This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_W
Advisor
‎2022-05-31 07:16 AM

CheckPoint Umbrella Integration

Hi Mates,

anyone here that uses the Cisco Umbrella CheckPoint Integration?

https://support.umbrella.com/hc/en-us/articles/231248788

 

We're here on GW R80.40 and Management R81.10. Script is located in $FWDIR/bin on the Gateway. UserAlert1 is defined in GlobalProperties and a ThreatPrevention Rule is set to execute UserAlert1 when matched. But issue is that the script never gets triggered.

Manually execution of the script show's that it is communication with the Umbrella destination.
Every hint is very much appreciated 🙂 !

Cheers,

David

9 Replies
the_rock
Legend
Legend
‎2022-05-31 07:38 AM

Just a shot in the dark here, but do you see any relevant logs in dashboard? Anything related to script not being executed? If there is specific IP related to Cisco side, you can always try run fw ctl zdebug + drop | grep x.x.x.x on CP fw (just replace with relevant IP address)

Andy

0 Kudos
D_W
Advisor
‎2022-05-31 07:47 AM
In response to the_rock

I see a log to 67.215.70.75 (s-platform.api.opendns.com) when I manually execute the script.

I see the Threat Prevention rule matches and a log is generated with Type "Alert" but not log that shows outgoing traffic to 67.215.70.75.
Also I added some code that writes into a file when the script is running for logging if the script was executed or not but nothing...

0 Kudos
the_rock
Legend
Legend
‎2022-05-31 08:09 AM
In response to D_W

any errors?

Andy

0 Kudos
D_W
Advisor
‎2022-05-31 08:11 AM
In response to the_rock

No - are you aware of any CheckPoint Log File for the Tracking with "UserAlert1"?

0 Kudos
the_rock
Legend
Legend
‎2022-05-31 09:00 AM
In response to D_W

Have not seen it in a while.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-05-31 09:17 AM

Do the scripts exist on the gateways and can you confirm they execute correctly?

0 Kudos
D_W
Advisor
‎2022-06-01 12:09 AM
In response to PhoneBoy

Yes I can confirm that the script is on the GW and executes correctly when started manually... see below the details of the script and what comes back when I send bogus information executed manually.
In the curl_cli I had to add "-k" because the Let'SEncrypt Cert cannot be validated by the GW 😑

2022-06-01_08-30.png

0 Kudos
starmen2000
Advisor
Advisor
‎2023-11-20 01:31 AM
In response to D_W

Do you solve the problem?

0 Kudos
6a8496cf-c878-4
Explorer
Explorer
‎2023-11-22 05:46 AM
In response to D_W

I'm also interested in the solution.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 07 Oct 2025 @ 09:30 AM (CEST)

    CheckMates Live Denmark!
    CheckMates Events