ThreatCloud IntelliStore Quick Start Guide
Solution

Table of Contents:

  1. Introduction
  2. Prerequisites
  3. Configuration Procedure
  4. Appendix
    • Installing Add-On on Security Management Server
    • Viewing IntelliStore Hits in the User Center
    • Purchasing/Evaluating relevant IntelliStore feeds
    • Validating Feed Licensing and Entitlement
    • Reporting False Positives or Bad Classifications
    • Testing IntelliStore Feeds
  5. Related solutions

 

(I) Introduction

This article provides a step-by-step guide for configuring and evaluating ThreatCloud IntelliStore - a unique threat intelligence marketplace that enables organizations to select intelligence feeds that will automatically prevent cyberattacks. IntelliStore is an extension of Check Point's core security intelligence infrastructure, ThreatCloud, which delivers threat data from a worldwide network of threat sensors.

This article is intended for Network Administrators using Check Point R77.20 and above.

 

(II) Prerequisites

  1. The IntelliStore is supported on Security Gateway version R77.20 and above running on Gaia OS or SecurePlatform 2.6 OS.
  2. Both Anti-Virus blade and Anti-Bot blade must be enabled on Security Gateway.
  3. (Optional) To view IntelliStore Hits in the User Center:
    • R77.30 Add-On must be installed on R77.30 Security Management Server.
    • R77.20 Add-On must be installed on R77.20 Security Management Server.

 

(III) Configuration Procedure

Configuration Procedure consists of two steps.

  1. Step 1 - Installing a hotfix on Security Gateway R77.20

    Note: This step applies only to R77.20.

    On Security Gateway R77.20, follow the instructions in sk102649 - Security Gateway R77.20 fails to fetch new IntelliStore feeds.

  2. Step 2 - Activating the feeds on Security Gateway

    If you have not already purchased or evaluated IntelliStore feeds, then refer to "Appendix - Purchasing/Evaluating relevant IntelliStore feeds" section.

    1. Log in to the User Center.

    2. Go to ASSETS/INFO tab - click on Product Center:



    3. Go to the Services tab. In the left upper corner, select the relevant account:



    4. Verify you have valid ThreatCloud IntelliStore feeds.

      Note: If you do not have valid feeds, then refer to section "Appendix - Purchasing/Evaluating relevant IntelliStore feeds".

      Example:



    5. Bind the IntelliStore feed to the selected Security Gateway(s) by clicking on the feed's name.

      Example:



    6. Choose on which Security Gateways you would like to activate the IntelliStore feeds:

      • Automatic on All Gateways
      • Manual on Selected Gateways



    7. Select the feed policy for the Security Gateway:

      • Use Gateway Policy & Hit Analysis
      • Log & Hit Analysis
      • Hit Analysis
      • Inactive

      Note: The policy selection affects the Security Gateway only if you have installed the Management Add-On (as described in the "Appendix - Installing Add-On on Security Management Server" section). If the Management Add-On is not installed, the feeds use the Security Gateway's default settings.

      Policy feed selection options:



    8. Click on Save button in the upper right corner.

      Example:



    9. Repeat Steps 5-7 for each of the IntelliStore feeds.

    10. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    11. Install the Network Security and Threat Prevention policy onto the selected Security Gateways.

    12. Verify the feeds have been updated on the selected Security Gateways. Refer to the "Appendix - Validating Feed Licensing and Entitlement" section.

 

(IV) Appendix

 

Appendix - Installing Add-On on Security Management Server

The Management Add-On provides the ability to integrate the User Center with the Security Gateways, as well as to view IntelliStore feed hits and analysis on the User Center website. This Add-On is a prerequisite for viewing IntelliStore Hits in the User Center.

Follow the instructions in:

 

Appendix - Viewing IntelliStore Hits in the User Center

  1. Install the Management Add-On as described in:



  2. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  3. Open the properties of the involved Security Gateway / Cluster object.

  4. Go to Anti-Bot and Anti-Virus pane.

  5. Check the following boxes in the Check Point ThreatCloud section:

    • Share anonymous attack information with Check Point ThreatCloud
    • Allow me to view attack statistics in my User Center account



  6. Click on OK to apply the changes.

  7. Install the policy on this Security Gateway / Cluster object.

  8. Log in to the User Center.

  9. Go to ASSETS/INFO tab - click on Product Center:



  10. Go to the Services tab. In the left upper corner, select the relevant account:



  11. In the ThreatCloud IntelliStore line, click on the number in the Valid column.

  12. Click on Show IntelliStore Hits button.

    Example:



  13. A table is displayed showing the hit count from all valid feeds during the last 30 days.

    Note: The hit count in the User Center may take up to 2 hours to update.

