Configuring Check Point Open Platform for Security (OPSEC)

Procedure

  1. Configure your Check Point appliance.
    1. Check or configure the SAM communication mode ports on your Check Point appliance.
    2. Configure the OPSEC Application on your Check Point appliance.
    3. Enable purging of SAM file on your Check Point appliance.
      1. Open the Check Point SmartDashboard.
      2. Expand Other and go to SAM.
      3. Enable Purge SAM file when it reaches:.
      4. Specify the file size.
      5. Click OK.
      6. Save the
    4. Configure Security Policies on your Check Point appliance.
      1. Open the Check Point SmartConsole.
      2. On the SECURITY POLICIES tab, go to Access Control > Policy.
      3. To add a rule, click the Add rule above icon.
      4. To configure the new policy, right-click the action.
      5. Change the action to Accept.
      6. Right-click the source.
      7. Select Add new items....
      8. Click the new icon.
      9. Select Address Ranges > Address Range....
        The New Address Range window appears.
      10. In the Enter Object Name field, type DDI.
      11. In First IP address, type the Deep Discovery Inspector IP address.
      12. In Last IP address, type the Deep Discovery Inspector IP address.
      13. Click OK.
      14. Right-click the destination.
      15. Select Add new items....
      16. Click the new icon.
      17. Select Address Ranges > Address Range....
        The New Address Range window appears.
      18. In the Enter Object Name field, type CheckPoint.
      19. In First IP address, type the CheckPoint IP address.
      20. In Last IP address, type the CheckPoint IP address.
      21. Click OK.
      22. Click Install Policy.
        The following window opens.
      23. Click Publish & Install.
      24. Click Install.
        The Check Point appliance is enabled to receive suspicious objects and C&C callback addresses from Deep Discovery Inspector.
  2. Configure Deep Discovery Inspector.
    1. On the Deep Discovery Inspector management console, go to Administration > Integrated Products/Services > Inline Products/Services.
    2. Select Check Point Open Platform for Security (OPSEC).
    3. Select a connection type.
      Note
      Ensure that your network configuration allows Deep Discovery Inspector to connect to the Check Point appliance.
      Deep Discovery Inspector may connect to the Check Point appliance through the secured connection port or clear connection port that is configured on the Check Point appliance. Deep Discovery Inspector also pulls the certificate from the Check Point appliance through port 18210.
      If you selected Secured connection, the OPSEC application name and SIC one-time password settings appear.
    4. Type the server address.
      Note
      The server address must be the IPv4 address or FQDN of the inline product.
    5. Type the port.
      Note
      This port must be the same port that is configured on the security gateway. For details, see Preconfiguring a Security Gateway.
    6. If you selected Secured connection, type the OPSEC application name and SIC one-time password.
      For more details, see Configuring a Secured Connection.
      Note
      If the one-time password is reset on the Check Point appliance, the new one-time password must be different than the previous one-time password.
    7. (Optional) Click Test Connection.
    8. Under Object Distribution, click Enabled.
      The Legal Statement opens.
    9. Read and accept the Legal Statement.
      Note
      To enable integration with this inline product/service, you must accept the Legal Statement.
    10. (Optional) Select a new Frequency.
    11. Configure the following criteria to send suspicious object and C&C callback address information from Deep Discovery Inspector to your Check Point appliance:
      • Object type:
        • C&C Callback Address
          • IPv4 address
        • Suspicious Object
          • IPv4 address
      • Risk level:
        • High only
        • High and medium
        • High, medium, and low
    12. Under Advanced Settings, select one of the following actions:
      • Reject: Packets will be rejected and a notification sent to the communicating peer that the packet has been rejected.
      • Drop: Packets will be dropped without sending the communicating peer a notification.
      • Notify: A notification about the defined activity will be sent but the activity will not be blocked.
    13. Click Save.
    14. (Optional) Click Distribute Now to distribute suspicious objects and C&C callback addresses to Check Point immediately.
  3. To view suspicious objects and C&C callback addresses distributed by Deep Discovery Inspector on Check Point SmartView Monitor, do the following:
    1. On Check Point SmartConsole, go to Logs & Monitor.
    2. Add a new tab.
    3. Click Tunnels & User Monitoring to open SmartView Monitor.
    4. Click the Launch Menu icon and go to Tools > Suspicious Activity Rules.
      The Enforced Suspicious Activity Rules window opens.
    5. At Show On, select the target Check Point appliance name.
    6. Click Refresh.
    Suspicious objects and C&C callback addresses distributed by Deep Discovery Inspector are displayed.
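
The connection settings in step 2 rest on three conditions stated in the notes: the server address is an IPv4 address or FQDN, the configured port is reachable, and port 18210 is reachable for the certificate pull. The following pre-flight check is an added example, not part of the original procedure or of either product; the function names are hypothetical, the SAM port is passed in rather than assumed, and the script is meant to be run from a host on the same network segment as Deep Discovery Inspector.

```python
import ipaddress
import re
import socket
import sys

CERT_PULL_PORT = 18210  # from the procedure: certificate pull uses this port
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_server_address(value):
    """Return 'ipv4' or 'fqdn'; raise ValueError for anything else."""
    value = value.strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 4:
            return "ipv4"
        raise ValueError("IPv6 is not accepted; use an IPv4 address or FQDN")
    labels = value.rstrip(".").split(".")
    # An all-numeric last label means a malformed IPv4 address (10.0.0.256).
    if len(labels) < 2 or labels[-1].isdigit() or not all(map(_LABEL.match, labels)):
        raise ValueError(f"not an IPv4 address or FQDN: {value!r}")
    return "fqdn"


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def preflight(server, sam_port, timeout=3.0):
    """Validate the address form, then probe both ports the integration uses."""
    return {
        "address_type": classify_server_address(server),
        "sam_port": port_open(server, sam_port, timeout),
        "cert_pull_port": port_open(server, CERT_PULL_PORT, timeout),
    }


if __name__ == "__main__":
    # Usage: python preflight.py <gateway address> <SAM port set on the gateway>
    print(preflight(sys.argv[1], int(sys.argv[2])))
```

A `False` for either port points to the Access Control rule or an intermediate firewall rather than to the OPSEC application name or SIC one-time password.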