Check Point Next Generation Threat Prevention integration

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read

    This document describes the steps required to integrate Check Point Next Generation Threat Prevention (NGTP) capabilities with ServiceNow® Security Incident Response (SIR) so that applications function properly together.

    Once installed and configured, the security incident analyst uses this integration to block malicious IP addresses, URLs, and domains using the Block Request List capabilities of the ServiceNow Security Incident Response (SIR) products. The Block Request List is configured on Check Point Gateways as a Custom Intelligence Feed. The Custom Intelligence Feeds feature provides the ability to add custom cyber intelligence feeds to the Next Generation Threat Prevention engine. It fetches feeds from a third-party server, in this case the ServiceNow Security Incident Response application, directly to the Check Point Next Generation Gateway, where they are enforced by the Anti-Virus and Anti-Bot blades. The security incident response analyst creates Check Point Block List entries from observables determined to be malicious on ServiceNow SIR security incidents.

    For most implementations, a Block Request List is a CSV file hosted on an external web server. For this integration, that web server is your ServiceNow AI Platform instance, from which the Check Point Next Generation Threat Prevention Engine fetches the list of IP addresses, URLs, and domains to be blocked.

    To enforce blocking of these observables on the Check Point Gateway, ensure that the Threat Prevention policy is configured with the Anti-Bot and Anti-Virus blades activated. As Block List entries are modified, the Threat Prevention Engine dynamically imports the list at the configured interval and enforces policy without a configuration change or a commit on the firewall. For this integration, the ServiceNow AI Platform provides a table of Block List entries that authorized Check Point Next Generation Gateways retrieve at the configured retrieval intervals.

    The integration includes the following features:
    • Flexibility to create multiple Block Lists that apply to multiple Check Point Gateways.
    • Detailed reporting on the types of sites being blocked (phishing, malware, and allow-listed sites).
    • Tagging of ServiceNow AI Platform security incidents with Block List entries by the observable type (URL, domain, IP address).
    • Configuring Block List expiration periods to maintain Block List size by automatically expiring or removing older entries.
    • Searching Block List entries between different Block Lists.
    • Linking Block List entries to observable records and security incidents that include threat intelligence results and details about why an entry is blocked.
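    The feed the gateway fetches is only as useful as the entries in it. As an added example (not ServiceNow's or Check Point's code), the script below builds the CSV block list from a constructed set of Block List entries, dropping expired entries, entries whose value does not match the declared observable type, and duplicates; the entry fields, the two-column CSV layout and the expiry rule are assumptions, since the actual feed format is defined by Check Point's Custom Intelligence Feed documentation.

```python
"""Added example: build and sanity-check a CSV block list of the kind the
integration publishes for a Check Point Gateway to fetch. Entry fields, CSV
columns and the expiry rule are assumptions, not the product's own format."""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample of Block List entries as the SIR application might hold them.
SAMPLE_ENTRIES = [
    {"value": "203.0.113.7", "type": "ip", "created": "2025-07-01T00:00:00Z", "expires_days": 90},
    {"value": "bad-example.test", "type": "domain", "created": "2025-07-20T00:00:00Z", "expires_days": 30},
    {"value": "http://bad-example.test/login", "type": "url", "created": "2025-01-01T00:00:00Z", "expires_days": 30},
    {"value": "not a valid ip", "type": "ip", "created": "2025-07-25T00:00:00Z", "expires_days": 30},
    {"value": "203.0.113.7", "type": "ip", "created": "2025-07-10T00:00:00Z", "expires_days": 90},
]
FEED_TIME = datetime(2025, 7, 31, tzinfo=timezone.utc)  # constructed "now" for the sample

def classify(value):
    """Return the observable type the value actually is (ip, url, domain), or None."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.startswith(("http://", "https://")):
        return "url"
    labels = value.split(".")
    if len(labels) >= 2 and all(l and l.replace("-", "").isalnum() for l in labels):
        return "domain"
    return None

def active_entries(entries, now):
    """Keep entries that are unexpired, well-formed for their declared type, and unique."""
    seen, out = set(), []
    for e in entries:
        created = datetime.strptime(e["created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now >= created + timedelta(days=e["expires_days"]):
            continue  # expired: drops out of the feed on the gateway's next fetch
        if classify(e["value"]) != e["type"] or e["value"] in seen:
            continue  # malformed or duplicate: would only bloat the feed
        seen.add(e["value"])
        out.append(e)
    return out

def to_feed_csv(entries, now):
    """Render the active entries as CSV rows of value,type (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for e in active_entries(entries, now):
        writer.writerow([e["value"], e["type"]])
    return buf.getvalue()

def sample_feed():
    """The feed the sample entries produce at FEED_TIME: two rows survive the checks."""
    return to_feed_csv(SAMPLE_ENTRIES, FEED_TIME)
```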

    Integration architecture diagram

    Below is the high-level architecture diagram depicting the components involved and the integration points between the NOW Platform and Check Point systems.

    [Figure: Integration architecture]

    Note: The Check Point Systems logo, Anti-Virus Blade image, and Anti-Bot Blade image are from Check Point Systems ©. They are the property of Check Point Systems.

    Plugins

    The integration requires that the Security Incident Response (com.snc.security_incident) plugin be activated.

    To install Security Incident Response plugins:
    1. Log in to your instance with your HI credentials.
    2. Verify you have the administrator (admin) role.
    3. Navigate to System Definition > Plugins in your instance.
    4. Select and click Security Incident Response.

    Once these plugins are installed, you can upload the Check Point integration plugin from the ServiceNow Store and follow the configuration instructions below.

    Supported Check Point OS versions

    This integration requires the Check Point Custom Intelligence Feed feature and the Anti-Bot and Anti-Virus blades. These are supported from R80.20 and higher. Install the Custom Intelligence Feed hotfix, Check Point R80.10 Jumbo HF take 121 or later. Refer to the Installation section of the Check Point Custom Intelligence Feed documentation for the product compatibility matrix.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193

    After installing the hotfix, ensure that the commands shown below are accessible on the Check Point Gateway: SSH to the gateway and log in to expert mode.

    [Figure: Commands available on the Check Point Gateway]

    Supported ServiceNow versions

    San Diego release version or later is supported.

    References

    Below are some Check Point references that are useful in setting up the prerequisites.
    1. Custom Intelligence Feeds feature - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193
    2. To set up the Anti-Bot and Anti-Virus blades, refer to the Check Point User Guide: http://downloads.checkpoint.com/dc/download.htm?ID=46534
    3. To set up HTTPS Inspection on Check Point, follow this link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

    Permissions and roles

    The following ServiceNow roles are required.
    • Administrator (admin) for installation of the integration application plugin
    • Security incident administrator (sn_si.admin) for creating Block Lists in ServiceNow and approving requests to add and deactivate Block List entries.
    • Security analyst (also referred to here as a SOC Analyst, sn_si.analyst) for creating and maintaining Block List Entry records.

    For more information on assigning the security analyst role, on the ServiceNow documentation website, navigate to Security Operations > Security Incident Response > Assigning security analysts.