Overview
This document describes how to integrate ThreatSTOP’s Policy and Reporting services with a Check Point device:
- Automated retrieval and updates of IP Defense policies from ThreatSTOP’s systems to the Check Point.
- Automated collection and delivery of log files from the Check Point gateways to ThreatSTOP’s systems.
System view
The integration is performed by a Linux-based virtual machine provided by ThreatSTOP, named ThreatSTOP Centralized Manager (TSCM). After its initial installation, the TSCM will retrieve the list of subnets matching the policy configured via the ThreatSTOP Admin portal and make them available as a new Security Intelligence feed for Check Point. Optionally, the Check Point gateways can be configured to send the connection log events to the TSCM via syslog and the TSCM will package and upload log files to ThreatSTOP’s Portal, for analysis and reporting.
Fig 1.: Network traffic between ThreatSTOP services, the TSCM, and the Check Point Gateways.
Web Automation features
This document provides the steps when using the Web Automation features of ThreatSTOP. See this document for command line-based installation. The Web Automation features are:
- Client configuration settings are managed on the ThreatSTOP portal, instead of using the TSCM command line.
- Changes to the policy selection are automatically propagated from the portal to the TSCM
- The TSCM reports problems applying policies or uploading logs to the ThreatSTOP Portal, providing more visibility into potential system or network problems.
Compatibility
- The current version of TSCM is compatible with Check Point devices running:
  - R80.10 GAIA take 462 or later
    - including hotfix: Check_Point_R80.10_JHF_Hotfix_sk132193_FULL.tgz (adds support for 10,000+ entries)
    - including hotfix: Check_Point_R80.10_Log_Exporter_T50_sk122323_FULL.tgz
    - Either the Anti-Virus or the Anti-Bot Blade activated
  - R80.20 GAIA take 101 or later
    - including hotfix: Check_Point_R80.20_T101_Hotfix_sk132193_FULL.tgz
    - Hotfix Check_Point_R80_20_JUMBO_HF_Bundle_T47_sk137592_FULL.tgz adds support for 10,000+ entries.
    - Either the Anti-Virus or the Anti-Bot Blade activated
- Install the hotfix(es) via the Check Point Upgrade Service Engine (CPUSE).
Current version of TSCM
The current version of the TSCM virtual machine is 1.50. If your TSCM image is older, please download the latest version from the device configuration page in the Admin Portal. You can find out the TSCM version by running
$ tsadmin version
The current version of the Check Point module is 1.06 (included with TSCM 1.50 images)
Installation parameters for experienced users
If you have already created a device entry in the portal, and are familiar with the installation procedure, you can access the TSCM parameters below if you access this document from the Portal Device page.
| Setting | Value |
|---|---|
| Device ID | Retrieved from the device settings page |
| Policy (Block List) | Retrieved from the device settings page |
Link Command:
$ tsadmin add --type auto --device_id=[Device ID] --auto_key=[Device Key]
Prerequisites
System
The TSCM is delivered as an OVA or VHD image, built using Ubuntu 20.04 as the base Operating System. It is preconfigured with:
- 2 CPUs
- 2 GB of RAM
- 20 GB of disk space
You will need a Hypervisor such as vSphere, ESXi, Virtualbox or Hyper-V to deploy the image.
Connectivity
To retrieve its configuration and policy, and to upload log data, the TSCM needs the following connectivity:
- DNS over TCP - Policy service
  - Hostname: ts-dns.threatstop.com
  - IP Range: 192.124.129.0/24
  - Outbound TCP port 53 or 5353
- DNS over TLS - Configuration service
  - Hostname: ts-ctp.threatstop.com
  - IP Range: 204.68.97.208/28
  - Outbound TCP port 5353
- HTTPS - Log service
  - Hostname: logs.threatstop.com
  - IP range: 204.68.99.208/28
  - Outbound TCP port 443
  - Direct Connection or via Proxy
- NTP
  - Hostname: ntp.ubuntu.com
  - Outbound UDP port 123
It must also be able to communicate with the Check Point devices:
- HTTP
  - TCP Port 8002
  - From the Check Point Gateway to the TSCM
- Syslog
  - UDP Port 514
  - From the Check Point Gateway to the TSCM
Check Point credentials
To perform this installation, you need an admin account and the expert password. To set an expert password, follow the guide below:
ssh admin@checkpoint
gw-886a3a> set expert-password
Enter new expert password : ********
Enter new expert password (again) : ********
gw-886a3a> expert
Enter expert password:
Warning! All configurations should be done through clish
You are in expert mode now.
[Expert@gw-886a3a:0]#
Setup
Integrating ThreatSTOP with a Check Point device using TSCM Web-Auto is performed with the following steps:
- Configuring the device settings on the Admin Portal
- Downloading and loading the VM image
- Linking the TSCM to the Device entry using the TSCM tsadmin add --type auto command
- Installing the hotfix(es) to enable the features necessary for “Custom Intelligence Feeds”
- Enabling / verifying that at least one of the required blades (Anti-Virus or Anti-Bot) is activated in the gateway
- Creating a policy to enforce blocking of Anti-Virus or Anti-Bot hits
- Adding “Custom Intelligence Feeds” using the Check Point hotfix CLI utility “ioc_feeds”
- Setting up logging via the Check Point “cp_log_exporter” tool to the TSCM for upstream analysis
Step 1: Portal
During this step, you will create a device entry on the Admin Portal. You will select a device type (Check Point) and enter the configuration settings. A minimum configuration only requires a handful of settings but optional, advanced options are also available.
To create a Check Point device entry:
- Log into the Admin Portal with your ThreatSTOP account
- Browse to the Device page and click Add Device
- Select the Check Point model:
- Type: IP Defense
- Manufacturer: Check Point
- Model: GAIA R80
- Integration Type: TSCM with Web Automation
The Admin Portal will display a form to enter the device settings described below and the links to retrieve the TSCM image.
- Nickname: this is a mnemonic name used to identify the device. It can be set to any string (A-Z, 0-9, - and _). If you create multiple device entries, each entry must have a unique nickname. The Nickname will be used to identify the device on the TSCM and in the Reporting user interface.
- Policy: select a pre-defined policy or a customized policy. It must be an IP Defense Policy.
- IP Type: Access to the ThreatSTOP services is controlled in part using an ACL allowing the device IP to connect. If your device has a static public IP address (the most common case), select static. If your device has a dynamic public IP address, the ThreatSTOP services can look up the IP address using a DNS fully-qualified domain name (FQDN).
- Public IP address: In static mode, this is the public IP address of the TSCM. It is possible to configure multiple device entries with the same public IP address.
- Internal IP address: This is the internal address of the Check Point Gateway.
- Note: An optional field to store a note of your choice about the device - location, identifiers, model…
- Enable Log Upload: If enabled, the TSCM will send logs received from the device to the ThreatSTOP reporting system. This is the recommended setting. When disabled, logs for this device will not be available for reporting in the Portal.
- Blade: the blade you have activated in Check Point (Anti-Virus or Anti-Bot). It is fine to have both enabled, but only one can be set in the feed, per Check Point recommendations.
- Maximum Policy Size: Optional limit on the number of entries in the policy. If the policy becomes larger than this setting, the TSCM will truncate it down to the Maximum Policy Size.
Upon saving the form, a device entry will be created in ThreatSTOP’s cloud.
Advanced Settings
The TSCM supports the following advanced settings, which cover uncommon ASA configurations or network environments.
- Syslog IP address: Typically, logs will be sent over syslog by the device itself. If logs are sent from another IP address (for example, after being processed by a SIEM, or in High-Availability configurations), that IP address should be configured in this field.
- High-Availability IP addresses: See the HA / Cluster Setup section for more details.
- DNS Port: The TSCM uses TCP Port 53 (outbound connections) to retrieve policy data. If this port is blocked or filtered (for example, on networks using a DNS Application Layer Gateway), use this setting to switch to TCP Port 5353.
- Enable policy updates: this setting can be used to temporarily disable policy updates by the TSCM. This is not recommended, but can be used if device configuration changes need to be suspended.
- Log file size: the TSCM will upload logs after 15 minutes or when the log file size is reached. For systems under very heavy network traffic with many blocked connections, lowering this value will cause logs to be uploaded more often.
- Log Upload Proxy: If your environment requires using a proxy to reach HTTPS URLs, you can specify the address of a proxy. The proxy must support HTTPS using the CONNECT protocol. The proxy address must be http://address:port, where address is either an IP address or a fully-qualified domain name. HTTPS proxies are not supported. If you provide a proxy URL, the TSCM configuration will also prompt you for an optional user and password during the TSCM installation. Provide them if the proxy requires authentication.
Step 2: Download and boot image
After creating the device entry, download and boot the TSCM image.
You can choose between the OVA format (ESXi/vSphere, VirtualBox, Xen…) and the VHD format (Microsoft Hyper-V).
The download link is listed in the Step 2 section, as shown in this image.
- Click on the Copy Download Link to copy the link to your clipboard.
- Use an ftp client of your choice, or a tool such as curl
- For your security: after downloading the file, we encourage you to validate its SHA-256 checksum. Compute it as shown below and compare it to the checksum in the Portal.
$ shasum -a 256 <filename>
- Import the OVA or VHD file in your Hypervisor to create the virtual machine and start it.
Log into the TSCM
The TSCM virtual machine will use DHCP to obtain its IP address. If your Hypervisor doesn’t show the IP address assigned to the virtual machine, you can retrieve it from the console of the TSCM: it is displayed as part of the login prompt.
The virtual machine will be reachable using ssh:
- The default username is: threatstop
- The default password is: threatstop
Step 3: Link the TSCM to the Device entry
After booting the TSCM and logging in via ssh, the third setup step will link the virtual machine to the device entry created in Step #1.
The TSCM configuration utility, tsadmin (documented here), is covered in full below.
- Log in with the threatstop account using ssh
- Run the following command:
$ tsadmin add --type auto --device_id=[Device ID] --auto_key=[Device Key]
- The tsadmin command will output commands you can subsequently run on the Check Point device to complete the device installation. Make a note of these commands; if you forget to write them down, simply run tsadmin show <device name>.
At this time, the TSCM has successfully configured the device entry.
You can view the list of devices linked on the TSCM image:
$ tsadmin list
| Device name | Type | Device ID | Management IP | Log upload ID | Log | Log uploads |
|---|---|---|---|---|---|---|
| tstest | checkpoint | tdid_1234abcd | 10.0.50.3 | tdid_1234abcd | 100k | enabled |
- From this point on, the TSCM will retrieve policy data (IP subnets) and make them available over HTTP every hour.
- To force the initial update and proceed with testing, run the following command
$ tsadmin update <device name>
- The block lists and whitelists are made available over HTTP on port 8002. The URLs are:
http://<TSCM IP address>:8002/<device id>/threatstop-block.csv
The Threat feed URL and configuration commands can be retrieved by running tsadmin show <device name>:
threatstop@tsclient:~$ tsadmin show <device name>
[...]
Block List URL http://10.0.70.138:8002/tdid_1234abcd/threatstop-block.csv
Step 4: Install the hotfix(es) to enable the features necessary for “Custom Intelligence Feeds”
The following steps assume that you have admin access to Check Point web interface and have setup an expert password.
Install Hotfix(es)
Some hotfixes are not visible via the normal Check Point Upgrade Service Engine (CPUSE). Follow the guide below to install hotfix(es) not shown in the normal CPUSE interface.
Install required hotfix(es)
- Log into the Check Point web interface
https://<Check Point IP address>
- On the far left menu, scroll down to “Upgrades (CPUSE)” section and click “Status and Actions”.
- On the top right click the “Add Hotfixes from the Cloud” button.
- Select the Hotfix(es) you require to meet the minimum compatibility requirements for your version of Check Point.
- If you do not see the hotfix listed in CPUSE then click on the “Add Hotfixes from Cloud” button.
- Copy and paste the hotfix’s name and hit the search button.
- Select the hotfix from the search result to add it to available Hotfixes Package list.
- Install the hotfix by right-clicking it in the Hotfixes Package list and selecting “Install Update” from the menu. (Note: this may require a reboot of the device.)
- Repeat these steps until you’ve installed all required hotfixes
Step 5: Check Point Anti-Virus (av), Anti-Bot (ab) configuration
The following steps assume that you have admin access to the Check Point web interface and have set up an expert password.
Enable / Verify AB or AV blade is activated and configured
- Log into the Check Point smart console.
- Click on “Gateway & Servers”
- Right click on the device’s “Active Blade” column and select Edit.
- Make sure at least one of the Anti-Virus or Anti-Bot checkboxes is selected.
- Select the “Anti-Bot and Anti-Virus settings” on the left menu. We want “Activate mode” set to “According to policy”.
- Finally, “Publish” and “Install Policy” in the Check Point SmartConsole.
Step 6. Create a policy to enforce blocking Anti-Virus or Anti-Bot hits
Create “Custom Intelligence Feed” enforcement policy
- Log into the Check Point SmartConsole.
- Click on “Security Policies”
- Create a new policy named “ThreatSTOP-Block” and position it above any other policy with Anti-Bot or Anti-Virus active. The policies are read top to bottom.
- We recommend only enabling Anti-Virus / Anti-Bot under “Blade Activations” to keep the logging and analysis clear.
- Verify the Anti-Bot/Anti-Virus settings are set to defaults “Anti-Bot/Virus Blocked” for prevent, & ask is set to “Company Policy Anti-Bot/Virus”.
- Finally, “Publish” and “Install Policy” in the Check Point SmartConsole.
Step 7. Add “Custom Intelligence Feeds” using the Check Point hotfix CLI utility “ioc_feeds”
The following steps assume that you have admin access to the Check Point web interface and have set up an expert password. More information regarding this feature: Check Point Custom Intelligence Feed
Adding the ThreatSTOP feed
- Log into the Check Point via SSH.
- Activate “expert mode”. If you’ve not set an expert password you may be required to do so before continuing.
- Add the feed as shown substituting your TSCM’s IP address and ThreatSTOP Device ID (TDID).
ioc_feeds add --feed_name threatstop-block --transport http --resource "http://<TSCM IP address>:8002/<TDID>/threatstop-block.csv"
- You can retrieve an example Check Point configuration command by running tsadmin show <device name> on the TSCM command line.
- If you receive a “command not found” error after running ioc_feeds, ensure you’ve installed the proper hotfix for your Check Point version. The command is only available after the hotfix installation.
- To manually push the policy to the device run
ioc_feeds push
- To list all feeds on the device run
ioc_feeds show
Step 8. Set up logging via the Check Point “cp_log_exporter” tool to the TSCM for upstream analysis
The following steps assume that you have admin access to the Check Point web interface and have set up an expert password. The syslog feature is available in R80.10 as a hotfix (see the Compatibility section for details) and natively in R80.20 (no hotfix required).
Adding the ThreatSTOP log export target
- Log into the Check Point via SSH.
- Activate “expert mode”. If you’ve not set an expert password you may be required to do so before continuing.
- Add the log export target as shown, substituting your TSCM’s IP address. The commands run in expert mode, where $EXPORTERDIR points at the Log Exporter directory.
cp_log_export add name tssyslog target-server <TSCM IP Address> target-port 514 protocol udp format syslog
# downloads the ThreatSTOP log export configuration into place
cd $EXPORTERDIR/targets/tssyslog && \
curl_cli https://docs.threatstop.com/configs/ipfw/checkpoint/threatstop_format.xml -s -o threatstop_format.xml && \
curl_cli https://docs.threatstop.com/configs/ipfw/checkpoint/threatstop_fields.xml -s -o threatstop_fields.xml
# modifies the Check Point configuration file to use the ThreatSTOP log export configuration
# (a backup is kept in targetConfiguration.bak; the three sed expressions set the
# format header file, disable export of all fields, and set the field mapping file)
cd $EXPORTERDIR/targets/tssyslog && cp targetConfiguration.xml targetConfiguration.bak \
&& cat targetConfiguration.xml | sed -e 's/<formatHeaderFile\>.*\/formatHeaderFile/<formatHeaderFile\>threatstop_format\.xml<\/formatHeaderFile/' \
-e 's/<exportAllFields\>.*\/exportAllFields/<exportAllFields\>false<\/exportAllFields/' \
-e 's/<mappingConfiguration\>.*\/mappingConfiguration/<mappingConfiguration\>threatstop_fields.xml<\/mappingConfiguration/' > "targetConfiguration.tmp" \
&& mv targetConfiguration.tmp targetConfiguration.xml && cp_log_export restart name tssyslog
# If all went well you should see a message telling you logging is restarting
- You can retrieve an example Check Point configuration command by running tsadmin show <device name> on the TSCM command line.
- To list logging server entries on the device, run
cp_log_export show
The script above downloads the two ThreatSTOP configuration files (threatstop_format.xml and threatstop_fields.xml) directly; alternatively, download them to your Check Point device yourself.
To filter log traffic, the following hotfix is required by Check Point:
- Check Point log export filter hotfix (sk153152)
Optionally, if you would like to limit the amount of log traffic sent to the TSCM, run:
cp_log_export set name tssyslog filter-blade-in "Anti Malware,New Anti Virus,Anti Virus" && cp_log_export restart name tssyslog
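As an added example (not ThreatSTOP's or Check Point's script), the same three settings can be changed with an XML parser, so the edit does not depend on each element sitting on a single line as the sed command does. It assumes only the element names used above (formatHeaderFile, exportAllFields, mappingConfiguration) and locates them wherever they sit in the document; the sample configuration is constructed.

```python
"""Rewrite the three Log Exporter settings from Step 8 with an XML parser.

Added example, not ThreatSTOP's or Check Point's tool. Only the element names
from the sed command are assumed; the surrounding structure of the real
targetConfiguration.xml is not, because the elements are found with iter().
"""
import shutil
import xml.etree.ElementTree as ET

# Values the ThreatSTOP export target needs, as set by the sed one-liner.
THREATSTOP_SETTINGS = {
    "formatHeaderFile": "threatstop_format.xml",
    "exportAllFields": "false",
    "mappingConfiguration": "threatstop_fields.xml",
}

# Constructed stand-in for $EXPORTERDIR/targets/tssyslog/targetConfiguration.xml;
# the real file's root element, nesting and default values may differ.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<targetConfiguration>
  <formatSettings>
    <formatHeaderFile>default_format.xml</formatHeaderFile>
    <exportAllFields>true</exportAllFields>
    <mappingConfiguration>default_fields.xml</mappingConfiguration>
  </formatSettings>
</targetConfiguration>
"""


def apply_settings(root, settings=THREATSTOP_SETTINGS):
    """Set each element's text in place and return {name: previous_value}.

    Raises KeyError if an element is missing and ValueError if it appears more
    than once, so a file with an unexpected layout is left untouched rather
    than half-edited.
    """
    previous = {}
    for name, new_value in settings.items():
        matches = list(root.iter(name))
        if not matches:
            raise KeyError(f"<{name}> not found in target configuration")
        if len(matches) > 1:
            raise ValueError(f"<{name}> appears {len(matches)} times; refusing to guess")
        previous[name] = matches[0].text
        matches[0].text = new_value
    return previous


def rewrite_config_text(xml_text, settings=THREATSTOP_SETTINGS):
    """Return (new_xml_text, previous_values) for an XML document string."""
    root = ET.fromstring(xml_text)
    previous = apply_settings(root, settings)
    return ET.tostring(root, encoding="unicode"), previous


def rewrite_config_file(path, settings=THREATSTOP_SETTINGS):
    """Back up `path` to `path + '.bak'` and rewrite it in place.

    All settings are checked before anything is written, so the file is only
    modified when every element was found exactly once.
    """
    tree = ET.parse(path)
    previous = apply_settings(tree.getroot(), settings)
    shutil.copy2(path, path + ".bak")
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return previous


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python3 rewrite_target.py $EXPORTERDIR/targets/tssyslog/targetConfiguration.xml
        print("previous values:", rewrite_config_file(sys.argv[1]))
    else:
        new_text, old = rewrite_config_text(SAMPLE_CONFIG)
        print("previous values:", old)
        print(new_text)
```

After running it against the real file, restart the target with cp_log_export restart name tssyslog as in the step above.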
Logging and Reporting
If log upload is enabled, the TSCM will now upload logs every 15 minutes, as long as there were connections blocked by the policy since the last upload. The logs can be analyzed in the IP Defense Reports 15 minutes after they’ve been uploaded.
To check that the log upload feature is able to reach the server:
- After deploying the policy, generate log entries by trying to reach our test address through the device. The command should fail to connect.
curl http://bad.threatstop.com
- Run the following command on the TSCM to rotate and upload the log file
$ tsadmin logs
If the command doesn’t find a log file, it will exit immediately:
threatstop@tsclient:~$ tsadmin logs
[INFO ] : Starting log upload client
[INFO ] : Log upload client exited
- Log files are stored in /var/log/threatstop/devices/<device name>/syslog.
- If no log file is present, check that events are being logged using the Connection Event page (Analysis > Connection > Events) if the policy is configured to log to the event viewer.
- Also check that the IP address of the gateway is included in the syslog IP setting of the TSCM (account for NAT if applicable) and that the gateway can reach the TSCM over TCP/514.
Successful upload:
threatstop@tsclient:~$ tsadmin logs
[INFO ] : Starting log upload client
[INFO ] : [Uploader] Loading device configuration
[INFO ] : Processing logs for device [devicename]
[INFO ] : Starting ThreatSTOP logupload operation v2.00 at 24/05/2018 19:34:05
[INFO ] : Verifying log file [/var/log/threatstop/devices/checkpoint136/syslog.1] stats
[INFO ] : Processing [/var/log/threatstop/devices/devicename/syslog.1] log file
[INFO ] : Start sending data
[INFO ] : Preparing connection data
[INFO ] : Connecting to https://logs.threatstop.com:443/logupload.pl
[INFO ] : Upload was successful [200 OK]
[INFO ] : Completed processing for device [checkpoint136]
[INFO ] : Finish ThreatSTOP logupload operation at 24/05/2018 19:34:10 after 00:00:05
[INFO ] : Log upload client exited
If the command attempts to upload a log but fails, check the connectivity of the TSCM to ThreatSTOP’s log service, described in the connectivity section of this document.
Additional considerations
Support for multiple Check Point devices
A single TSCM and a single device entry can be configured to publish a policy to multiple Check Point devices. In this configuration, the same policy will be made available to each gateway, and logs for every gateway will appear under the same, unique device entry in the ThreatSTOP Reports. If you configure logging for upstream analysis and you would like to see it broken down by device, create device entries to get unique TDIDs for each device.
- You can create and distribute one Check Point “Threat Prevention” policy to multiple devices.
- Each device will need to run Step 7 - adding the IOC feed
- Optionally, each device will need to run Step 8 - enabling logging for upstream analysis
- If you run multiple devices with the same TDID entry, such as in an HA setup, see the HA configuration section for installation steps. The additional syslog source IPs are entered at the advanced configuration prompt:
tsadmin configure <device name> --advanced
...
Please enter all additional syslog source IP(s). Use none for none. Separate multiple entries with a space : [default none] 10.0.24.240 10.0.24.241
...
High Availability / HA / VRRP / Cluster installs
If you have an HA cluster via VRRP or traditional ClusterXL, you will need to:
- On the portal setup, be sure to enter all HA cluster member IP addresses as observed by the TSCM in the High-Availability IP addresses field located in the advanced section.
- If you are aggregating logs in a Security Center server or another type of Check Point log aggregation server, you will need to:
  - Install the log export hotfix listed in the requirements section on that device rather than on the firewall cluster members.
  - On the portal device configuration, add the IP address of the log aggregation server(s) to the Syslog IP address field.
  - Run the log export setup on the Security Center / log aggregation server.
Other operations
Current configuration
To view the current settings on the TSCM, run
$ tsadmin show <device name>
Configuration changes
- After the initial configuration is completed, settings can be edited on the Admin Portal and will be reflected on the device within 5 minutes, including Policy configuration changes.
Error reporting
The TSCM update process will report failures such as:
- failure to download the policy
- failure to connect to the log upload service
Failures are reported on the Device List page of the portal.
Software updates
To update the TSCM and retrieve new versions of the ThreatSTOP software, log in as threatstop and run the following command:
$ sudo apt-get update && sudo apt-get -y dist-upgrade
Uninstall steps
- To disable the integration on the Check Point firewall, the first step is the removal of the feed from the device using the ioc_feeds utility. The Check Point gateways will stop enforcing blocks once the ioc_feeds are removed.
ioc_feeds delete --feed_name threatstop-block
- If you set up logging, run the following to uninstall it. Change tssyslog to whatever you named the logging profile.
cp_log_export delete name tssyslog --apply-now
- Next, remove / rename the policy created in Step 6.
- Delete the device on the TSCM. This will stop policy retrieval and log forwarding.
$ tsadmin remove <device name>
- The last step is to delete the device entry on the Portal, using the Device List page. This step will cause the log data from the device to become unavailable in the Reporting interface of the Portal. If needed, you can recreate a new device entry for the same device, with the same or different settings. Note that the new entry will have a different Device ID for linking the TSCM.
Additional information
Troubleshooting
- Failure to link the device: tsadmin add fails with this error: “Failed to connect to Web Automation services”. The common cause is a network connectivity problem using DNS over TLS (outbound TCP connection to ts-ctp.threatstop.com on port 5353).
- Failure to link the device: tsadmin add fails with this error: “Failed to retrieve settings using Web Automation”. There are three common causes:
  - The Device ID or Device Key is not correct.
  - The system time is not correct. The virtual machine runs an NTP client which must be up-to-date. Check its status with the timedatectl command.
  - The new device entry has not been activated yet. Wait 2-3 minutes and retry.
- Failure to retrieve policy: tsadmin add fails with this error: “block list [name] could not be fetched from ThreatSTOP DNS servers.” There are two common causes:
  - A network connectivity problem using DNS over TCP (outbound connection to ts-dns.threatstop.com on port 53).
  - The policy is not available yet. It typically takes less than 15 minutes for new devices and new policies to be activated in the Policy Service.
- Failure to block traffic from the Check Point firewall.
  - Check in SmartConsole > Gateways & Servers > right click on the “Activated Blade” column > Edit that the Anti-Bot and/or Anti-Virus checkbox is selected and that the “Anti-Bot and Anti-Virus” Activation mode is set to “According to policy”.
  - Make sure the policy is being retrieved by the Check Point device and that the IP address you are testing with is in the threat feed retrieved on the Check Point device. SSH into the Check Point:
# Verify the Feed Name, Check Point appends '_http' to the feed name
gw-886a3a> expert
Enter expert password:
Warning! All configurations should be done through clish
You are in expert mode now.
[Expert@gw-886a3a:0]# ioc_feeds show
Feed Name: threatstop-block
Feed is Active
File will be fetched via HTTP
Resource: http://<IP ADDRESS OF TSCM>:8002/<TDID>/threatstop-block.csv
Action: Prevent
Total number of feeds: 1
Active feeds: 1
# cat - will output the policy contents to screen
[Expert@gw-886a3a:0]# cat /opt/CPsuite-R80.20/fw1/external_ioc/threatstop-block/threatstop-block_http
# grep - will filter the policy for a target. Verify the IP Address you are testing with is listed in the file.
[Expert@gw-886a3a:0]# cat /opt/CPsuite-R80.20/fw1/external_ioc/threatstop-block/threatstop-block_http|grep 64.87.3.133
TS-IOC137,64.87.3.133,ip,medium,medium,ab,TSioc:64.87.3.133
- If the network connectivity is ok, and 15 minutes have elapsed since the device entry was created, please contact ThreatSTOP Support at [email protected].
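The grep check above, and the Block List URL from Step 3, can be scripted. As an added example (not ThreatSTOP's or Check Point's code), the following validates the threatstop-block.csv feed served by the TSCM on port 8002: it assumes the 7-column layout seen in the grep output (name, value, type, confidence, severity, product, comment) and that the product column carries the blade selected on the Portal (ab or av); the sample feed is constructed.

```python
"""Validate a ThreatSTOP block feed as published by the TSCM for Check Point.

Added example, not ThreatSTOP's or Check Point's code. The column layout and
the meaning of the product column are assumptions taken from the single feed
line shown in the troubleshooting section. Point fetch_feed() at
http://<TSCM IP address>:8002/<TDID>/threatstop-block.csv to check a live TSCM.
"""
import csv
import io
import ipaddress
import urllib.request

COLUMNS = ("name", "value", "type", "confidence", "severity", "product", "comment")
# Above this many entries the Compatibility section says the sk132193 hotfix is needed.
LARGE_FEED_THRESHOLD = 10000

# Constructed sample feed (the real feed is generated by the TSCM); the third
# row is deliberately malformed to show how a bad entry is reported.
SAMPLE_FEED = """TS-IOC137,64.87.3.133,ip,medium,medium,ab,TSioc:64.87.3.133
TS-IOC138,198.51.100.0/24,ip,medium,medium,ab,TSioc:198.51.100.0/24
TS-IOC139,not-an-ip,ip,medium,medium,ab,TSioc:bad
TS-IOC140,203.0.113.7,ip,medium,medium,av,TSioc:203.0.113.7
"""


def fetch_feed(url, timeout=10):
    """Download the CSV text from the TSCM over plain HTTP (port 8002)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_feed(text):
    """Return (entries, problems).

    Each entry is a dict keyed by COLUMNS plus a parsed 'network'; rows with
    the wrong column count or a value that is not an IP/CIDR are reported in
    problems and skipped, mirroring what the gateway could not enforce.
    """
    entries, problems = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not "".join(row).strip():
            continue
        if len(row) != len(COLUMNS):
            problems.append(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(row)}")
            continue
        entry = dict(zip(COLUMNS, row))
        try:
            entry["network"] = ipaddress.ip_network(entry["value"], strict=False)
        except ValueError:
            problems.append(f"line {lineno}: value {entry['value']!r} is not an IP or CIDR")
            continue
        entries.append(entry)
    return entries, problems


def check_feed(text, expected_blade, test_ip=None):
    """Summarise the feed against the Blade chosen on the Portal device entry.

    If test_ip is given, 'covered_by' lists the feed entries whose value
    contains that address (what the grep in the troubleshooting step checks).
    """
    entries, problems = parse_feed(text)
    blades = {e["product"] for e in entries}
    if blades - {expected_blade}:
        problems.append(f"feed carries blades {sorted(blades)} but device is set to {expected_blade!r}")
    if len(entries) > LARGE_FEED_THRESHOLD:
        problems.append(f"{len(entries)} entries: the 10,000+ entries hotfix (sk132193) is required")
    covered = None
    if test_ip is not None:
        addr = ipaddress.ip_address(test_ip)
        covered = [e["name"] for e in entries if addr in e["network"]]
    return {"entries": len(entries), "blades": sorted(blades),
            "problems": problems, "covered_by": covered}


if __name__ == "__main__":
    import json
    import sys

    # Usage: python3 check_feed.py [feed URL] [blade] [test IP]
    text = fetch_feed(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FEED
    blade = sys.argv[2] if len(sys.argv) > 2 else "ab"
    test_ip = sys.argv[3] if len(sys.argv) > 3 else "64.87.3.133"
    print(json.dumps(check_feed(text, blade, test_ip), indent=2))
```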
Version history
- TSCM
| Version | Release Date | Notes |
|---|---|---|
| 1.38 | 2018-10-09 | Support for proxy-based log uploads |
| 1.37 | 2018-10-04 | Added network configuration tool |
| 1.36 | 2018-08-08 | Remove unnecessary duplicate IP warning; support for Check Point |
| 1.35 | 2018-05-08 | Support for advanced settings |
| 1.31 | 2018-03-26 | Fix for log upload script |
| 1.30 | 2018-02-06 | Support for Web Automation |
- Check Point Module
| Version | Release Date | Notes |
|---|---|---|
| 1.01 | 2019-04-29 | Added HA support |
| 1.00 | 2018-10-30 | Initial release |