    Example:



  14. In the resulting table, you can click any of the hit count numbers to get a detailed report of the detected malware.

  15. You can also click on any one of the tabs to view analysis of the hits per severity, trend line, or to compare the different active feeds.

    Example of Trend Line:

 

Appendix - Purchasing/Evaluating relevant IntelliStore feeds

  1. Log in to the User Center.

  2. Go to SALES TOOLS tab - click on Product Catalog & Quoting:



  3. Click on NETWORK SECURITY tab - in the section Security Cloud Services & Mobility, click on ThreatCloud IntelliStore:



  4. Click on each feed in which you are interested:

    • For evaluating this feed, click on Try Now button.
    • For purchasing this feed, click on Select button.

    Example:



  5. Make sure you select the account in which you would like to activate the feeds.

    Example:



  6. Once you have selected your feeds, you should be able to see them in your User Center Services section, as detailed in Step 3 above.

 

Appendix - Validating Feed Licensing and Entitlement

Note: It may take several minutes (up to 5) for the feeds to get updated on the Security Gateway after activating them in the User Center.

  1. Connect with SmartView Monitor to Security Management Server / Domain Management Server.

  2. In the upper right pane, select the relevant Security Gateway / cluster member.

  3. In the lower pane, in the Anti-Bot & Anti-Virus section, click on More...

    Example:



  4. Scroll to the bottom of the displayed screen - in the lower left corner, click on ThreatCloud IntelliStore link.

    Example:



  5. Verify that the appropriate feeds are listed (Anti-Virus and Anti-Bot).

    Example:



  6. For R77.20 and R77.30 only: Refer to sk104601 - Check Point ThreatCloud IntelliStore partners names mapping.

 

Appendix - Reporting False Positives or Bad Classifications

Each vendor is responsible for the quality and validity of its feed. If you believe that triggered events are erroneous or false positives, you can report them using the following procedure:

  1. Connect with SmartEvent GUI to SmartEvent Server.

  2. Go to Threat Prevention tab.

  3. Locate the event you would like to report.

  4. Right-click on the event - click on "Report Event to Check Point".

    Example:



  5. You may add any additional information that can help the feed vendor assess your incident.
    If you would like to receive updates or correspondence from the vendor, add your e-mail address.

    Example:



  6. Click on Send button.

 

You may also report a wrong classification in the Check Point UserCheck screen when "Prevent" mode is configured in the appropriate policy. The UserCheck screen is visible to the end users who trigger an Anti-Virus or an Anti-Bot event.

To report a wrong classification, click the link as illustrated in the example below:

 

Appendix - Testing IntelliStore Feeds

You may use the table below to verify that the IntelliStore feeds are indeed identified by the Security Gateways (through SmartLog or SmartView Tracker).

If you have installed and configured the R77.20/R77.30 Add-On, you should be able to see the hits analysis in the User Center (allow 2 hours for hits to be presented).

The links below are harmless and do NOT include any malware.

Important Note: Make sure you have configured the feeds correctly and checked for licensing entitlement BEFORE clicking these links (refer to the "Validating Feed Licensing and Entitlement" section). If you click these links before the feeds have been updated, your Security Gateway will add the test domain to its cache as benign. It may take as long as 24 hours for the Security Gateway's cache to clear and re-check ThreatCloud.

Test links per vendor (Anti-Virus test link, then Anti-Bot test link):

  CrowdStrike
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/CrowdStrike_test.html
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/CrowdStrike_test_AB.html

  IID
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/IID_test.html
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/IID_test_AB.html

  iSIGHT Partners
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/iSIGHT_Partners_test.htm
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/iSIGHT_Partners_test_AB.htm

  Malware Patrol
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/Malware_Patrol_test.html
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/Malware_Patrol_test_AB.html

  Mnemonic
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/Mnemonic_test.html
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/Mnemonic_test_AB.html

  NetClean
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/NetClean_test.html
    • Anti-Bot Test link: This vendor has no Anti-Bot feed

  Norse
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/Norse_test.html
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/Norse_test_AB.html

  PhishLabs
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/PhishLabs_test.htm
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/PhishLabs_test_AB.htm

  SentryBay
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/SentryBay_test.htm
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/SentryBay_test_AB.htm

  SenseCy
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/SenseCy_test.html
    • Anti-Bot Test link: http://www.threat-cloud.com/IntelliStore/test/SenseCy_test_AB.html

  ZeroFOX
    • Anti-Virus Test link: http://www.threat-cloud.com/IntelliStore/test/ZeroFox_test.html
    • Anti-Bot Test link: This vendor has no Anti-Bot feed

 

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Applies To:
  • This SK replaces sk103878, sk104236
