SandBlast Agent for Browsers - working with Security Gateway or SandBlast Threat Emulation appliance
Solution

Table of Contents

  • Abstract
  • Configuring Threat Emulation and Threat Extraction
  • Enabling the Threat Prevention API
  • Portal Certificate
  • Installation of SandBlast Threat Emulation appliance certificate on Endpoint clients
  • Configuring the Threat Extraction profile name and rule ID

 

Abstract

This article describes the required steps on a Security Gateway or SandBlast Threat Emulation appliance to work with SandBlast Agent for Browsers.

Action plan (detailed steps are provided below):

  1. Install R77.30 / R80.x Security Gateway.
  2. On R77.30 Security Management: Install R77.30 Add-on.
  3. On R77.30 Security Gateway: Install the R77.30 Jumbo Hotfix.
  4. On R80.10 Security Gateway: Install the R80.10 Jumbo Hotfix.
  5. Enable the Threat Prevention API on the Security Gateway.

Note: A Security Gateway (including the hotfix and configuration below) is needed for Threat Emulation and Threat Extraction. Zero Phishing needs the Security Gateway only to report logs; it is not needed for enforcement.

 

Configuring Threat Emulation and Threat Extraction

  1. The Security Gateway machine should have 2 network interfaces.

  2. Install R77.30 / R80.x (Security Gateway and Security Management Server, or a StandAlone machine).

  3. For R77.30 Security Gateway:

    1. Install the R77.30 Add-on on the Security Management Server machine.

    2. Install the R77.30 Jumbo Hotfix on the Security Gateway.

  4. For R80.10 Security Gateway, install the R80.10 Jumbo Hotfix on the Security Gateway.

  5. In the SmartDashboard/SmartConsole:

    1. Firewall tab: configure Firewall rulebase.

    2. Security Gateway object: define topology.

    3. Install security / access policy.

    4. In the Security Gateway object properties:

      1. Enable the Threat Extraction blade (when the wizard opens, select "Skip this configuration now" -> click Next -> click Finish).

      2. Enable the Threat Emulation blade.


    5. UserCheck tab:

      1. Configure the portal to work over HTTPS:
        UserCheck settings -> Main URL -> make sure it starts with "https://" and ends with "/UserCheck"
      2. Note: Do not enter this URL in the SandBlast Agent for Browsers 'Connected Servers' configuration page; enter only the gateway's DNS name or its IP address.
      3. Change the main URL from IP-based to FQDN, e.g. "https://CheckPoint.com/UserCheck".
      4. Install a valid certificate for the UserCheck portal by clicking "Import..." under "Certificate" (see the "Portal Certificate" section below).

      5. If the SandBlast Agent for Browsers connects to the Security Gateway on its external interface, then also configure:
        UserCheck settings -> Accessibility -> Accessible from all interfaces

        Important Note: with UserCheck accessible from all interfaces, the Security Gateway accepts requests from the Internet. Verify that the API key is configured (see the "Enabling the Threat Prevention API" section below).


    6. Install security / access policy.

  6. Enable a Threat Prevention rule at position 1 that uses a Threat Prevention Profile called "Recommended_Profile" on the relevant appliance/gateway (the profile name is case sensitive).

    Threat Extraction must be enabled within this profile. By default the extension looks for an active rule 1 with a profile called "Recommended_Profile"; if no such rule exists, the Threat Extraction request fails.

    The rule number and profile name can be changed with the tex_profile_name and te_rule_id registry keys.
    For the procedure, refer to:
    • sk108695 - for the StandAlone extension managed by GPO
    • sk121392 - for SandBlast extensions managed by the Endpoint Management server.

Note: The SandBlast Agent for Browsers is supported only when the Security Gateway is configured to perform Threat Emulation locally, or on Check Point ThreatCloud.

Connecting SandBlast Agent for Browsers directly to Threat Emulation appliance is supported (the above actions for Security Gateway should be performed on the Threat Emulation appliance instead).

 

Enabling the Threat Prevention API

  1. Use the GuiDBedit Tool:

    1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

    3. Press CTRL+F, search for all enable_scrub_web_service fields and set each of them to true. Make sure you changed all of them.

    4. Save the changes: go to File menu - click on Save All.

  2. Close the GuiDBedit Tool.

Follow these steps:

  • For R80.x Security Gateway

    1. From the SmartConsole, install the security policy on the Security Gateway.

    2. In the Security Gateway object properties, under "Threat Extraction" tab, enable Web API and install policy.

    3. Connect to the command line on the Security Gateway and log in to Expert mode.

    4. Edit the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file in the vi editor and change the value of logs_api_enabled to "TRUE".

      Note: This step allows the extension to issue logs for Zero Phishing and for users accessing the original file (when using Threat Extraction).

    5. Run these commands:

      1. [Expert@HostName:0]# pkill scrubd

      2. [Expert@HostName:0]# /opt/CPUserCheckPortal/scripts/configure_scrub_web_service.sh enable

        Note: If no API key is configured, this script generates a random API key. See api_key in the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file.
        Change the API key in this file if needed.
        Changes in TPAPI.ini are applied immediately.

      3. [Expert@HostName:0]# mpclient restart UserCheck


    6. Check the configuration:
      1. Copy and remove the api_key from the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file

      2. Check that the Security Gateway responds when trying to connect to portal via:
        https://<IP_Address_of_Security_Gateway>/UserCheck/TPAPI

        Expected response (refer to Check Point Threat Prevention API Reference Guide):
        "{"response":[{"protocol_version":"1.1","src_ip":""}]}".

        Note: The UserCheck portal should be accessible on the relevant interface. This can be configured in the Security Gateway object -> UserCheck -> Accessibility.
        This connectivity test will only work as long as no API Key is configured. As soon as an API key is configured the URL above will return "404 Page not found".

        If you are getting "Insecure response" or have certificate errors, it might be due to one of the following:
        - The certificate was issued to a different FQDN/IP than the one configured in the SBA4B policy
        - The certificate hash algorithm is SHA1, which is not accepted by modern browsers
        - The certificate is not trusted by the client and should be installed there
        - Note that Firefox has its own certificate store, so importing the certificate into the Windows store is usually not enough

      3. Return the api_key to the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file.

    7. Send the api_key (from Step 6-A) to all the SmartEndpoint servers:

      1. In GuiDBedit Tool, go to ep_orgp_te_policy_tbl.

      2. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value:
        api_key=<the api key from the GW (from Step 6-A)>

      3. Save the changes.

      4. Open SmartEndpoint.

      5. Make some small change in a SandBlast Agent Threat Emulation rule, which will cause it to load changes from the management database.

      6. Install policy in SmartEndpoint.

        Note: When using R80.10 TE appliance, follow these steps:

        1. In GuiDBedit, go to Table -> Other -> ep_orgp_te_policy_table -> TE Browser Extension.

        2. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value:
          api_key=<the api key from the Security Gateway>



        3. Save the changes.

        4. Open SmartEndpoint.

        5. Make a small change in a SandBlast Agent Threat Emulation rule, which will cause it to load changes from GuiDBedit.

        6. Install policy in SmartEndpoint.


    8. To enable Threat Emulation logs, run the following command on the Security Gateway:

      [Expert@HostName:0]# tecli advanced remote emulator logs enable

      Note: Threat Emulation Engine Update 6 or above is required. Refer to sk95235.

    Note: On R80.10 running on VM, use the same instructions.


  • For R77.30 Security Gateway

    1. From the SmartDashboard, install the security policy on the Security Gateway.

    2. Connect to command line on the Security Gateway and log in to the Expert mode.

    3. Edit the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file in the vi editor and change the value of logs_api_enabled to "TRUE".

      Note: This step allows the extension to issue logs for Zero Phishing and for users accessing the original file (when using Threat Extraction), and requires R77.30 Jumbo Hotfix Take 128 or above to be installed.

    4. Run these commands:

      1. [Expert@HostName:0]# pkill scrubd

      2. [Expert@HostName:0]# /opt/CPUserCheckPortal/scripts/configure_scrub_web_service.sh enable

      3. [Expert@HostName:0]# mpclient restart UserCheck

      4. Check that the gateway responds when trying to connect to portal via:
        https://<IP_Address_of_Security_Gateway>/UserCheck/TPAPI

        Expected response (refer to Check Point Threat Prevention API Reference Guide):
        "{"response":[{"protocol_version":"1.1","src_ip":""}]}".

        Note: The UserCheck portal should be accessible on the relevant interface. This can be configured in the Security Gateway object -> UserCheck -> Accessibility. This connectivity test will only work as long as no API Key is configured. As soon as an API key is configured, the URL above will return "404 Page not found".

        If you are getting "Insecure response" or have certificate errors, it might be due to one of the following:
         - The certificate was issued to a different FQDN/IP than the one configured in the SBA4B policy
         - The certificate hash algorithm is SHA1, which is not accepted by modern browsers
         - The certificate is not trusted by the client and should be installed there
         - Note that Firefox has its own certificate store, so importing the certificate into the Windows store is usually not enough


    5. Edit the /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini file in Vi editor.
      Set api_key to the desired API Key (changes in the TPAPI.ini file take effect immediately).

    6. To enable Threat Emulation logs, run the following command on the Security Gateway:

      [Expert@HostName:0]# tecli advanced remote emulator logs enable

      Note: Threat Emulation Engine Update 6 or above is required. Refer to sk95235.
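The R80.x and R77.30 procedures above both edit TPAPI.ini by hand and then probe https://<gateway>/UserCheck/TPAPI from a browser to confirm the API answers. The following POSIX shell helpers are an added example, not a Check Point script: they set or read a key in TPAPI.ini without clobbering the rest of the file, probe the portal with curl while leaving certificate verification on (so a TLS failure here reproduces the error SandBlast Agent for Browsers would hit instead of hiding it), and classify the result against the two outcomes the article describes (the protocol_version response when no API key is set, "404" once one is). The "key = value" line format of TPAPI.ini, the curl invocation and the script name tpapi_check.sh are assumptions; the file path and the expected responses are the article's.

```shell
#!/bin/sh
# Added example (not Check Point's own script). Assumes TPAPI.ini holds
# "key = value" lines; the default path is the one named in the article.
TPAPI_INI=${TPAPI_INI:-/opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini}

# Print the value of a key (quotes and surrounding blanks stripped); nothing if unset.
tpapi_get() {   # $1 = key, $2 = ini file
  awk -v k="$1" '
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
      if (key == k) {
        v = substr($0, index($0, "=") + 1)
        sub(/^[ \t"]+/, "", v); sub(/[ \t"]+$/, "", v)
        print v; exit
      }
    }' "$2"
}

# Set key = value, replacing an existing line or appending a new one.
# Rewrites through a temp file so a failed awk never truncates the ini.
tpapi_set() {   # $1 = key, $2 = value, $3 = ini file
  tmp="$3.tmp.$$"
  awk -v k="$1" -v val="$2" '
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
      if (key == k) { print k " = " val; done = 1; next }
    }
    { print }
    END { if (!done) print k " = " val }
  ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# Map an HTTP status and body from /UserCheck/TPAPI to the outcomes the article lists:
#   api-open     200 carrying protocol_version -> API reachable, no API key configured yet
#   api-key-set  404                           -> expected once api_key is set in TPAPI.ini
#   unexpected   anything else (portal not accessible on this interface, wrong URL, ...)
tpapi_classify() {   # $1 = HTTP status code, $2 = response body
  case "$1:$2" in
    200:*'"protocol_version"'*) echo api-open ;;
    404:*)                      echo api-key-set ;;
    *)                          echo unexpected ;;
  esac
}

# Probe the portal. Certificate verification stays on: a TLS failure here is the same
# failure the browser extension would hit, so it is reported rather than bypassed.
tpapi_probe() {   # $1 = gateway FQDN or IP, $2 = optional CA bundle (PEM)
  gw=$1
  if [ -n "${2:-}" ]; then set -- --cacert "$2"; else set --; fi
  out=$(curl -sS "$@" -w '\n%{http_code}' "https://$gw/UserCheck/TPAPI") || {
    echo tls-or-connect-error; return 1; }
  tpapi_classify "$(printf '%s\n' "$out" | tail -n 1)" "$(printf '%s\n' "$out" | sed '$d')"
}

# Usage on the gateway (script name is hypothetical):
#   sh tpapi_check.sh enable-logs            # logs_api_enabled = TRUE
#   sh tpapi_check.sh show-key               # print api_key
#   sh tpapi_check.sh probe gw.example.com   # gw.example.com is a placeholder
case "${1:-}" in
  enable-logs) tpapi_set logs_api_enabled TRUE "$TPAPI_INI" ;;
  show-key)    tpapi_get api_key "$TPAPI_INI" ;;
  probe)       tpapi_probe "$2" "${3:-}" ;;
esac
```

The probe result "api-key-set" is the success case once you have finished the procedure: the article states the open URL stops answering as soon as an API key is configured, so a 404 after that point is the expected state, not a fault.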

 

Portal Certificate

SandBlast Agent for Browsers needs the Security Gateway certificate to be valid in order to connect successfully.

Criteria:

  1. Certificate must be valid - Security Gateway's URL needs to match the certificate DN
  2. The browsers must trust the Certificate's CA.

It is recommended to:

  1. Change the UserCheck portal URL to a FQDN (for example: gateway.example.com)
  2. Import a certificate from valid CA (either buy one from a trusted CA or generate one from internal trusted CA), which matches the Security Gateway's FQDN
    Note: if the certificate is issued by a 3rd-party CA, the IP address and FQDN must be added as a certificate SAN extension in the CSR. Otherwise the user will receive a certificate error.
  3. Add DNS record for the FQDN with the Security Gateway's relevant IP address

For a POC, it is possible to:

  1. In the SmartDashboard:
    1. In the Security Gateway's object, go to the "UserCheck" pane - change the UserCheck portal URL to an FQDN (for example: gateway.example.com) - click OK
    2. Create an internal user with the name of the defined UserCheck portal's FQDN: gateway.example.com
    3. In the user's object, go to the "Certificates" pane - generate a *.p12 certificate
    4. In the Security Gateway's object, go to the "UserCheck" pane - import the newly created user's certificate
    5. Install policy
    6. Export the internal CA certificate:
      1. Go to "Servers and OPSEC" view
      2. Expand "Servers" -> expand "Trusted CA" - double-click on "internal_CA"
      3. Go to "Local Security Management Server" tab
      4. Click on "Save As..." button
  2. On the Client machine:
    1. Install the internal CA certificate exported in the previous step
    2. Change the Hosts file, so the FQDN will match the Security Gateway's IP address
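The criteria above (portal URL matching the certificate, a CA the browsers trust, and, for a third-party CA, both the FQDN and the IP address in the SAN of the CSR) can be checked before the certificate is imported into the UserCheck portal. The following POSIX shell functions are an added example, not a Check Point tool: they write an openssl request configuration whose SAN carries the FQDN and IP, produce the CSR from it, and check an issued PEM certificate for the FQDN in its SAN, a signature algorithm other than SHA1 (which the article says modern browsers reject), and an unexpired validity period. gateway.example.com is the article's example FQDN; 192.0.2.10 is a constructed placeholder address; openssl on the path is assumed. Whether the browser trusts the issuing CA depends on the client's certificate store (Firefox's own store included), as the article notes, so these checks do not cover it.

```shell
#!/bin/sh
# Added example (not from the article): CSR with the SAN the portal needs, and
# checks on the issued certificate. gateway.example.com is the article's example
# FQDN; 192.0.2.10 is a constructed placeholder IP. Requires openssl.

# Write an openssl request config whose SAN lists both the FQDN and the IP,
# as the article requires for certificates issued by a 3rd-party CA.
usercheck_san_config() {   # $1 = FQDN, $2 = IP address, $3 = output config path
  cat > "$3" <<EOF
[ req ]
distinguished_name = dn
req_extensions = san
prompt = no
[ dn ]
CN = $1
[ san ]
subjectAltName = DNS:$1, IP:$2
EOF
}

# Generate a private key and the CSR to send to the CA (key stays on the gateway side).
usercheck_csr() {   # $1 = FQDN, $2 = IP address, $3 = output directory
  usercheck_san_config "$1" "$2" "$3/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$3/req.cnf" \
    -keyout "$3/usercheck.key" -out "$3/usercheck.csr" 2>/dev/null
}

# Return 0 when the certificate's SAN lists the given entry, 1 otherwise.
cert_has_san() {   # $1 = PEM certificate, $2 = "DNS:name" or "IP Address:a.b.c.d"
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |   # the SAN values are on the next line
    tr ',' '\n' | sed 's/^ *//' | grep -qx "$2"
}

# Return 0 unless the certificate is signed with SHA1.
cert_not_sha1() {   # $1 = PEM certificate
  ! openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha1'
}

# Combined check mirroring the article's criteria for the portal certificate:
# name matches the portal FQDN, not SHA1, and not expired. CA trust is the
# client's concern and is not checked here.
cert_ok_for_portal() {   # $1 = PEM certificate, $2 = portal FQDN
  cert_has_san "$1" "DNS:$2" && cert_not_sha1 "$1" &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage (script name is hypothetical):
#   sh portal_cert.sh csr gateway.example.com 192.0.2.10 ./out
#   sh portal_cert.sh check ./out/issued.crt gateway.example.com
case "${1:-}" in
  csr)   usercheck_csr "$2" "$3" "${4:-.}" ;;
  check) if cert_ok_for_portal "$2" "$3"; then echo ok; else echo "certificate does not meet the portal criteria"; fi ;;
esac
```

The check deliberately requires the FQDN as a DNS SAN entry rather than only in the CN, because that is what browsers validate; the IP entry matters only if the 'Connected Servers' page points at the gateway by address rather than by name.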

 

Installation of SandBlast Threat Emulation appliance certificate on Endpoint clients

When enabling SandBlast Agent to work with a local (private) SandBlast Threat Emulation appliance, a valid appliance management root CA certificate should be selected in order to establish TLS trust between SandBlast Agent and the SandBlast Threat Emulation appliance.

  1. Connect with SmartDashboard to the Security Management server that manages your SandBlast Threat Emulation appliance.

  2. In the lower left corner, open Servers and OPSEC tab

  3. Go to Servers -> Trusted CAs folder

  4. Locate the internal_ca element

  5. Right-click the internal_ca element and click 'Edit...':



  6. In the opened dialog go to the Local Security Management Server tab.

  7. Click the Save As... button:



  8. Save the internal_ca.crt file for future use.

  9. Open SmartEndpoint and go to the Policy tab.

  10. Locate the SandBlast Agent Threat Extraction and Emulation list entry and expand it.

  11. Change 'Use SandBlast Cloud...' drop-down list menu to 'Use SandBlast Appliance...':



  12. In the same dropdown menu, select the 'Edit Shared Actions'.

  13. In the opened dialog window, click the 'Configure Appliances' link.

  14. In the opened dialog, fill the 'Appliance IP' field.

  15. Click 'Manage' button, then click 'Import...' button and select the certificate saved in Step 8.

  16. After importing the certificate, it should appear in the list.

  17. Select the imported certificate and click 'Assign'.

  18. Click OK in all opened dialog windows.

  19. Install policy.

  20. Update policy on the client.

  21. Verify that files are sent to the SandBlast Threat Emulation appliance using the relevant tecli commands on the appliance.


Configuring the Threat Extraction profile name and rule ID

By default, the extension will use "Recommended_Profile" and "rule 1" for the Threat Extraction profile on the appliance.

The user can control these values if a different profile/rule should be used:

  1. In GuiDBedit tool -> Other -> ep_orgp_te_policy_tbl

  2. For each object with class name == "ep_orgp_te_web_downloads_protection_action":
    Append to the field "browser_extensions_additional_data" a string that looks like this: "tex_profile_name=Recommended_Profile;te_rule_id=1" (modify the values as needed).

    The field contains ';' delimited keys, so don't forget to put ';' before the string if "browser_extensions_additional_data" contained other keys.

  3. Save all

  4. In SmartEndpoint, make a small change in the TE policy (so that it reads the GuiDBedit changes) and install policy.
    Make sure the version of the policy was changed.
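Both the api_key step in "Enabling the Threat Prevention API" and the tex_profile_name/te_rule_id step above append keys to the ';'-delimited browser_extensions_additional_data field, and the note about the leading ';' is easy to get wrong when the field already holds other keys. The following POSIX shell function is an added example, not Check Point tooling: it merges key=value pairs into such a field, inserting the separator only between entries and replacing an existing key instead of adding a duplicate. It works on the string only; pasting the result into the field in GuiDBedit remains the manual step the article describes. The sample value api_key=EXAMPLEKEY is constructed.

```shell
#!/bin/sh
# Added example, not Check Point tooling: merge key=value pairs into a
# ';'-delimited field such as browser_extensions_additional_data.
# A key already present is replaced; the separator is added only between entries.
ext_data_merge() {   # $1 = current field value ("" if empty), $2.. = key=value pairs to set
  field=$1; shift
  out=""
  old_ifs=$IFS; IFS=';'; set -f          # split on ';' only, no globbing of entries
  for entry in $field; do
    [ -z "$entry" ] && continue          # tolerate a stray leading/trailing ';'
    k=${entry%%=*}
    keep=1
    for new in "$@"; do
      [ "$k" = "${new%%=*}" ] && keep=0  # this key is being replaced below
    done
    [ "$keep" -eq 1 ] && out="${out:+$out;}$entry"
  done
  IFS=$old_ifs; set +f
  for new in "$@"; do
    out="${out:+$out;}$new"
  done
  printf '%s\n' "$out"
}

# Field that already carries the API key (constructed value), plus the article's defaults:
#   ext_data_merge "api_key=EXAMPLEKEY" "tex_profile_name=Recommended_Profile" "te_rule_id=1"
#   -> api_key=EXAMPLEKEY;tex_profile_name=Recommended_Profile;te_rule_id=1
```

Because the profile name is case sensitive on the gateway side, pass it exactly as the Threat Prevention profile is named; the function does not normalise values.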
