This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_W
Advisor
‎2022-05-31 07:16 AM

CheckPoint Umbrella Integration

Hi Mates,

anyone here that uses the Cisco Umbrella CheckPoint Integration?

https://support.umbrella.com/hc/en-us/articles/231248788

 

We're here on GW R80.40 and Management R81.10. Script is located in $FWDIR/bin on the Gateway. UserAlert1 is defined in GlobalProperties and a ThreatPrevention Rule is set to execute UserAlert1 when matched. But issue is that the script never gets triggered.

Manually execution of the script show's that it is communication with the Umbrella destination.
Every hint is very much appreciated 🙂 !

Cheers,

David

7 Replies
the_rock
Champion
Champion
‎2022-05-31 07:38 AM

Just a shot in the dark here, but do you see any relevant logs in dashboard? Anything related to script not being executed? If there is specific IP related to Cisco side, you can always try run fw ctl zdebug + drop | grep x.x.x.x on CP fw (just replace with relevant IP address)

Andy

0 Kudos
D_W
Advisor
‎2022-05-31 07:47 AM
In response to the_rock

I see a log to 67.215.70.75 (s-platform.api.opendns.com) when I manually execute the script.

I see the Threat Prevention rule matches and a log is generated with Type "Alert" but not log that shows outgoing traffic to 67.215.70.75.
Also I added some code that writes into a file when the script is running for logging if the script was executed or not but nothing...

0 Kudos
the_rock
Champion
Champion
‎2022-05-31 08:09 AM
In response to D_W

any errors?

Andy

0 Kudos
D_W
Advisor
‎2022-05-31 08:11 AM
In response to the_rock

No - are you aware of any CheckPoint Log File for the Tracking with "UserAlert1"?

0 Kudos
the_rock
Champion
Champion
‎2022-05-31 09:00 AM
In response to D_W

Have not seen it in a while.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-05-31 09:17 AM

Do the scripts exist on the gateways and can you confirm they execute correctly?

0 Kudos
D_W
Advisor
‎2022-06-01 12:09 AM
In response to PhoneBoy

Yes I can confirm that the script is on the GW and executes correctly when started manually... see below the details of the script and what comes back when I send bogus information executed manually.
In the curl_cli I had to add "-k" because the Let'SEncrypt Cert cannot be validated by the GW 😑

2022-06-01_08-30.png

0 Kudos