The Lumu Defender API offers a framework to help you leverage Lumu’s integrations with your existing cybersecurity stack, including Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); Endpoint Detection and Response (EDR); incident response systems; and more.
This article shows how to create an Automated Intelligence Feed List using Check Point Next-Gen Firewall (NGFW).
Requirements
- A Lumu Defender subscription.
Integration Setup - Lumu Portal
This section describes the steps that must be completed on the Lumu Portal to properly set up the Check Point NGFW integration. To start, log into your Lumu account through the Lumu Portal.
Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.
2. Locate the Check Point NGFW integration in the available apps area and click on Add.
3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.
4. Provide a meaningful Name. Under Threat Types, choose the specific threat mappings you want to push to Check Point NGFW. Select the option Include IP Indicators to include IP addresses in the information sent to your feed list. When done, click on the orange Create button.
If you leave the Include IP Indicators option unselected, you won’t be able to change it later. You will need to remove the integration and repeat all the steps again.
Please note that you cannot modify the information on this screen. Exercise caution when selecting Threat Types, as changes cannot be made later.
5. Once you create the integration, you will be provided with the Integration ID and the Blocklist URL.
Deleting an integration will cause URLs to be removed. This action cannot be undone. To reintegrate you will have to generate the URLs again and update your Check Point NGFW configuration.
Integration Setup - Check Point NGFW
Now that you have the integration URL, it’s necessary to configure your instance of Check Point NGFW. You will add an automated intelligence feed to the Check Point Gateway, pointing to the Lumu integration URL. You can add it by using one of the following methods.
- Via the Check Point SmartConsole (Manager)
- Via the Check Point Gateway CLI access
Follow the method that best fits how you manage your Check Point Firewall.
Ensure that Autonomous Threat Prevention, or the Anti-Bot and Anti-Virus Software Blades, are configured and enabled on the Security Gateway, not only activated. These blades must be explicitly referenced in your security policies in Prevent mode. Otherwise, your Security Gateway will not take advantage of the Lumu integration.
Adding an Automated Intelligence Feed List to the Gateway via the Check Point SmartConsole
Check Point SmartConsole is Windows-based software that provides a graphical user interface for managing Security Management Servers. Open your SmartConsole instance, log in to your Security Gateway, and follow these instructions.
1. Head to the left navigation bar and click Security Policies. Then, click the Custom Policy option under the Threat Prevention section. This will enable the Custom Policy Tools at the bottom of the menu. Select the Indicators option.
2. Click New (*) and select the External IOC feed button in the top part of the Indicators window.
3. Fill in the information in the Indicator window as follows:
- Give the object a distinctive name.
- Enable the Active toggle.
- Paste the Lumu integration Blocklist URL collected in step 5 of the Integration Setup - Lumu Portal section into the Feed URL field.
- Disable the Use gateway proxy for connection toggle.
You can test the feed by clicking the Test Connectivity button. Fix any connection issue before clicking the OK button to finish your configuration.