Chinmaya_Naik
Advisor

Forescout NAC Integration with checkpoint EDR (Endpoint)

Hi Team,

My earlier query was about integration with the Checkpoint Management Server, which gives us the Firewall Threat Prevention detection and remediation information on ForeScout.

Link: https://community.checkpoint.com/t5/Logging-and-Reporting/Forescout-Integration-with-checkpoint-mana...

Now my requirement is to see information on ForeScout about all the Endpoint Clients installed in our infra.

The information that needs to be visible on ForeScout:

1. Endpoint Client Version

2. Checkpoint Endpoint Services

3. Encryption Status of all connected clients

4. Antimalware Updates

As of now we are able to achieve the first, second and third points.

 

CP Endpoint Version Information

screenshot 02

 

We tried to add the Checkpoint EDR to the ForeScout antivirus policy but were unable to see the Checkpoint vendor name. We are able to see the Checkpoint vendor in the encryption section of the ForeScout policy, and after adding Checkpoint to the encryption policy (ForeScout) we are able to see the encryption status (Screenshot 02 above).

But I checked with the ForeScout team and found that a custom policy needs to be created on ForeScout for Antimalware visibility in order to posture the Checkpoint Antimalware updates, but ForeScout requires a DAT file from the Checkpoint Endpoint Agent.

But I am unable to find which DAT file is required; that file must also store the Anti-Malware Signature version information (in Checkpoint Endpoint).

Basically, other third-party vendors keep a DAT file on each machine, and that DAT file is usually updated once a new signature is fetched by the client from the server.

Kindly help with whether it's possible to see on ForeScout whether the Checkpoint Antimalware Signature is up to date or not, because the NAC agent has the functionality to move the machine to an isolated network if the endpoint machine's antimalware or antivirus signature is not up to date, and this functionality is very important for most organizations.

 

Thanks and Regards

@Chinmaya_Naik 

1 Solution

Accepted Solutions
Chinmaya_Naik
Advisor

Hi Team,

Find below the details that we are able to see on the ForeScout NAC dashboard.

1. Endpoint Client Version

2. Checkpoint Endpoint Services

3. Encryption Status of all connected clients

4. Antimalware Updates (SOLVED)

By default Forescout only provides Endpoint Client version, Services, and Encryption status.

If you also want real-time visibility for Antimalware on ForeScout, then you need to create a custom policy configuration in Forescout.

If you open the ForeScout antimalware policy you will not find the Checkpoint vendor, although you can see a list of more than 30 AV vendors. The best part about ForeScout is that even if the vendor is not on the list, you can still achieve your requirement by creating a custom policy for antimalware.

One solution is possible if we have a DAT file, because inside the DAT file we are able to see the AV signature version. That DAT file is frequently updated based on the configuration, so by using the "AV signature version string" inside the DAT file we are able to create a custom configuration in ForeScout, BUT we were unable to find a DAT file in the Checkpoint EDR installation directory.

The second solution is to create a custom policy for Checkpoint antimalware. Basically, if we open the SandBlast Agent, we are able to see the Antimalware status through two strings: the first is "not up to date" and the second is "Last update was ...". So we created a custom configuration in ForeScout using these two strings by creating a condition, AND now this one is working for us 🤗

Images below for reference.

forescout antmalware status.png

Regards

@Chinmaya_Naik 


0 Kudos
2 Replies
Chris_Atkinson
Employee
For awareness typically Check Point Endpoint doesn't need a 3rd party NAC for this use case. The Compliance blade and host based firewall can restrict the Endpoint.

We also provide a hierarchy of update sources: policy server / internet / other, that is configurable to help ensure the clients can always be updated.
CCSM R77/R80/ELITE
0 Kudos