Check Point Next Generation Firewall (NGFW) Out-of-the-box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

This article shows how to create an Automated Intelligence Feed List using Check Point Next-Gen Firewall (NGFW). 

Requirements

  1. Check Point NGFW Gaia OS R80.30 or greater
     - Check Point NGFW Threat Prevention Blade enabled
  2. A Lumu Defender subscription.

Out-of-the-box Integrations are part of Lumu Defender. This tier was built to help organizations orchestrate and automate defense against confirmed compromise instances. This tier allows the integration of Lumu’s real-time analysis into your security stack to mitigate and remediate compromise incidents quickly and precisely. To know more about Illumination options, visit our site.

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen. 
2. Locate the Check Point NGFW integration in the available apps area and click to add, then click to view details.

3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.
4. To generate the integration URL, add a description and select the threat types you want to include in the list.

Once you create the integration, you will be provided with the Integration URL:

Deleting an integration will cause URLs to be removed. This action cannot be undone. To reintegrate you will have to generate the URLs again and update your Check Point NGFW configuration.

Set Up Check Point NGFW

Now that you have the integration URL, it’s necessary to configure your instance of Check Point NGFW. 
Do not forget to install the new policy in your Gateway.

Adding an Automated Intelligence Feed List to the Gateway

The following instructions must be carried out in expert mode on your gateway.

Add the list created in the Lumu Portal as an automated intelligence feed list on your gateway. To do so, run the following command:

ioc_feeds add --feed_name <feed_name> --transport https --resource "<lumu_unique_adversaries_list>" --feed_action Prevent

The parameters in the command are as follows:
  1. feed_name: A unique name for your intelligence feed list. It must not contain blank spaces.
  2. lumu_unique_adversaries_list: The link generated in the final step of the previous section.

Example:

ioc_feeds add --feed_name remote_csv_feed --transport https --resource "https://lumudefenderprueba.s3.amazonaws.com/static/44d62b0f-93d1-4d2f-90b2-6193cb57b85c.txt" --feed_action Prevent

If you add new adversaries to your Lumu account, the firewall will pull the changes after 300 seconds by default, once the Lumu backend has updated the list. This interval can be decreased or increased with the set_interval command on your gateway:
  1. ioc_feeds set_interval <new_interval>
  2. new_interval: Must be an integer greater than 0. It represents the pull interval in seconds.

For more information about the available commands to create, modify or delete the automated intelligence feed list, consult Check Point NGFW’s official documentation.
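The two gateway commands above, wrapped in a small expert-mode helper that enforces the argument rules the article states (no blank spaces in feed_name, an https:// resource URL, an integer interval greater than 0) before anything is run. This is an added example, not part of the Lumu article or of Check Point's ioc_feeds tool; the DRY_RUN variable is an assumption of this script.

```shell
#!/bin/sh
# Added helper (not Lumu's or Check Point's code). Wraps:
#   ioc_feeds add --feed_name <name> --transport https --resource "<url>" --feed_action Prevent
#   ioc_feeds set_interval <seconds>
# Run in expert mode on the gateway. With DRY_RUN=1 (assumed name) the command
# line is printed instead of executed, so the arguments can be reviewed first.

# feed_name must be non-empty and contain no blank spaces.
valid_feed_name() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The integration URL generated in the Lumu Portal is served over HTTPS.
valid_feed_url() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# new_interval must be an integer strictly greater than 0 (seconds).
valid_interval() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# add_feed <feed_name> <lumu_unique_adversaries_list>
add_feed() {
    valid_feed_name "$1" || { echo "feed_name must be non-empty and contain no spaces" >&2; return 1; }
    valid_feed_url "$2"  || { echo "resource must be an https:// URL" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ioc_feeds add --feed_name %s --transport https --resource "%s" --feed_action Prevent\n' "$1" "$2"
    else
        ioc_feeds add --feed_name "$1" --transport https --resource "$2" --feed_action Prevent
    fi
}

# set_pull_interval <new_interval>
set_pull_interval() {
    valid_interval "$1" || { echo "interval must be an integer greater than 0" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ioc_feeds set_interval %s\n' "$1"
    else
        ioc_feeds set_interval "$1"
    fi
}
```

Source the file in expert mode and call, for example, `DRY_RUN=1 add_feed remote_csv_feed "https://…/list.txt"` to see the exact command line before running it for real; remember to install the policy on the gateway afterwards.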
