Check Point Security Management Server Adapter

Use the Check Point adapter to discover and back up end nodes that are managed by the Security Management Server (CPSMS).

Choose one of the following adapters to discover and back up end nodes that are managed by the CPSMS.

Check Point Security Management Server OPSEC Adapter

Use the Check Point Security Management Server OPSEC adapter to discover and back up end nodes that are managed by CPSMS versions NGX R60 to R77.

The following features are available with the Check Point Security Management Server OPSEC adapter:

  • OPSEC protocol

  • Dynamic NAT

  • Static NAT

  • Static routing

The CPSMS adapter is built on OPSEC SDK 6.0, which supports only Check Point products that are configured to use certificates signed with SHA-1.

The following table describes the integration requirements for the CPSMS adapter.

Table 1: Integration Requirements for the CPSMS Adapter

Versions
  NGX R60 to R77

Required credential parameters
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
  Use the credentials that are set from Adding devices managed by a CPSMS console.

Supported connection protocols
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
  CPSMS

Configuration requirements
  To allow the cpsms_client to communicate with the Check Point Management Server, the $CPDIR/conf/sic_policy.conf file on CPSMS must include the following lines:

    # OPSEC applications default
    ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
    # sam proxy
    ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
    ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
    ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
    ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp

Required ports
  The following ports are used by JSA Risk Manager and must be open on CPSMS:

  • Port 18190 for the Check Point Management Interface service (CPMI)

  • Port 18210 for the Check Point Internal CA Pull Certificate Service (FW1_ica_pull)

  If you cannot use 18190 as the listening port for CPMI, the CPSMS adapter port number must match the value listed for CPMI in the $FWDIR/conf/fwopsec.conf file on CPSMS, for example cpmi_server auth_port 18190.
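As an added pre-flight check (example code, not part of JSA or Check Point), the Python below verifies that a copy of sic_policy.conf contains every entry listed above and reads the CPMI auth_port from fwopsec.conf. Lines are compared field by field, ignoring whitespace, case and comma order, without interpreting what each field means; the sample file contents are constructed.

```python
import re

# Entries the page says $CPDIR/conf/sic_policy.conf must contain for the
# OPSEC adapter (comment lines dropped; whitespace is not significant).
REQUIRED_SIC_ENTRIES = [
    "ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp",
    "ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca",
    "ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp",
    "ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp",
    "ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp",
]

def normalize(entry):
    """Split a sic_policy.conf line into its ';'-separated fields and
    canonicalise each: lowercase, comma lists sorted, spaces removed."""
    fields = []
    for field in entry.split(";"):
        items = sorted(x.strip().lower() for x in field.split(",") if x.strip())
        fields.append(",".join(items))
    return tuple(fields)

def parse_sic_policy(text):
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            entries.add(normalize(line))
    return entries

def missing_sic_entries(text):
    present = parse_sic_policy(text)
    return [e for e in REQUIRED_SIC_ENTRIES if normalize(e) not in present]

def cpmi_auth_port(fwopsec_text, default=18190):
    """Return the CPMI port from a $FWDIR/conf/fwopsec.conf line such as
    'cpmi_server auth_port 18190'; the default applies when it is absent."""
    m = re.search(r"^\s*cpmi_server\s+auth_port\s+(\d+)", fwopsec_text, re.M)
    return int(m.group(1)) if m else default

# Constructed sample files (not copied from a real server): two entries missing.
SAMPLE_SIC = """\
# OPSEC applications default
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
"""
SAMPLE_FWOPSEC = "lea_server auth_port 18184\ncpmi_server auth_port 18191\n"

if __name__ == "__main__":
    print(missing_sic_entries(SAMPLE_SIC), cpmi_auth_port(SAMPLE_FWOPSEC))
```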

Check Point Security Management Server HTTPS Adapter

Use the Check Point Security Management Server HTTPS adapter to discover and back up end nodes that are connected to firewall blades managed by the Security Management Server version R80.

The following features are available with the Check Point Security Management Server HTTPS adapter:

  • Static NAT

  • Static routing

  • HTTPS connection protocol

The following features are not supported by the Check Point Security Management Server adapter:

  • Dynamic objects (network objects)

  • Security Zones (network objects)

  • RPC objects (services)

  • DCE-RPC objects (services)

  • ICMP services (services)

  • GTP objects (services)

  • Compound TCP objects (services)

  • Citrix TCP objects (services)

  • Other services (services)

  • User objects

  • Time objects

  • Access Control Policy criteria negation

Note:

If you upgrade to the Check Point Security Management Server R80 from a previous version of Check Point SMS, you must rediscover your devices by using the Discover From Check Point HTTPS discovery method, even if your devices are recorded by Configuration Source Management.

The following table describes the integration requirements for the Check Point Security Management Server adapter.

Table 2: Integration Requirements for the Check Point Security Management Server Adapter

API process must be running on the SMS
  To check the API status, log in to the Management Server and run the following command in the CLI: api status

API must allow requests from the JSA IP address
  If the Management API is not configured to accept requests from all IP addresses, you must give JSA Risk Manager access to it. To configure access on the SMS, go to Manage & Settings > Blades > Management API > Advanced Settings.

Versions
  R80

Required credential parameters
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

  Note:

  You must add the credentials for the Check Point Security Management Server before you configure device discovery.

  • Enable Username - Used for the domain of a Domain Management Server.

  • Username

  • Password

Device discovery configuration
  To configure device discovery in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
  To configure the discovery method, click Discover From Check Point HTTPS, enter the IP address of the Check Point Security Management Server, and then click OK.
  Discover From Check Point HTTPS

Supported connection protocols
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
  HTTPS

User access level requirements
  Read-write access all

Requested API endpoints
  Use the following format to issue the listed commands to devices:

    https://<management server>:<port>/web_api/<command>

  • show-simple-gateways

  • show-hosts

  • show-networks

  • show-address-ranges

  • show-groups

  • show-groups-with-exclusion

  • show-services-tcp

  • show-services-udp

  • show-service-groups

  • show-packages

  • show-access-rulebase

  • show-nat-rulebase

  • run-script

  • show-task

  Note:

  The default permission profile "Read Only All" does not have one of the privileges that are required to integrate the HTTPS adapter. You must add the "Run One Time Script" privilege to a permission profile.
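As an added example (not JSA or Check Point code), a minimal Python client for the call sequence the HTTPS adapter depends on: a login command returns a session id, every later command carries it in the X-chkp-sid header, and show-* commands are paged with offset/limit until "to" reaches "total", as the public Check Point Management API reference describes. The server name, credentials, host objects and the fake transport are constructed so the block runs offline; the endpoint path follows the format given above.

```python
import json

class CheckPointApiClient:
    """Management API session: 'login' returns a session id (sid) that every
    later command must carry in the X-chkp-sid header. 'transport' is injected
    so this runs offline; a real one POSTs JSON over HTTPS with cert checking."""

    def __init__(self, server, transport, port=443):
        self.base = f"https://{server}:{port}/web_api/"
        self.transport = transport  # transport(url, headers, body) -> dict
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        return self.transport(self.base + command, headers, json.dumps(payload or {}))

    def login(self, user, password, domain=None):
        body = {"user": user, "password": password}
        if domain:  # log in to one domain of a Domain Management Server
            body["domain"] = domain
        self.sid = self.call("login", body)["sid"]
        return self.sid

    def show_all(self, command, limit=50):
        # Collect every object of a show-* command, one page at a time.
        objects, offset = [], 0
        while True:
            page = self.call(command, {"limit": limit, "offset": offset})
            objects.extend(page["objects"])
            if page["to"] >= page["total"]:
                return objects
            offset = page["to"]

# Constructed fake server with 5 hosts; it rejects any call without the sid.
FAKE_HOSTS = [{"name": f"h{i}", "ipv4-address": f"10.0.0.{i}"} for i in range(1, 6)]

def fake_transport(url, headers, body):
    command = url.rsplit("/", 1)[1]
    if command == "login":
        return {"sid": "constructed-sid"}
    if headers.get("X-chkp-sid") != "constructed-sid":
        raise PermissionError("missing or invalid X-chkp-sid")
    if command == "show-hosts":
        req = json.loads(body)
        end = min(req["offset"] + req["limit"], len(FAKE_HOSTS))
        return {"objects": FAKE_HOSTS[req["offset"]:end], "from": req["offset"] + 1,
                "to": end, "total": len(FAKE_HOSTS)}
    raise ValueError("command not supported by this fake: " + command)
```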

Create a Check Point Custom Permission Profile to Permit JSA Risk Manager Access

To enable JSA Risk Manager access to the Check Point SMS HTTPS adapter API, you must create a permission profile on the Check Point Security Management Server that includes the "Run One Time Script" permission.

You can create a custom permission profile that includes this permission, but is less permissive than the "Read Write All" or "Read Only All" profile.

Note:

The custom profile does not work if the SMS version is R80.10 or higher and the gateway version is lower than R80.10. This configuration requires a Super User.

  1. On the SMS Console with SmartDashboard, click Manage & Settings > Permissions & Administrators > Permission Profiles.

  2. Click Create New Profile.

  3. On the Overview tab, select Customized.

  4. On the Gateways tab, select One Time Script.

  5. On the Access Control tab, select the following options:

    • Show Policy

    • Edit layers by the Software Blades – Leave the check boxes cleared.

    • NAT Policy – Set the permission to Read.

    • Access Control Objects and Settings – Set the permission to Read.

  6. On the Threat Prevention tab, select Settings and set the permission to Read.

  7. On the Others tab, select the following options:

    • Common Objects – Set the permission to Read.

    • Check Point Users Database – Set the permission to Read.

  8. On the Monitoring and Logging tab, leave the check boxes cleared.

  9. On the Management tab, select Management API Login.

    Note:

    Ensure that any options that are not listed in Steps 3 - 9 are not selected.

  10. Click OK and assign your user to this new permission profile.