
Check Point Security Management Server Adapter

 

Use the Check Point adapter to discover and back up end nodes that are managed by the Security Management Server (CPSMS).

Choose one of the following adapters to discover and back up end nodes that are managed by the CPSMS.

Check Point Security Management Server OPSEC Adapter

Use the Check Point Security Management Server OPSEC adapter to discover and back up end nodes that are managed by the CPSMS versions NGX R60 to R77.

The following features are available with the Check Point Security Management Server OPSEC adapter:

  • OPSEC protocol

  • Dynamic NAT

  • Static NAT

  • Static routing

The CPSMS adapter is built on the OPSEC SDK 6.0, which supports Check Point products that are configured to use certificates that are signed by using SHA-1 only.

The following table describes the integration requirements for the CPSMS adapter.

Table 1: Integration Requirements for the CPSMS Adapter

Integration requirement

Description

Versions

NGX R60 to R77

Required credential parameters

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Use the credentials that are set from Adding devices managed by a CPSMS console.

Supported connection protocols

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

CPSMS

Configuration requirements

To allow the cpsms_client to communicate with Check Point Management Server, the $CPDIR/conf/sic_policy.conf on CPSMS must include the following line:

# OPSEC applications default
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
# sam proxy
ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp

Required ports

The following ports are used by JSA Risk Manager and must be open on CPSMS:

Port 18190 for the Check Point Management Interface service (or CPMI)

Port 18210 for the Check Point Internal CA Pull Certificate Service (or FW1_ica_pull)

If you cannot use 18190 as a listening port for CPMI, then the CPSMS adapter port number must match the value listed in the $FWDIR/conf/fwopsec.conf file for CPMI on CPSMS. For example, cpmi_server auth_port 18190.
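The configuration and port requirements above can be checked before the adapter is pointed at the server. The following script is an added example, not part of the product documentation: it reports which of the listed sic_policy.conf rules are absent or commented out, and which CPMI port fwopsec.conf sets. It assumes that lines starting with # are comments and that CPMI listens on 18190 when no cpmi_server auth_port line is set; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Check copies of sic_policy.conf and fwopsec.conf against the requirements above.
squash() { tr -d ' \t\r'; }   # drop spacing so "ANY ; x" and "ANY;x" compare equal

required_rules() {            # the uncommented rules listed on this page
cat <<'EOF'
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp
EOF
}

# has_sic_rule FILE RULE: true if an uncommented line equals RULE, ignoring spacing
has_sic_rule() {
    want=$(printf '%s' "$2" | squash)
    grep -v '^[[:space:]]*#' "$1" | squash | grep -Fxq -- "$want"
}

# missing_sic_rules FILE: print each required rule that FILE lacks
missing_sic_rules() {
    required_rules | while IFS= read -r rule; do
        has_sic_rule "$1" "$rule" || printf '%s\n' "$rule"
    done
}

# cpmi_auth_port FILE: print the active "cpmi_server auth_port N" value.
# Assumption: with no such line, CPMI listens on 18190, the port named above.
cpmi_auth_port() {
    port=$(awk '$1 == "cpmi_server" && $2 == "auth_port" { p = $3 } END { print p }' "$1")
    echo "${port:-18190}"
}

# make_sample DIR: constructed test files (CPMI rule commented out, CPMI port moved)
make_sample() {
    { required_rules | grep -v CPMI_clients
      echo '# ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp'
    } > "$1/sic_policy.conf"
    printf '%s\n' '# cpmi_server auth_port 18190' 'cpmi_server auth_port 18191' \
        > "$1/fwopsec.conf"
}

tmp=$(mktemp -d); make_sample "$tmp"
echo "Missing SIC rules:"; missing_sic_rules "$tmp/sic_policy.conf"
echo "CPMI port to set on the adapter: $(cpmi_auth_port "$tmp/fwopsec.conf")"
rm -rf "$tmp"
```

On a real server, call missing_sic_rules and cpmi_auth_port on copies of $CPDIR/conf/sic_policy.conf and $FWDIR/conf/fwopsec.conf instead of the constructed sample.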

Check Point Security Management Server HTTPS Adapter

Use the Check Point Security Management Server HTTPS adapter to discover and back up end nodes that are connected to firewall blades that are managed by the Security Management Server version R80.

The following features are available with the Check Point Security Management Server HTTPS adapter:

  • Static NAT

  • Static routing

  • HTTPS connection protocol

The following features are not supported by the Check Point Security Management Server adapter:

  • Dynamic objects (network objects)

  • Security Zones (network objects)

  • RPC objects (services)

  • DCE-RPC objects (services)

  • ICMP services (services)

  • GTP objects (services)

  • Compound TCP objects (services)

  • Citrix TCP objects (services)

  • Other services (services)

  • User objects

  • Time objects

  • Access Control Policy criteria negation

Note

If you upgrade to the Check Point Security Management Server R80 from a previous version of Check Point SMS, you must rediscover your devices by using the Discover From Check Point HTTPS discovery method, even if your devices are recorded by Configuration Source Management.

The following table describes the integration requirements for the Check Point Security Management Server adapter.

Table 2: Integration Requirements for the Check Point Security Management Server Adapter

Integration requirement

Description

Versions

R80

Required credential parameters

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Note: You must add the credentials for the Check Point Security Management Server before you configure device discovery.

Username

Password

Device discovery configuration

To configure device discovery in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

To configure the discovery method, click Discover From Check Point HTTPS, enter the IP address of the Check Point Security Management Server, and then click OK.

Discover From Check Point HTTPS

Supported connection protocols

To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

HTTPS

User access level requirements

Read-write access all

Requested API endpoints

Use the following format to issue the listed commands to devices:

https://<management server>:<port>/web_api/<command>

show-simple-gateways
show-hosts
show-networks
show-address-ranges
show-groups
show-groups-with-exclusion
show-services-tcp
show-services-udp
show-service-groups
show-packages
show-access-rulebase
show-nat-rulebase
run-script
show-task
