Configuring Check Point Open Platform for Security (OPSEC)

Procedure

  1. On the Deep Discovery Inspector management console, go to Administration > Integrated Products/Services > Inline Products/Services.
  2. Select Check Point Open Platform for Security (OPSEC).
  3. Select a connection type.
    Note
    Ensure that your network configuration allows Deep Discovery Inspector to connect to the Check Point appliance.
    Deep Discovery Inspector may connect to the Check Point appliance through the secured connection port or clear connection port that is configured on the Check Point appliance. Deep Discovery Inspector also pulls the certificate from the Check Point appliance through port 18210.
    If you selected Secured connection, the OPSEC application name and SIC one-time password settings appear.
  4. Type the server address.
    Note
    The server address must be the IPv4 address or FQDN of the inline product.
  5. Type the port.
    Note
    This port must be the same port that is configured on the security gateway. For details, see Preconfiguring a Security Gateway.
  6. If you selected Secured connection, type the OPSEC application name and SIC one-time password.
    For more details, see Configuring a Secured Connection.
    Note
    If the one-time password is reset on the Check Point appliance, the new one-time password must be different than the previous one-time password.
  7. (Optional) Click Test Connection.
  8. Under Object Distribution, select Enabled.
    The Legal Statement opens.
  9. Read and accept the Legal Statement.
    Note
    To enable integration with this inline product/service, you must accept the Legal Statement.
  10. On your Check Point firewall appliance, preconfigure a security gateway. For details, see Preconfiguring a Security Gateway.
  11. On the Check Point SmartConsole, do the following to configure your Check Point appliance for deploying suspicious objects and C&C callback addresses from Deep Discovery Inspector:
    1. On the SECURITY POLICIES tab, go to Access Control > Policy.
    2. To add a rule, click the Add rule above icon.
    3. To configure the new policy, right-click the action.
    4. Change the action to Accept.
    5. Right-click the source.
    6. Select Add new items....
    7. Click the new icon.
    8. Select Address Ranges > Address Range....
      The New Address Range window appears.
    9. In the Enter Object Name field, type DDI.
    10. In First IP address, type the Deep Discovery Inspector IP address.
    11. In Last IP address, type the Deep Discovery Inspector IP address.
    12. Click OK.
    13. Right-click the destination.
    14. Select Add new items....
    15. Click the new icon.
    16. Select Address Ranges > Address Range....
      The New Address Range window appears.
    17. In the Enter Object Name field, type CheckPoint.
    18. In First IP address, type the Check Point IP address.
    19. In Last IP address, type the Check Point IP address.
    20. Click OK.
    21. Click Install Policy.
      A window opens.
    22. Click Publish & Install.
      The target gateway installs.
    23. Click Install.
      The Check Point appliance is enabled to receive suspicious objects and C&C callback addresses from Deep Discovery Inspector.
  12. On the Deep Discovery Inspector management console, configure the following criteria to send suspicious object and C&C callback address information from Deep Discovery Inspector to this inline product/service:
    • Object type:
      • C&C Callback Address
        • IPv4 address
      • Suspicious Object
        • IPv4 address
    • Risk level:
      • High only
      • High and medium
      • High, medium, and low
  13. Under Advanced Settings, select one of the following actions:
    • Reject: Packets will be rejected and a notification sent to the communicating peer that the packet has been rejected.
    • Drop: Packets will be dropped without sending the communicating peer a notification.
    • Notify: A notification about the defined activity will be sent but the activity will not be blocked.
  14. Click Save.
    The Distribute Now option appears.
  15. (Optional) Click Distribute Now to distribute suspicious objects and C&C callback addresses to Check Point immediately.
  16. To view suspicious objects and C&C callback addresses distributed by Deep Discovery Inspector on Check Point SmartView Monitor, do the following:
    1. On Check Point SmartConsole, go to Logs & Monitor.
    2. Add a new tab.
    3. Click Tunnels & User Monitoring to open SmartView Monitor.
    4. Click the Launch Menu icon and go to Tools > Suspicious Activity Rules.
      The Enforced Suspicious Activity Rules window opens.
    5. At Show On, select the target Check Point appliance name.
    6. Click Refresh.
    Suspicious objects and C&C callback addresses distributed by Deep Discovery Inspector are displayed.
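
A pre-flight check for the connection settings in steps 3 to 5, added here as an example and not part of the product documentation: it confirms that the server address is an IPv4 address or FQDN and that both the configured port and the certificate port 18210 accept TCP connections. The function names are hypothetical, and the address and port in the sample call are constructed placeholders; run it from a host on the same network segment as Deep Discovery Inspector.

```python
import ipaddress
import re
import socket

CERT_PULL_PORT = 18210  # port the page names for pulling the certificate
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_server_address(value):
    """Return 'ipv4' or 'fqdn'; raise ValueError for anything else."""
    value = value.strip()
    try:
        version = ipaddress.ip_address(value).version
    except ValueError:
        version = None
    if version == 4:
        return "ipv4"
    if version == 6:
        raise ValueError("IPv6 is not accepted; use an IPv4 address or FQDN")
    labels = value.rstrip(".").split(".")
    # A numeric last label means a malformed IPv4 (10.0.0.256), not a host.
    if (len(value) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "fqdn"
    raise ValueError(f"not an IPv4 address or FQDN: {value!r}")


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(server, opsec_port, timeout=3.0):
    """Validate the settings, then probe both ports the integration uses."""
    kind = classify_server_address(server)
    if not 1 <= opsec_port <= 65535:
        raise ValueError(f"port out of range: {opsec_port}")
    return {"address_type": kind,
            "opsec": tcp_reachable(server, opsec_port, timeout),
            "certificate": tcp_reachable(server, CERT_PULL_PORT, timeout)}


if __name__ == "__main__":
    # Constructed placeholders: RFC 5737 address, stand-in gateway port.
    print(preflight("192.0.2.10", 40000, timeout=1.0))
```

A `False` for either port points to a firewall rule or routing gap between the two devices, which is worth resolving before entering the SIC one-time password.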