Check Point Browser Extension or Threat Prevention API - working with a Security Gateway or SandBlast Threat Emulation appliance
Solution

Table of Contents

  • Introduction
  • Installing the Security Gateway and Jumbo Hotfixes
  • Configuring Threat Emulation and Threat Extraction
  • Enabling the Threat Prevention API
  • Ensuring the Security Gateway Portal Certificate is Valid
  • Installation of SandBlast Threat Emulation appliance certificate on Endpoint clients
  • Configuring the Threat Extraction profile name and rule ID


Introduction

This article describes how to configure a Security Gateway or SandBlast Threat Emulation appliance to work with the Check Point browser extension for Harmony Browse and Harmony Endpoint.

To support Threat Emulation and Threat Extraction, a Security Gateway with the hotfix and configuration below is needed. Zero Phishing uses the Security Gateway only to report logs, not for enforcement.

The Check Point browser extension for Harmony Browse and Harmony Endpoint is supported only when the Security Gateway is configured to perform Threat Emulation locally, or on Check Point ThreatCloud.

Connecting the Check Point browser extension directly to a Threat Emulation appliance is supported. In that case, perform the following configurations on the Threat Emulation appliance and not on the Security Gateway.

Installing the Security Gateway and Jumbo Hotfixes

  1. Make sure the Security Gateway has two network interfaces.

  2. Install R80.x or higher on the Security Gateway, either in a distributed deployment (Security Gateway and Security Management Server on different computers) or in a standalone deployment on one computer.
  3. For an R80.10 Security Gateway, install the R80.10 Jumbo Hotfix on the Security Gateway.
    For other releases, there is no need to install a hotfix.

Configuring Threat Emulation and Threat Extraction

  1. In SmartConsole:

    1. Firewall tab: configure the Firewall Rulebase.

    2. Security Gateway object: define the Topology.

    3. Install the Access Policy.

    4. In the Security Gateway object properties:

      1. Enable the Threat Extraction blade. When the wizard opens, select Skip this configuration now -> click Next -> click Finish.
      2. Enable the Threat Emulation blade.


    5. In the UserCheck tab:

      1. Configure the portal to work over HTTPS:
        Go to UserCheck settings -> Main URL and make sure the URL starts with "https://" and ends with "/UserCheck".
        Note: Do not enter this URL in the SandBlast Browser 'Connected Servers' configuration page. Enter only the DNS name of the Gateway or its IP address.
      2. Change the main URL from IP-based to FQDN. For example:
        "https://CheckPoint.com/UserCheck".
      3. Install a valid certificate for the UserCheck portal. Under Certificate, click Import.... See more details in the "Portal Certificate" section below.
      4. If the Check Point browser extension connects to the Security Gateway on its external interface, then also configure:
        UserCheck settings -> Accessibility -> Accessible from all interfaces

        Important Note: by setting UserCheck accessible to all interfaces, the Security Gateway can receive requests from the Internet. To verify the API key is configured, see the "Enabling the Threat Prevention API" section below.


    6. Install the Access policy.

  2. Enable a Threat Prevention rule at position 1 that has a Threat Prevention Profile called "Recommended_Profile" on the relevant Appliance or Gateway. The profile name is case sensitive.

    In this profile, you must enable Threat Extraction. By default the plugin looks for an active rule 1 with a profile called "Recommended_Profile". If this does not exist, the Threat Extraction request fails.

    The rule number and profile name can be changed by editing the registry keys tex_profile_name and te_rule_id.
    For the procedure, refer to:
    • sk108695 - for a Standalone extension managed by GPO
    • sk121392 - for SandBlast extensions managed by the Endpoint Management Server.

Enabling the Threat Prevention API on the Security Gateway

  1. Use the GuiDBedit Tool:

    1. Close all SmartConsole windows.

    2. Connect with the GuiDBedit Tool to the Security Management Server or the Domain Management Server.

    3. Press CTRL+F and search for all the enable_scrub_web_service fields
    4. Set their values to true. Make sure you change all of them.

    5. Save the changes. Click File -> Save All.

  2. Close the GuiDBedit Tool.


Follow these steps:

  1. From SmartConsole, install the security policy on the Security Gateway.

  2. In the Security Gateway object properties, under the Threat Extraction tab, enable the Web API and install the policy.

  3. Connect to the command line on the Security Gateway and log in to Expert mode.

  4. In the vi editor, edit the file /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini
    Change the value of the logs_api_enabled to TRUE

    Note: This step allows the extension to issue logs for Zero Phishing. When using Threat Extraction it allows the user to access the original file.

  5. Run these commands:

    1. [Expert@HostName:0]# pkill scrubd

    2. [Expert@HostName:0]# /opt/CPUserCheckPortal/scripts/configure_scrub_web_service.sh enable

      Note: If the API key is not configured, this script generates a random API key. See api_key in the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file.
      Change the API key in this file if needed.
      Changes in TPAPI.ini are applied immediately.

    3. [Expert@HostName:0]# mpclient restart UserCheck


  6. Check the configuration:
    1. Copy and remove the api_key from the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file

    2. Check that the Security Gateway responds when trying to connect to portal via the URL:
      https://<IP_Address_of_Security_Gateway>/UserCheck/TPAPI

      Expected response (refer to Check Point Threat Prevention API Reference Guide):
      "{"response":[{"protocol_version":"1.1","src_ip":""}]}".

      Note: The UserCheck portal should be accessible on the relevant interface. This can be configured in the Security Gateway object in UserCheck -> Accessibility.
      This connectivity test only works if no API Key is configured. After an API key is configured the above URL returns "404 Page not found".

      If you are getting "Insecure response" or have certificate errors, it might be due to one of the following:
      - The certificate was issued to a different FQDN/IP than the one configured in the SandBlast Agent for Browsers policy
      - The certificate hash algorithm is SHA1, which is not accepted by modern browsers
      - The certificate is not trusted by the client and should be installed on the client
      - Note that the Firefox browser has its own certificate store, so importing the certificate into the Windows store is usually not enough

    3. Return the api_key to the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file.

  7. Send the api_key (from Step 6-A) to all the SmartEndpoint servers:
    Note: If you have an R80.40 server and Endpoint client E82.00 or later versions, skip to step number 8 and configure the api key in the step "Installation of SandBlast Threat Emulation appliance certificate on Endpoint clients".
    1. In GuiDBedit Tool, go to ep_orgp_te_policy_tbl.

    2. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value:
      api_key=<the api key from the GW (from Step 6-A)>

    3. Save the changes.

    4. Open SmartEndpoint.

    5. Make some small change in a SandBlast Agent Threat Emulation rule, which will cause it to load changes from the management database.

    6. Install the policy in SmartEndpoint.

      Note: When using R80.10 Threat Emulation appliance, follow these steps:

        1. Go to the following path in GuiDBEdit:
          Table -> Other -> ep_orgp_te_policy_table -> TE Browser Extension.

        2. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value:
          api_key=<the api key from the Security Gateway>


        3. Save the changes.

        4. Open SmartEndpoint.

        5. Make a small change in a SandBlast Agent Threat Emulation rule, which will cause it to load changes from GuiDBedit.

        6. Install policy in SmartEndpoint.

  8. To enable Threat Emulation logs, run the following command on the Security Gateway:

    [Expert@HostName:0]# tecli advanced remote emulator logs enable

    Note: Threat Emulation Engine Update 6 or above is required. Refer to sk95235.
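A small probe for the connectivity test in step 6, written for this article as an added example (not Check Point code): it fetches https://<FQDN>/UserCheck/TPAPI with full certificate and hostname verification, parses the expected JSON reply, treats a 404 as the sign that an api_key is already set, and maps the TLS failures to the three certificate causes listed above. The keyword matching on OpenSSL error strings is an assumption.

```python
import json
import ssl
import urllib.request
import urllib.error
from typing import Optional

# Constructed copy of the expected reply quoted in the article, used for offline checks.
SAMPLE_OK = '{"response":[{"protocol_version":"1.1","src_ip":""}]}'

def parse_tpapi_response(body: str) -> Optional[str]:
    """Return protocol_version from a TPAPI reply, or None if the body is not the expected shape."""
    try:
        doc = json.loads(body)
        return doc["response"][0]["protocol_version"]
    except (ValueError, KeyError, IndexError, TypeError):
        return None

def classify_tls_error(exc: Exception) -> str:
    """Map a verification failure to the causes the article lists (keyword match is an assumption)."""
    msg = str(exc).lower()
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "certificate issued to a different FQDN/IP than the portal URL"
    if "too weak" in msg or "sha1" in msg:
        return "certificate signed with SHA1, rejected by modern TLS stacks"
    if "self signed" in msg or "self-signed" in msg or "local issuer" in msg:
        return "certificate CA not trusted by this client; import the CA certificate"
    return "other TLS failure: " + str(exc)

def probe_tpapi(fqdn: str, timeout: float = 5.0) -> dict:
    """GET the TPAPI URL as a browser would (chain + hostname verified) and report the outcome.
    Meaningful only while no api_key is set in TPAPI.ini; afterwards the portal answers 404 by design."""
    url = f"https://{fqdn}/UserCheck/TPAPI"
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
        version = parse_tpapi_response(body)
        return {"ok": version is not None, "protocol_version": version, "detail": body[:200]}
    except urllib.error.HTTPError as e:  # subclass of URLError, so it must be caught first
        hint = "api_key is set in TPAPI.ini (404 is expected)" if e.code == 404 else f"HTTP {e.code}"
        return {"ok": False, "protocol_version": None, "detail": hint}
    except urllib.error.URLError as e:
        reason = e.reason
        detail = classify_tls_error(reason) if isinstance(reason, ssl.SSLError) else str(reason)
        return {"ok": False, "protocol_version": None, "detail": detail}
```

Run `probe_tpapi("gateway.example.com")` from a client machine that has the CA certificate installed; a "different FQDN/IP" result points at the SAN/CN of the imported portal certificate.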


Ensuring the Security Gateway Portal Certificate is Valid

The Check Point browser extension for Harmony Browse and Harmony Endpoint needs the Security Gateway certificate to be valid in order to successfully connect.

Criteria:

  1. The certificate must be valid. The URL of the Security Gateway must match the certificate DN.
  2. The browsers must trust the CA of the Certificate.

It is recommended to:

  1. Change the UserCheck portal URL to a FQDN (for example: gateway.example.com)
  2. Import a certificate from a valid CA. Either buy a certificate from a trusted CA or generate one from an internal trusted CA. The certificate must match the FQDN of the Security Gateway.
    Note: if the certificate is imported from a third-party CA, the IP address and FQDN must be added as a certificate SAN extension in the CSR. Otherwise the user will receive a certificate error.
  3. Add a DNS record for the FQDN. The DNS record must resolve to the relevant IP address of the Security Gateway.

For a POC, the following is possible:

  1. In SmartConsole:
    1. In the Security Gateway's object, go to the "UserCheck" pane - change the UserCheck portal URL to an FQDN (for example: gateway.example.com) - click OK
    2. Create an internal user with the name of defined UserCheck portal's FQDN: gateway.example.com
    3. In the user's object, go to "Certificates" pane - generate a *.p12 certificate
    4. In the Security Gateway's object, go to the "UserCheck" pane - import the newly created user's certificate
    5. Install policy
    6. Export the internal CA certificate:
      1. Go to "Servers and OPSEC" view
      2. Expand "Servers" -> expand "Trusted CA" - double-click on "internal_CA"
      3. Go to "Local Security Management Server" tab
      4. Click on "Save As..." button
  2. On the Client machine:
    1. Install the internal CA certificate exported in the previous step
    2. Change the Hosts file, so the FQDN will match the Security Gateway's IP address


Installing the SandBlast Threat Emulation appliance certificate on Endpoint clients

When enabling SandBlast Agent to work with a local (private) SandBlast Threat Emulation appliance, select a valid appliance management root CA certificate in order to establish TLS trust between the SandBlast Agent and the SandBlast Threat Emulation appliance.

  1. Connect with SmartDashboard to the Security Management server that manages your SandBlast Threat Emulation appliance.

  2. In the lower left corner, open Servers and OPSEC tab

  3. Go to Servers -> Trusted CAs folder

  4. Locate the internal_ca element

  5. Right-click the internal_ca element and click Edit:



  6. In the window that opens, go to the Local Security Management Server tab.

  7. Click Save As



  8. Save the internal_ca.crt file for future use.

  9. Open SmartEndpoint and go to the Policy tab.

  10. Locate the SandBlast Agent Threat Extraction and Emulation list entry and expand it.

  11. Change Use SandBlast Cloud to Use SandBlast Appliance:



  12. In the same menu, select Edit Shared Actions.

  13. In the dialog window that opens, click the Configure Appliances link.

  14. In the open window, fill in the Appliance IP field. For R80.40 servers or higher, you can use an FQDN.

  15. In the open window, fill in the Api key field. This applies only to an R80.40 Server or higher with Endpoint Security client E82.00 or higher.

  16. Click Manage, then click Import, and select the certificate saved in Step 8.

    The certificate appears in the list.

  17. Select the imported certificate and click Assign.

  18. Click OK in all open windows.

  19. Install the policy.

  20. Update policy on the client.

  21. Verify that files are sent to the SandBlast Threat Emulation appliance. Do this using the relevant tecli commands on the appliance.


Configuring the Threat Extraction profile name and rule ID

By default, the extension uses the Recommended_Profile and rule 1 for the Threat Extraction profile on the appliance.

The user can change these values if a different profile or rule is required:

  1. In the GuiDBedit tool, select Other -> ep_orgp_te_policy_tbl

  2. For each object with class name "ep_orgp_te_web_downloads_protection_action":
    Append to the field "browser_extensions_additional_data" a string that looks like this: "tex_profile_name=Recommended_Profile;te_rule_id=1"
    Modify the values as required. The profile name is case sensitive.

    The field contains ';' delimited keys, so don't forget to put ';' before the string if "browser_extensions_additional_data" contained other keys.

  3. Save all

  4. In SmartEndpoint, make a small change in the Threat Emulation policy so that it reads the GuiDBedit changes.

  5. Install the policy.

    Make sure the version of the policy was changed.
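The browser_extensions_additional_data field is edited by hand in step 7 of the API section (api_key) and again in this section (tex_profile_name, te_rule_id), and a missing ';' or a wrongly cased profile name silently breaks Threat Extraction. The following helper, added here as an example and not part of Check Point's tooling, merges keys into the field, preserves existing keys, never doubles or drops the separator, and reports the profile/rule the extension will actually use (defaults from this article when the keys are absent). The key values are constructed placeholders.

```python
from typing import Dict

# Values the extension assumes when the keys are absent (as stated in the article).
DEFAULTS = {"tex_profile_name": "Recommended_Profile", "te_rule_id": "1"}

def parse_additional_data(field: str) -> Dict[str, str]:
    """Split the ';'-delimited key=value field into a dict; empty fragments (e.g. a trailing ';') are ignored."""
    result: Dict[str, str] = {}
    for frag in field.split(";"):
        frag = frag.strip()
        if not frag:
            continue
        if "=" not in frag:
            raise ValueError(f"malformed fragment without '=': {frag!r}")
        key, value = frag.split("=", 1)
        result[key.strip()] = value.strip()
    return result

def render_additional_data(items: Dict[str, str]) -> str:
    """Join the keys back with exactly one ';' between entries and no trailing separator."""
    return ";".join(f"{k}={v}" for k, v in items.items())

def update_additional_data(field: str, **updates: str) -> str:
    """Return the field with the given keys set or replaced, keeping any other keys it already held."""
    data = parse_additional_data(field)
    for key, value in updates.items():
        if ";" in value or "=" in value:
            raise ValueError(f"value for {key} must not contain ';' or '='")
        data[key] = value
    return render_additional_data(data)

def effective_tex_settings(field: str) -> Dict[str, str]:
    """Profile name and rule id the extension will use for Threat Extraction.
    The profile name is case sensitive, so it is returned exactly as stored."""
    data = parse_additional_data(field)
    return {k: data.get(k, v) for k, v in DEFAULTS.items()}
```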
