D_W
Advisor

CheckPoint Umbrella Integration

Hi Mates,

Anyone here who uses the Cisco Umbrella CheckPoint integration?

https://support.umbrella.com/hc/en-us/articles/231248788


We're here on GW R80.40 and Management R81.10. The script is located in $FWDIR/bin on the Gateway. UserAlert1 is defined in GlobalProperties and a ThreatPrevention rule is set to execute UserAlert1 when matched. But the issue is that the script never gets triggered.

Manual execution of the script shows that it is communicating with the Umbrella destination.
Every hint is very much appreciated 🙂 !

Cheers,

David

7 Replies
the_rock
Champion

Just a shot in the dark here, but do you see any relevant logs in dashboard? Anything related to the script not being executed? If there is a specific IP related to the Cisco side, you can always try running fw ctl zdebug + drop | grep x.x.x.x on the CP fw (just replace with the relevant IP address).

Andy

D_W
Advisor

I see a log to 67.215.70.75 (s-platform.api.opendns.com) when I manually execute the script.

I see the Threat Prevention rule matches and a log is generated with Type "Alert", but no log that shows outgoing traffic to 67.215.70.75.
Also, I added some code that writes to a file when the script runs, to log whether the script was executed or not, but nothing...

the_rock
Champion

Any errors?

Andy

D_W
Advisor

No. Are you aware of any CheckPoint log file for the tracking with "UserAlert1"?

the_rock
Champion

Have not seen it in a while.

PhoneBoy
Admin

Do the scripts exist on the gateways and can you confirm they execute correctly?

D_W
Advisor

Yes, I can confirm that the script is on the GW and executes correctly when started manually... see below the details of the script and what comes back when I send bogus information, executed manually.
In curl_cli I had to add "-k" because the Let's Encrypt cert cannot be validated by the GW 😑

[attachment: 2022-06-01_08-30.png]

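To pin down whether the gateway ever invokes UserAlert1 (the "writes to a file" check David mentions above), a tracing wrapper that records every invocation before handing the record to the real integration script is one way to do it. This is an added example, not the Umbrella script or Check Point code; it assumes the gateway runs the UserAlert1 command with the log record on stdin, and the script path $FWDIR/bin/umbrella_alert.sh and the trace file name are placeholders.

```shell
#!/bin/sh
# Hypothetical diagnostic wrapper for a Check Point user-defined alert
# (UserAlert1). Added example, not the Umbrella integration script.
# Assumptions: the gateway runs the UserAlert1 command with the log record
# on stdin, and the real script lives at $REAL_SCRIPT (placeholder path).

TRACE_LOG="${TRACE_LOG:-/var/log/useralert1_trace.log}"
REAL_SCRIPT="${REAL_SCRIPT:-$FWDIR/bin/umbrella_alert.sh}"   # assumed name

# Append one trace entry: timestamp, pid, uid, arguments and the record.
trace_invocation() {
  record="$1"
  shift
  {
    printf '%s pid=%s uid=%s args=[%s]\n' \
      "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$$" "$(id -u)" "$*"
    printf '  stdin: %s\n' "$record"
  } >> "$TRACE_LOG"
}

# Exit 0 if an entry for the given record was written, 1 otherwise.
was_traced() {
  grep -Fq -- "stdin: $1" "$TRACE_LOG"
}

# Read the alert record, trace it, then hand it to the real script.
main() {
  record="$(cat)"
  trace_invocation "$record" "$@"
  if [ -x "$REAL_SCRIPT" ]; then
    printf '%s\n' "$record" | "$REAL_SCRIPT" "$@"
  else
    printf 'real script %s missing or not executable\n' "$REAL_SCRIPT" \
      >> "$TRACE_LOG"
    return 1
  fi
}

# Run only when installed under this name (as UserAlert1's command), so
# the functions can also be sourced for testing.
case "${0##*/}" in
  useralert1_trace.sh) main "$@" ;;
esac
```

If the trace file stays empty while the "Alert" log appears, the gateway never reached the script and the problem is upstream of it. Once the Let's Encrypt chain is installed, point curl_cli at that bundle with --cacert instead of -k so certificate validation stays on.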