Hi Mates,
Is anyone here using the Cisco Umbrella Check Point integration?
https://support.umbrella.com/hc/en-us/articles/231248788
We're here on GW R80.40 and Management R81.10. The script is located in $FWDIR/bin on the Gateway. UserAlert1 is defined in Global Properties and a Threat Prevention rule is set to execute UserAlert1 when matched. But the issue is that the script never gets triggered.
Manual execution of the script shows that it is communicating with the Umbrella destination.
Every hint is very much appreciated 🙂 !
Cheers,
David
Just a shot in the dark here, but do you see any relevant logs in the dashboard? Anything related to the script not being executed? If there is a specific IP related to the Cisco side, you can always try running fw ctl zdebug + drop | grep x.x.x.x on the CP fw (just replace with the relevant IP address).
Andy
I see a log to 67.215.70.75 (s-platform.api.opendns.com) when I manually execute the script.
I see the Threat Prevention rule matches and a log is generated with Type "Alert", but no log that shows outgoing traffic to 67.215.70.75.
I also added some code that writes into a file when the script is running, to log whether the script was executed or not, but nothing...
Any errors?
Andy
No - are you aware of any Check Point log file for the tracking with "UserAlert1"?
Have not seen it in a while.
Do the scripts exist on the gateways and can you confirm they execute correctly?
Yes, I can confirm that the script is on the GW and executes correctly when started manually... see below the details of the script and what comes back when I send bogus information executed manually.
In the curl_cli I had to add "-k" because the Let's Encrypt cert cannot be validated by the GW 😑
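The "write to a file to see whether the gateway ever runs the script" approach from the replies above, as an added example and not the original script, Cisco's, or Check Point's: a wrapper that logs every invocation, the record it receives on stdin, and the exit status of the real script before handing off, so the debug log shows whether the alert mechanism or the curl call is the part that never happens. It assumes the log record arrives on stdin, a placeholder path $FWDIR/bin/umbrella_alert.sh for the real script, and a --forward flag added to the UserAlert1 command line.

```shell
#!/bin/bash
# Debug wrapper for a Check Point user-defined alert (added example, not from the thread).
# Assumption: the gateway pipes the matching log record to the alert script on stdin.
# Placeholder paths; adjust for the real deployment.
ALERT_LOG="${ALERT_LOG:-/var/log/useralert1_debug.log}"
REAL_SCRIPT="${REAL_SCRIPT:-$FWDIR/bin/umbrella_alert.sh}"

# Append one timestamped line to the debug log.
log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$1" >> "$ALERT_LOG"
}

# Read the alert record from stdin, log it, forward it unchanged to the real
# script, and log that script's exit status. Returns the forwarder's exit code,
# or 2 when the gateway invoked us without any record.
handle_alert() {
    record="$(cat)"
    log_line "invoked pid=$$ uid=$(id -u) args='$*' stdin_bytes=${#record}"
    if [ -z "$record" ]; then
        log_line "empty record; nothing forwarded"
        return 2
    fi
    log_line "record: $record"
    printf '%s\n' "$record" | "$REAL_SCRIPT" "$@"
    rc=$?
    log_line "forwarder exit=$rc"
    return "$rc"
}

# Number of invocations the debug log has recorded so far (0 if no log yet).
count_invocations() {
    [ -f "$ALERT_LOG" ] || { echo 0; return; }
    grep -c ' invoked pid=' "$ALERT_LOG"
}

# Only forward when called with --forward (put that flag in the UserAlert1
# command in Global Properties); without it the functions can be sourced.
if [ "${1:-}" = "--forward" ]; then
    shift
    handle_alert "$@"
    exit $?
fi
```

If the debug log stays empty while the rule keeps logging "Alert", the gateway is not invoking the command at all; if it records invocations but a non-zero forwarder exit, the problem is in the Umbrella call itself.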