Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Check Point Security Management Server Adapter

 

Use the Check Point adapter to discover and backup end nodes that are managed by the Security Management Server (CPSMS).

Choose one of the following adapters to discover and backup end nodes that are managed by the CPSMS.

Check Point Security Management Server OPSEC Adapter

Use the Check Point Security Management Server OPSEC adapter to discover and backup end nodes that are managed by the CPSMS versions NGX R60 to R77.

The following features are available with the Check Point Security Management Server OPSEC adapter:

  • OPSEC protocol

  • Dynamic NAT

  • Static NAT

  • Static routing

The CPSMS adapter is built on the OPSEC SDK 6.0, which supports Check Point products that are configured to use certificates that are signed by using SHA-1 only.

The following table describes the integration requirements for the CPSMS adapter.

Table 1: Integration Requirements for the CPSMS Adapter

Integration requirement

Description

Versions

NGX R60 to R77

Required credential parameters

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Use the credentials that are set from Adding devices managed by a CPSMS console.

Supported connection protocols

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

CPSMS

Configuration requirements

To allow the cpsms_client to communicate with Check Point Management Server, the $CPDIR/conf/sic_policy.conf on CPSMS must include the following line:

# OPSEC applications defaultANY ; SAM_clients ;
ANY ; sam ; sslca, local, sslca_comp# sam
proxyANY ; Modules, DN_Mgmt ; ANY; sam ;
sslcaANY ; ELA_clients ; ANY ; ela ; sslca,
local, sslca_compANY ; LEA_clients ; ANY ; lea ;
sslca, local, sslca_compANY ; CPMI_clients; ANY
; cpmi ; sslca, local, sslca_comp

Required ports

The following ports are used by JSA Risk Manager and must be open on CPSMS:

Port 18190 for the Check Point Management Interface service (or CPMI)

Port 18210 for the Check Point Internal CA Pull Certificate Service (or FW1_ica_pull)

If you cannot use 18190 as a listening port for CPMI, then the CPSMS adapter port number must be similar to the value listed in the $FWDIR/conf/fwopsec.conf file for CPMI on CPSMS. For example, cpmi_server auth_port 18190.

Check Point Security Management Server HTTPS Adapter

Use the Check Point Security Management Server HTTPS adapter to discover and backup end nodes that are connected to firewall blades that are managed by the Security Management Server version R80.

The following features are available with the Check Point Security Management Server HTTPS adapter:

  • Static NAT

  • Static routing

  • HTTPS connection protocol

The following features are not supported by the Check Point Security Management Server adapter:

  • Dynamic objects (network objects)

  • Security Zones (network objects)

  • RPC objects (services)

  • DCE-RPC objects (services)

  • ICMP services (services)

  • GTP objects (services)

  • Compound TCP objects (services)

  • Citrix TCP objects (services)

  • Other services (services)

  • User objects

  • Time objects

  • Access Control Policy criteria negation

Note

If you upgrade to the Check Point Security Management Server R80 from a previous version of Check Point SMS, you must rediscover your devices by using the Discover From Check Point HTTPS discovery method, even if your devices are recorded by Configuration Source Management.

The following table describes the integration requirements for the Check Point Security Management Server adapter.

Table 2: Integration Requirements for the Check Point Security Management Server Adapter

Integration requirement

Description

Versions

R80

Required credential parameters

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Note: You must add the credentials for the Check Point Security Management Server before you configure device discovery.

Username

Password

Device discovery configuration

To configure device discovery in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

To configure the discovery method, click Discover From Check Point HTTPS, enter the IP address of the Check Point Security Management Server, and then click OK.

Discover From Check Point HTTPS

Supported connection protocols

To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

HTTPS

User access level requirements

Read-write access all

Requested API endpoints

Use the following format to issue the listed commands to devices:

https://<managemenet server>:<port>/web_api/<ommand>

show-simple-gateways
show-hosts
show-networks
show-address-ranges
show-groups
show-groups-with-exclusion
show-services-tcp
show-services-udp
show-service-groups
show-packages
show-access-rulebase
show-nat-rulebase
run-script
show-task

Create a Check Point Custom Permission Profile to Permit JSA Risk Manager Access

To enable JSA Risk Manager access to the Check Point SMS HTTPS adapter API, you must create a permission profile on the Check Point Security Management Server that includes the "Run One Time Script" permission.

You can create a custom permission profile that includes this permission, but is less permissive than the "Read Write All" or "Read Only All" profile.

Note

The custom profile does not work if the SMS version is R80.10 or higher and the gateway version is lower than R80.10. This configuration requires a Super User.

  1. On the SMS Console with SmartDashboard, click Manage & Settings > Permissions & Administrators > Permission Profiles.
  2. Click Create New Profile.
  3. On the Overview tab, select Customized.
  4. On the Gateways tab, select One Time Script.
  5. On the Access Control tab, select the following options:
    • Show Policy

    • Edit layers by the selected profiles in a layer editor

    • NAT Policy – Set the permission to Read.

    • Access Control Objects and Settings – Set the permission to Read.

  6. On the Threat Prevention tab, select Settings and set the permission to Read.
  7. On the Others tab, select the following options:
    • Common Objects – Set the permission to Read.

    • Check Point Users Database – Set the permission to Read.

  8. On the Monitoring and Logging tab, leave the check boxes cleared.
  9. On the Management tab, select Management API Login.Note

    Ensure that any options that are not listed in Steps 3 – 9 are not selected.

  10. Click OK and assign your user to this new permission profile.

Related Documentation