Configuring the BlueApp for Check Point

Role Availability Read-Only Investigator Analyst Manager

Before you can begin configuration, you must have the following information from your Check Point instance:

  • IP address or hostname
  • Port
  • Username and password
  • (Optional) Certificate Authority (CA) certificates

Check Point Configurations

For USM Anywhere to communicate with the Check Point API, the API must be configured to start automatically. You should also allow API calls from all IP addresses, and you need a user account with read and write permissions.

To set up your Check Point API

  1. Log in to the Check Point SmartConsole.
  2. Go to Manage & Settings > Blades > Management API and click the Advanced Settings button.
  3. Under Startup Settings, select the Automatic Start checkbox.
  4. Under Access Settings, select All IP addresses.

  5. Click OK.

To make sure your account has read and write permissions

  1. Log in to the Check Point SmartConsole.
  2. Go to Manage & Settings > Permissions and Administrators.
  3. Double-click your account.
  4. Under Permissions, click the Permissions Profile box and select Read Write All.
  5. Click OK.

To enable the AlienApp for Check Point

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter the following items:

    • IP address or hostname
    • Port
    • Username
    • Password
  7. Optionally, select Require CA certificate and Validate HTTPS host name, and then enter the CA certificate.

    Note: If you want to deploy into your network and use a self-signed CA certificate, you need to upload it here. The certificate can be found at /web/conf/server.crt.

  8. Click Save.
  9. Verify the connection.

    After USM Anywhere completes a successful connection to the Check Point APIs, an icon indicating success displays in the Health column.

    If an icon indicating a failure displays instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Check Point connection.
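
When the Health column reports a problem, it helps to separate TLS failures from credential failures before repeating the steps. The following is an added example, not LevelBlue or Check Point code: it performs a strictly validated HTTPS login against the Check Point Management API and logs out again. It assumes the API's `/web_api/login` and `/web_api/logout` endpoints and the `X-chkp-sid` session header; the function names are hypothetical, and `ca_file` is the CA certificate from step 7.

```python
import http.client
import json
import ssl

JSON = {"Content-Type": "application/json"}

def tls_context(ca_file=None):
    # Strict TLS: chain must validate (against ca_file if given) and the
    # certificate must match the host name, mirroring the step 7 option.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def login_request(user, password):
    # Check Point Management API login call (assumed endpoint: /web_api/login).
    return "POST", "/web_api/login", json.dumps({"user": user, "password": password}), JSON

def parse_login(status, raw):
    # Returns (ok, detail); the session id is never included in detail.
    try:
        data = json.loads(raw)
    except ValueError:
        return False, f"HTTP {status}: non-JSON reply"
    if not isinstance(data, dict):
        return False, f"HTTP {status}: unexpected reply"
    if status == 200 and data.get("sid"):
        return True, "login accepted"
    return False, f"HTTP {status}: {data.get('message', 'no message')}"

def check(host, port, user, password, ca_file=None):
    # Run from a host with the same network path to the API as the sensor.
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=10,
                                           context=tls_context(ca_file))
        conn.request(*login_request(user, password))
        resp = conn.getresponse()
        status, raw = resp.status, resp.read()
        ok, detail = parse_login(status, raw)
        if ok:  # close the session so it does not linger on the server
            sid = json.loads(raw)["sid"]
            conn.request("POST", "/web_api/logout", "{}", {**JSON, "X-chkp-sid": sid})
            conn.getresponse().read()
        return ok, detail
    except ssl.SSLCertVerificationError as exc:
        return False, f"TLS verification failed: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"
```

A "TLS verification failed" result points at the CA certificate or host name entered in steps 6 and 7, while an HTTP error with a message points at the account or the API access settings.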

Forward Check Point Syslog Messages to USM Anywhere

To fully integrate USM Anywhere with the BlueApp for Check Point, you need to configure syslog forwarding in the Check Point device or management server to send the events to your sensor. See the Check Point Log Exporter guide and follow the steps outlined in the Basic Deployment section to configure syslog forwarding.

Assign Your Assets

Because the AlienApp for Check Point is not auto-discovered, you must manually assign the BlueApp to the asset representing the Check Point device or management server’s IP address in USM Anywhere. If the BlueApp isn't assigned to any assets, the Check Point events will be handled by the LevelBlue Generic Data Source, which will result in some of the data from the log not being properly parsed or associated with the BlueApp.

See Assign Assets to BlueApps for instructions on how to assign your assets to AlienApp for Check Point.