    • Administrator (admin) for installation of the integration application plugin
    • Security incident administrator (sn_si.admin) for creating Block Lists in ServiceNow and approving requests for adding and deactivating Blocklist Entries.
    • Security analyst (also referred to here as a SOC Analyst, sn_si.analyst) for creating and maintaining Block List Entry records.

    For more information on assigning the security analyst role, on the ServiceNow documentation website, navigate to Security operations>Security Incident Response> Assigning security analysts.