Check Point Next Generation Threat Prevention integration
Summarize
Summary of Check Point Next Generation Threat Prevention integration
This integration connects Check Point Next Generation Threat Prevention (NGTP) with ServiceNow Security Incident Response (SIR) to enable seamless blocking of malicious IP addresses, URLs, and domains. It leverages the Block Request List feature configured as a Custom Intelligence Feed on Check Point Gateways, allowing dynamic enforcement of threat prevention policies without manual firewall commits.
Show less
Security incident analysts use this integration to create and manage block list entries from observables identified as malicious within ServiceNow SIR. The block lists are hosted on the ServiceNow AI Platform instance, acting as the external web server from which Check Point Gateways fetch updates at configured intervals.
Key features
- Support for multiple Block Lists applicable to different Check Point Gateways.
- Detailed reporting categorizing blocked sites by threat type such as phishing or malware, including allow-listed sites.
- Tagging of ServiceNow security incidents with Block List entries by observable type (URL, domain, IP address).
- Automatic expiration of Block List entries to maintain manageable list sizes.
- Search capabilities across multiple Block Lists.
- Linking Block List entries to observable records and associated security incidents to provide threat intelligence context.
Requirements and setup
- The Security Incident Response plugin (com.snc.securityincident) must be activated in ServiceNow.
- Supported Check Point Gateways must run version R80.20 or higher, with Custom Intelligence Feed, Anti-Bot, and Anti-Virus blades enabled. For R80.10, a specific hotfix (Jumbo HF take 121 or above) is required.
- SSH access to Check Point Gateway with expert mode enabled for command verification.
- ServiceNow San Diego release or later is supported.
Permissions and roles
- Administrator (admin): For installing the integration plugin.
- Security incident administrator (snsi.admin): To create Block Lists and approve block list entry changes.
- Security analyst (snsi.analyst): To create and maintain individual Block List entries.
Practical benefits for ServiceNow customers
This integration empowers security teams to automate the enforcement of threat prevention policies by dynamically sharing malicious observables identified in ServiceNow with Check Point Gateways. It streamlines response workflows by enabling analysts to manage block lists directly within ServiceNow, enhancing the efficiency and accuracy of blocking threats without manual firewall reconfiguration.
Customers can expect improved visibility into blocked threats, better control over block list management, and seamless synchronization between ServiceNow SIR and Check Point NGTP systems, ultimately strengthening their overall security posture.
This document describes the steps required to integrate Check Point Next Generation Threat Prevention (NGTP) capabilities with ServiceNow® Security Incident Response (SIR) so that applications function properly together.
Once installed and configured, the security incident analyst uses this integration to block malicious IP addresses, URLs, and Domains using Block Request List capabilities with the ServiceNow Security Incident Response (SIR) products. This Block Request List is configured on Check Point Gateways as a Custom Intelligence Feed. The Custom Intelligence Feeds feature provides an ability to add custom cyber intelligence feeds into the Next Generation Threat Prevention engine. It allows fetching feeds from a third-party server, in this case the ServiceNow Security Incident Response application, directly to the Check Point Next Generation Gateway to be enforced by Anti-Virus and Anti-Bot blades. The security incident response analyst creates entries for Check Point Block List from observables determined to be malicious on ServiceNow SIR security incidents.
For most implementations, a Block Request List is a csv file that is hosted on an external web server. For this integration, this web server is your ServiceNow AI Platform instance, which permits the Check Point next-generation Threat Prevention Engine to fetch the list of IP Addresses, URLs and Domains to be blocked.
To enforce the blocking observables on Check Point Gateway, ensure that Threat Prevention Policy is configured with Anti-Bot and Anti-Virus Blades activated. As the Block List entries are modified, the Threat Prevention Engine dynamically imports the list at the configured interval and enforces policy without a configuration change or a commit on the firewall. For this integration, ServiceNow AI Platform has created a table containing Block List entries that are retrieved by authorized Check Point next-generation Gateway at the configured retrieval intervals.
- Flexibility to create multiple Block Lists that apply to multiple Check Point Gateways.
- Detailed reporting on the types of sites being blocked (phishing, malware, and allow listed sites).
- Tagging of ServiceNow AI Platform security incidents with Block List entries by the observable type (URL, domain, IP address).
- Configuring Block List expiration periods to maintain Block List size by automatically expiring or removing older entries.
- Searching Block List entries between different Block Lists.
- Linking Block List entries to observable records and security incidents that include threat intelligence results and details about why an entry is blocked.
Integration architecture diagram
Below is the high-level architecture diagram depicting the components involved and integration points between NOW Platform and Check Point Systems.
Plugins
The integration requires that the Security Incident Response (com.snc.security_incident) plugin be activated.
- Log in to your instance with your HI credentials.
- Verify you have the administrator (admin) role.
- Navigate to System Definition>plugins in your instance.
- Select and click Security Incident Response.
Once these plugins have been installed, you are able to upload the new Check Point integration plugin from the ServiceNow store and follow the following configuration instructions.
Supported Check Point OS versions
This integration requires the Custom Intelligence Feed of Check Point and Anti-Bot and Anti-Virus blades. These are supported from R80.20 and higher. Install the hot fix of Custom Intelligence Feature known as Check Point R80.10 Jumbo HF take 121 and above. Refer to the Check Point Custom Intelligence Feed Documentation’s Installation section for more information on product compatibility matrix.
After installing the hot fix, ensure that below commands are accessible on Check Point Gateway. SSH to the Gateway and login to expert mode.
Supported ServiceNow versions
San Diego release version or later is supported.
References
- Custom Intelligence Feeds Feature - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193
- To set up Anti-Bot and Anti-Virus blades refer the Check Point User Guide. http://downloads.checkpoint.com/dc/download.htm?ID=46534
- To set up HTTPS Inspection on Check Point follow the link below. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202
Permissions and roles
- Administrator (admin) for installation of the integration application plugin
- Security incident administrator (sn_si.admin) for creating Block Lists in ServiceNow and approving requests for adding and deactivating Blocklist Entries.
- Security analyst (also referred to here as a SOC Analyst, sn_si.analyst) for creating and maintaining Block List Entry records.
For more information on assigning the security analyst role, on the ServiceNow documentation website, navigate to Security operations>Security Incident Response> Assigning security analysts.