Check Point Security Management Server HTTPS adapter

Use the Check Point Security Management Server HTTPS adapter to discover and back up end nodes that are connected to firewall blades that are managed by the Security Management Server or a Domain Management Server version R80 or later.

Tip: Discovery from the multi-domain server is not supported. Instead, target the virtual Domain Management Server.
The following features are available with the Check Point Security Management Server HTTPS adapter:
  • Static NAT
  • Static routing
  • HTTPS connection protocol
The following features are not supported by the Check Point Security Management Server adapter:
  • Dynamic objects (network objects)
  • Security Zones (network objects)
  • RPC objects (services)
  • DCE-RPC objects (services)
  • ICMP services (services)
  • GTP objects (services)
  • Compound TCP objects (services)
  • Citrix TCP objects (services)
  • Other services (services)
  • User objects
  • Time objects
  • Access Control Policy criteria negation
Important: If you upgrade to the Check Point Security Management Server R80 or later from a previous version of Check Point SMS, you must rediscover your devices by using the Discover From Check Point HTTPS discovery method, even if your devices are recorded by Configuration Monitor.

The following table describes the integration requirements for the Check Point Security Management Server adapter.

Table 1. Integration requirements for the Check Point Security Management Server adapter
Integration requirement | Description
API process must be running on the SMS | To check the API status, log in to the Management Server and type the following command on the CLI: api status
API must allow requests from the QRadar® IP address | If all IP addresses are not allowed to access the Management API, you must give QRadar Risk Manager access to it. To configure access on the SMS, go to Manage & Settings > Blades > Management API > Advanced Settings.

Versions

R80–R81.10

Required credential parameters

To add credentials in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.

Important: You must add the credentials for the Check Point Security Management Server before you configure device discovery.

Enable Username - Used for the domain of a Domain Management Server.

Username

Password

Device discovery configuration

To configure device discovery in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.

To configure the discovery method, click Discover From Check Point HTTPS, enter the IP address of the Check Point Security Management Server, and then click OK.

Discover From Check Point HTTPS

Supported connection protocols

To add protocols in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.

HTTPS

User access level requirements

Read-write access all

Requested API endpoints

Use the following format to issue the listed commands to devices:

https://<management server>:<port>/web_api/<command>

show-simple-gateways

show-hosts

show-networks

show-address-ranges

show-groups

show-groups-with-exclusion

show-services-tcp

show-services-udp

show-service-groups

show-packages

show-access-rulebase

show-nat-rulebase

run-script

show-task

Important:
  • The adapter cannot retrieve all the necessary data directly from the Check Point REST API. To obtain all the necessary data, the adapter uses the run-script endpoint to run the following Check Point CLI commands:
    ip address
    hostname
    route -n
  • The default permission profile "Read Only All" does not have one of the privileges that are required to integrate the HTTPS Adapter. You must add the "Run One Time Script" privilege to a permission profile. You can create a custom permission profile that is less permissive than "Read Write All" and "Read Only All," but contains the required permission. For more information, see Create a Check Point custom permission profile to permit QRadar Risk Manager access.
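
Because the adapter account holds the "Run One Time Script" privilege, it is worth verifying that the account only calls the endpoints and CLI commands listed above. The following Python check is an added example, not IBM or Check Point code. It assumes request records (URL plus JSON body) taken from your own logging, that the script text is in the `script` field of the run-script body, and that `login` and `logout` session calls are also expected; the sample records are constructed.

```python
import json
from urllib.parse import urlparse

# Commands from the "Requested API endpoints" list on this page.
ALLOWED_ENDPOINTS = {
    "show-simple-gateways", "show-hosts", "show-networks", "show-address-ranges",
    "show-groups", "show-groups-with-exclusion", "show-services-tcp",
    "show-services-udp", "show-service-groups", "show-packages",
    "show-access-rulebase", "show-nat-rulebase", "run-script", "show-task",
}
# Assumption: session commands are expected too, although the page does not list them.
SESSION_ENDPOINTS = {"login", "logout"}
# The only CLI commands the page says the adapter runs through run-script.
ALLOWED_SCRIPT_LINES = {"ip address", "hostname", "route -n"}

def review_request(url, body="{}"):
    """Return findings (empty list = expected) for one request by the adapter account."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return ["not HTTPS"]
    prefix, _, command = parsed.path.partition("/web_api/")
    if prefix or not command:
        return ["not a /web_api/<command> request"]
    if command not in ALLOWED_ENDPOINTS | SESSION_ENDPOINTS:
        return [f"unexpected endpoint: {command}"]
    if command != "run-script":
        return []
    # Assumption: the script text is carried in the "script" field of the JSON body.
    script = json.loads(body).get("script", "")
    # Split on newlines and ';', collapse whitespace, then require exact matches.
    lines = [" ".join(part.split()) for part in script.replace(";", "\n").splitlines()]
    lines = [line for line in lines if line]
    if not lines:
        return ["run-script with empty script"]
    return [f"unexpected script line: {line}" for line in lines
            if line not in ALLOWED_SCRIPT_LINES]

# Constructed sample records (not real logs); 192.0.2.10 is a documentation address.
SAMPLE = [
    ("https://192.0.2.10:443/web_api/show-access-rulebase", "{}"),
    ("https://192.0.2.10:443/web_api/run-script", '{"script": "ip address\\nhostname; route  -n"}'),
    ("https://192.0.2.10:443/web_api/run-script", '{"script": "hostname; uname -a"}'),
    ("https://192.0.2.10:443/web_api/set-host", '{"name": "h1"}'),
]

def audit(records):
    """Map the index of each flagged request to its findings."""
    found = {i: review_request(url, body) for i, (url, body) in enumerate(records)}
    return {i: findings for i, findings in found.items() if findings}
```

Exact matching on each script line means that pipes, command chaining or extra arguments are reported rather than passed as one of the three allowed commands.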