CheckPoint Umbrella Integration
Hi Mates,
Anyone here who uses the Cisco Umbrella CheckPoint Integration?
https://support.umbrella.com/hc/en-us/articles/231248788
We're here on GW R80.40 and Management R81.10. The script is located in $FWDIR/bin on the Gateway. UserAlert1 is defined in Global Properties and a Threat Prevention rule is set to execute UserAlert1 when matched. But the issue is that the script never gets triggered.
Manual execution of the script shows that it is communicating with the Umbrella destination.
Every hint is very much appreciated 🙂 !
Cheers,
David
Just a shot in the dark here, but do you see any relevant logs in the dashboard? Anything related to the script not being executed? If there is a specific IP related to the Cisco side, you can always try running fw ctl zdebug + drop | grep x.x.x.x on the CP fw (just replace x.x.x.x with the relevant IP address).
Andy
I see a log to 67.215.70.75 (s-platform.api.opendns.com) when I manually execute the script.
I see the Threat Prevention rule matches and a log is generated with Type "Alert", but no log that shows outgoing traffic to 67.215.70.75.
Also, I added some code that writes into a file when the script is running, to log whether the script was executed or not, but nothing...
Any errors?
Andy
No. Are you aware of any CheckPoint log file for the tracking with "UserAlert1"?
Have not seen it in a while.
Do the scripts exist on the gateways and can you confirm they execute correctly?
Yes, I can confirm that the script is on the GW and executes correctly when started manually... see below the details of the script and what comes back when I send bogus information, executed manually.
In the curl_cli I had to add "-k" because the Let's Encrypt cert cannot be validated by the GW 😑
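Added example (not the script from the Cisco article and not the poster's own) of a user-defined alert handler as a shell script, covering two points raised in this thread: it writes a timestamped line to a file as its very first action, so the file answers whether the gateway ever started it at all, and it verifies the Umbrella server certificate against a CA bundle instead of passing -k to curl_cli. Assumptions: the gateway delivers the alert record on stdin in the "key: value;" form that fw log prints, the file paths, the --run argument in the UserAlert1 command line, the endpoint path and the JSON field names.

```shell
#!/bin/bash
# Hypothetical handler, e.g. $FWDIR/bin/umbrella_alert.sh, configured for UserAlert1
# as "umbrella_alert.sh --run". Assumption: the gateway pipes the alert record to the
# script on stdin as "key: value; key: value; ..." (the format fw log prints).
LOGFILE="${ALERT_LOGFILE:-/var/log/umbrella_alert.log}"          # assumed path
CA_BUNDLE="${ALERT_CA_BUNDLE:-/etc/ssl/certs/ca-bundle.crt}"     # assumed path
ENDPOINT="${ALERT_ENDPOINT:-https://s-platform.api.opendns.com/PLACEHOLDER_PATH}"
CURL="${CURL:-curl_cli}"   # Gaia's curl wrapper, as used in the thread

# alert_field RECORD KEY: print the value of "KEY: value;" in RECORD (empty if absent).
# A leading space is prepended so that "src" never matches inside "dst" and the like.
alert_field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2: \([^;]*\);.*/\1/p"
}

# record_invocation TEXT: append a UTC timestamp and TEXT to LOGFILE. This runs before
# anything else, so the file shows whether the gateway ever started the script.
record_invocation() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" >> "$LOGFILE"
}

# build_payload RECORD: JSON body from the fields we forward. The key names are
# constructed for this example; they are not Umbrella's API schema.
build_payload() {
    printf '{"src":"%s","dst":"%s","rule":"%s"}' \
        "$(alert_field "$1" src)" "$(alert_field "$1" dst)" "$(alert_field "$1" rule_name)"
}

# send_event PAYLOAD: POST it, verifying the server certificate against CA_BUNDLE
# (--cacert) instead of disabling verification with -k.
send_event() {
    "$CURL" --silent --show-error --fail --cacert "$CA_BUNDLE" \
        -H 'Content-Type: application/json' -X POST --data "$1" "$ENDPOINT"
}

# handle_alert RECORD: log receipt, forward, and log the outcome so failures are visible.
handle_alert() {
    record_invocation "received: $1" || return 1
    payload=$(build_payload "$1")
    if send_event "$payload"; then
        record_invocation "sent: $payload"
    else
        record_invocation "send failed: $payload"
        return 1
    fi
}
# Entry point, guarded so that sourcing the file for testing does not block on stdin.
if [ "${1:-}" = "--run" ]; then
    while IFS= read -r line; do handle_alert "$line"; done
fi
```

If the log file stays empty after a rule match, the gateway never ran the command, which narrows the problem to the alert configuration rather than the script or the Umbrella side.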
Did you solve the problem?
I'm also interested in the solution.