To use SandBlast Agent in a Private ThreatCloud (PTC) environment, you must have the following configured:
- Redirection of Check Point server URLs: The URLs of the Check Point servers must be redirected to the PTC IP address.
- Private ThreatCloud certificate installed on Endpoints: For the Endpoint to communicate with the PTC over SSL, the PTC certificate must be installed on the Endpoint.
- Registry key in Endpoint: A registry key must be set so that the SandBlast Agent blades know they are working in a PTC environment.
NOTE: Starting with E82.40, a reboot of the machine is required after configuring the registry key.
You can use the PTCConfigurator tool to do the above configurations (see below).
The PTCConfigurator tool can be found here.
Redirection of Check Point Servers' URLs
You will need to redirect the following Check Point servers to the PTC IP:
You can do the redirection in the clients' DNS server, in a proxy server, or in the hosts file on the Endpoint machine.
Hosts file redirection can be done using the PTCConfigurator tool (see below).
Private ThreatCloud certificate installed on Endpoints
Retrieve the certificate from the PTC appliance:
1. Browse to the PTC IP in a browser: https://<ptc ip>. You will get a warning that your connection is not secure.
a. If you are browsing in Chrome, click Not secure -> Certificate.
b. If you are using Internet Explorer, click More information -> "Go on to the webpage", then click Certificate error -> View certificates.
2. Click Certificate Path, select the root certificate, then click View certificate -> Details -> Copy to File... -> Next -> choose Base-64 encoded X.509 (.CER) -> Next -> choose where to save the certificate -> Next -> Finish.
3. Install the certificate on the Endpoint clients in the Trusted Root Certification Authorities store.
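The browser steps above can also be scripted. The following PowerShell script is an added example for this sk, not part of the PTCConfigurator tool: it opens a TLS connection to the PTC appliance, records the certificate chain the appliance presents, and writes the self-signed root of that chain to a Base-64 .CER file, which is the same artifact step 2 produces. The parameter names, the output file name and the chain-capture approach are this example's own choices. The validation callback accepts the handshake only so the chain can be read; nothing is trusted by this script. Compare the printed thumbprint with the value reported by the PTC administrator before installing the file on Endpoints.

```powershell
# Added example (not Check Point code): export the PTC root certificate as Base-64 .CER.
param(
    [Parameter(Mandatory = $true)][string]$PtcIp,               # IP address of the PTC appliance
    [string]$OutFile = (Join-Path $PWD 'ptc-root.cer')          # where to write the exported root
)

# Certificates seen in the handshake, in chain order (leaf first, root last).
$chainCerts = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'

# The callback records the chain and returns $true so the handshake completes even though
# the PTC root is not yet in the trusted store. It does not make anything trusted.
$captureChain = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    foreach ($element in $chain.ChainElements) { $chainCerts.Add($element.Certificate) }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($PtcIp, 443)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $captureChain)
    # TLS 1.2 explicitly, so older .NET defaults do not fall back to TLS 1.0.
    $ssl.AuthenticateAsClient($PtcIp, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

if ($chainCerts.Count -eq 0) { throw "No certificate chain received from $PtcIp" }

# The root is the self-signed element (Subject equals Issuer). If the appliance did not send
# the root itself, fall back to the last element and warn, so the admin checks what was saved.
$root = $chainCerts | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) {
    $root = $chainCerts[$chainCerts.Count - 1]
    Write-Warning 'No self-signed certificate in the presented chain; exporting the top-most element instead.'
}

# Base-64 encoded X.509 with PEM armour, matching the "Base-64 encoded X.509 (.CER)" export option.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Print the identity of what was exported so it can be verified out of band before deployment.
[pscustomobject]@{
    Subject    = $root.Subject
    Issuer     = $root.Issuer
    NotAfter   = $root.NotAfter
    Thumbprint = $root.Thumbprint
    File       = $OutFile
}
```

Run it as `.\Export-PtcRoot.ps1 -PtcIp <ptc ip>` from any Windows machine that can reach the appliance on port 443. The resulting .CER is the file to pass to PTCConfigurator's `-p` option or to import into the Trusted Root Certification Authorities store.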
Registry Key in Endpoint
You must add the following registry key so that the SandBlast Agent blades know they are in a PTC environment:
PTCConfigurator Tool (will be uploaded to this sk)
You can use this tool to apply all the configurations an Endpoint requires for working in a PTC environment.
The tool must be run as administrator.
This tool can be deployed by the Compliance blade (see below).
The following options are supported:
Configuring the hosts file:
'-i <PTC IP>'
Installing the certificate file:
'-p <location of certificate file>'
Example (both options together):
cmd>PTCConfigurator.exe -i 22.214.171.124 -p \\SharedFolder\PTC\Certificate.cert
Removing the configurations (hosts file entries, certificate, and registry key):
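For environments that prefer an auditable script over the binary tool, or that need to verify what the tool did, the following PowerShell script is an added example (not the PTCConfigurator tool and not Check Point code). It performs the three configurations from the top of this sk, the hosts file redirection from the "Redirection of Check Point Servers' URLs" section, the root certificate import, and the registry key, and then checks each redirected server. The Check Point server names and the registry path, value name, value and type are not reproduced here; they are passed as parameters and must be taken from the corresponding sections of this sk. The `# PTC-redirect` marker used to tag hosts file lines, the parameter names and the `-Remove` switch are this example's own conventions.

```powershell
#Requires -RunAsAdministrator
# Added example (not Check Point code): apply or remove the PTC Endpoint configuration.
param(
    [Parameter(Mandatory = $true)][string]$PtcIp,                 # PTC appliance IP address
    [Parameter(Mandatory = $true)][string[]]$CheckPointHosts,     # server names from the redirection section of the sk
    [Parameter(Mandatory = $true)][string]$CertFile,              # Base-64 .CER exported from the PTC
    [Parameter(Mandatory = $true)][string]$RegistryPath,          # HKLM:\... path from "Registry Key in Endpoint"
    [Parameter(Mandatory = $true)][string]$RegistryName,          # value name from "Registry Key in Endpoint"
    [Parameter(Mandatory = $true)]$RegistryValue,                 # value from "Registry Key in Endpoint"
    [ValidateSet('String', 'DWord')][string]$RegistryType = 'String',   # use the type the sk specifies
    [switch]$Remove                                               # undo all three configurations
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$marker    = '# PTC-redirect'   # tag so only this script's lines are ever removed from the hosts file

function Set-PtcHostsEntries {
    # Drop previously tagged PTC lines, then (unless removing) add "<PTC IP> <server> <marker>" per server.
    $lines = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | Where-Object { $_ -notlike "*$marker" })
    if (-not $Remove) {
        $lines += $CheckPointHosts | ForEach-Object { "{0}`t{1}`t{2}" -f $PtcIp, $_, $marker }
    }
    Set-Content -Path $hostsPath -Value $lines -Encoding Ascii
    ipconfig /flushdns | Out-Null   # make the new mappings visible to the DNS client cache immediately
}

function Set-PtcRootCertificate {
    # Import into (or remove from) the machine's Trusted Root Certification Authorities store.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
    $store = 'Cert:\LocalMachine\Root'
    if ($Remove) {
        Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } | Remove-Item
    } else {
        Import-Certificate -FilePath $CertFile -CertStoreLocation $store | Out-Null
    }
}

function Set-PtcRegistryKey {
    # Create or delete the PTC marker value; the path, name, value and type come from the sk.
    if ($Remove) {
        Remove-ItemProperty -Path $RegistryPath -Name $RegistryName -ErrorAction SilentlyContinue
    } else {
        if (-not (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }
        New-ItemProperty -Path $RegistryPath -Name $RegistryName -Value $RegistryValue `
                         -PropertyType $RegistryType -Force | Out-Null
    }
}

function Test-PtcConfiguration {
    # For each Check Point server: does the name resolve to the PTC IP, and does a default
    # (fully validated) TLS handshake to it succeed now that the PTC root is trusted?
    foreach ($name in $CheckPointHosts) {
        $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        $tlsOk = $false
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($name, 443)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($name, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $tlsOk = $true   # reached only if the chain validates and the name matches the certificate
        } catch { $tlsOk = $false }
        finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
        [pscustomobject]@{ Server = $name; ResolvesToPtc = ($resolved -contains $PtcIp); TlsTrusted = $tlsOk }
    }
}

Set-PtcHostsEntries
Set-PtcRootCertificate
Set-PtcRegistryKey
if (-not $Remove) { Test-PtcConfiguration | Format-Table -AutoSize }
Write-Host 'On E82.40 and later, reboot the machine for the registry change to take effect.'
```

A `TlsTrusted` of `False` for a server whose name resolves correctly means either the root was not imported into the machine store, or the certificate the PTC presents does not cover that server name; both show up in the Endpoint's SSL failures to that URL, so this check reproduces the condition before the blades hit it. Running the script with `-Remove` reverses all three changes, which is the same scope as the tool's removal option.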
Deploying the Tool with the Compliance Blade
In SmartEndpoint, go to Compliance -> Required - Computer in a domain and running secure screen saver -> Edit Shared Action.
Next, configure the new remediation properties (add a message in your language):
Next, configure the rule's "Check Properties" (for the registry path, see the "Registry Key in Endpoint" section above):
Configure the remediation method:
Note: The download path must be in C:\ProgramData\CheckPoint\TPCommon.
Adding IOCs in PTC
Instructions for adding IOCs in a PTC environment can be seen in sk125693.
In Forensics reports, some of the reputation fields are missing when running in a PTC environment.
In the pictures below, the marked fields are the ones missing in the PTC environment for File and URL reputation.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.