Integrations

External Integration - Checkpoint

External List Integration - Checkpoint Firewall


Check Point Firewall supports integration of external threat intelligence lists to enhance real-time protection. It allows importing IOCs such as IPs, domains, and URLs from trusted sources using supported formats like CSV or TXT.

Prerequisites:

1. Software Versions:

  • Security Management Server (SMS): Should be running R81 or higher to utilize the SmartConsole GUI for IOC feed integration.
  • Security Gateways: While gateways can be on R80.40 or higher, optimal compatibility is achieved with R81 or above.

2. Enabled Blades:

  • Ensure that the Threat Prevention blade is active on both the SMS and the Security Gateways.

3. Network Accessibility:

  • The Security Gateways must have network access to the external feed source, typically over HTTP or HTTPS.

Requirements:

1. Supported IOC Types:

Check Point supports various IOC types, including:

  • IP Addresses
  • Domains
  • URLs
  • File Hashes (MD5, SHA1, SHA256)
  • Email Addresses
  • Custom Snort Rules

2. Feed Formats:

Accepted formats for external feeds include:

  • Check Point CSV Format (.csv)
  • Custom CSV Format (.csv)
  • STIX 1.x XML Format (.xml)
  • Snort Format (.txt)

While the file extension can be .txt, the content must conform to one of the supported formats. For instance, a .txt file containing indicators in a structured form, such as one IP address or domain per line, can be used as a Custom CSV feed. In this case, you specify the appropriate parsing settings (delimiter, column order, indicator type) during feed configuration.
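Because a single malformed line can stop the gateway from parsing a plain-text feed, it is worth validating the file before hosting it. The following is an added example, not code from Check Point or from cybercheck360; it assumes a one-indicator-per-line feed with `#` comment lines, and the type labels it returns are its own, not Check Point's field values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed, as it might be hosted for a Custom CSV feed:
# one indicator per line, comments starting with '#'.
SAMPLE_FEED = """# constructed example list
203.0.113.7
198.51.100.0/24
malicious.example.net
https://bad.example.org/dropper.exe
not a valid indicator
2001:db8::1
"""

# Hostname rule: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I
)


def classify(line):
    """Return 'ip', 'ip_range', 'url', 'domain', 'invalid', or None for blank/comment lines."""
    value = line.strip()
    if not value or value.startswith("#"):
        return None
    try:
        ipaddress.ip_address(value)          # single IPv4/IPv6 address
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)  # CIDR block
        return "ip_range"
    except ValueError:
        pass
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return "invalid"


def validate_feed(text):
    """Count usable indicators by type and collect (line number, text) of lines that would break parsing."""
    counts, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind is None:
            continue
        if kind == "invalid":
            bad.append((lineno, line.strip()))
            continue
        counts[kind] = counts.get(kind, 0) + 1
    return counts, bad
```

Run `validate_feed(SAMPLE_FEED)` before publishing a list; any entry reported as invalid should be removed or corrected so the gateway's fetch does not fail on it.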

3. Feed Hosting:

  • Feeds should be hosted on a server accessible via HTTP or HTTPS.
  • Authentication can be configured if the feed requires it.

Configuration Steps:

1. Access SmartConsole:

  • Launch SmartConsole and connect to your Security Management Server.

2. Navigate to Indicators:

  • Go to Security Policies > Threat Prevention > Custom Policy Tools > Indicators.

3. Add New IOC Feed:

  • Click on New and select External IOC Feed.

4. Configure Feed Details:

  • Name: Assign a unique name to the feed.

  • Feed URL: Enter the full URL (starting with http:// or https://) of the external feed.

    1. For a cybercheck360 List, obtain the feed URL from the List Export section (Export-list).
    2. For a cybercheck360 EDL, obtain the feed URL from the EDL Export section (Export-EDL).

  • Action: Choose the desired action:
    • Prevent: Block traffic matching the indicators.
    • Detect: Log traffic matching the indicators without blocking.
    • Inactive: Disable the feed.

  • Authentication: If required, enter the username and password for the feed.

  • Proxy Settings: Configure if the feed access requires a proxy.

5. Test Connectivity:

  • Use the Test Connectivity option to ensure the feed is reachable and correctly configured.

6. Save and Install Policy:

  • Click OK to save the feed configuration.
  • Install the Threat Prevention policy to apply the changes.

Limitations:

Feed Size:

  • While Check Point does not specify a strict limit, it's advisable to keep the number of indicators manageable to avoid performance degradation.

Update Interval:

  • By default, feeds are fetched every 30 minutes. This interval can be adjusted via the CLI using the ioc_feeds set_interval command.

Memory Usage:

  • Before loading more than 2 million patterns, the system checks if at least 50% of the total memory is free to prevent resource exhaustion.

Version Compatibility:

  • Some features, like feed authentication and Snort rule integration, require specific versions (e.g., R81.20 or higher).

Official Documentation:

For detailed information and further guidance, refer to the following official Check Point documentation: