Alert-Based Admission Control with Check Point

This section describes how to integrate Check Point Next Generation Firewall with IPS to support Alert-based admission control in your network.

Configuring Ivanti Policy Secure

This section describes the integration of IPS with Check Point Next Generation firewall. IPS integrates with Check Point’s syslog notification mechanism to receive the threat alert information from Check Point and takes an action based on the admin configured policies.

To view and add the admission control templates:

  1. Select Endpoint Policy > Admission Control > Templates.

  2. Select Endpoint Policy > Admission Control > Clients, choose Check Point Software Technologies Ltd-Firewall-Syslog-text as template during the template creation.

  3. Select the new template during policy creation (Endpoint Policy > Admission Control > Policies). Events and severities are populated based on the template.

Configuring Check Point Firewall

The IPS device must be added as a syslog server while configuring the Check Point firewall for sending the logging information. You must add Check Point firewall as syslog client on IPS.

cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)(generic)> [optional arguments]

cp_log_export add name pulse target-server 10.0.1.9 target-port 514 protocol udp format syslog

cp_log_export set name <name> filter-blade-in "value2”

One predefined family for "product" field (filter-blade-in):

TP for exporting only Threat Prevention logs (Anti-Bot,Anti-Exploit,Anti-Malware,Anti-Ransomware,Capsule Docs,Endpoint Compliance,Forensics,Full disc encryption,Media Encryption & Port Protection,Secure Client,Threat emulation,Threat extraction,Zero Phishing).

cp_log_export set name pulse filter-blade-in ”TP”

For exporting Check Point logs over syslog, see Log Exporter.

Troubleshooting

To verify the event logs on IPS, select System > Log/Monitoring > Event. Ensure Admission control events option is enabled in Event logs settings.

You can verify that the event logs are generated every time when an event is received from Check Point.

To verify the user access logs, select System >Logs & Monitoring > User Access to verify the user login related logs.