Adding a CheckPoint Firewall Device

Prerequisites

  • General prerequisites:
    • Ensure communication between AppViewX and the firewall is enabled.
    • AppViewX must be able to reach the firewall's management interface over HTTPS, directly or through a configured proxy, to call the Management REST API; a public internet connection is not needed for this.
    • Valid firewall account details, including API tokens/keys and user credentials, are necessary.
    • The API account must have elevated (administrator) permissions to read and modify SSL certificates.
    • The username and password entered during device onboarding must be identical in the Gaia Portal and the SmartConsole user accounts, because the same credentials are used to authenticate both the Gaia CLI session and the Management REST API session.
    • Admin Portal: Reading or modifying the certificate used by the admin portal requires cat/echo commands. Generic Linux commands can be executed only in expert mode, so the user must be granted admin privileges in the Gaia Portal in order to switch to expert mode.
    • HTTPS Inspection: Reading or modifying inspection rules and adding server certificates requires the following permissions in the Checkpoint Management SmartConsole:
      • Access Control > General > Access Control Objects and Settings > Write.
      • Others > Permissions > HTTPS Inspection > Write.
      • Management > Publish sessions without an approval > Write.
      • Management > Management API Login > Write.
  • IP Address/FQDN: IP address or FQDN
  • User Privilege:
    • Username/Password
    • Credential List AppViewX/CyberArk
    • If authentication relies on an external credential vault (AppViewX, Thycotic, BeyondTrust, HashiCorp, or CyberArk), ensure that the hostname, FQDN, or IP address used for device communication is the one configured in that vault.
  • Platform: Security Management Server
  • Enable Password: Required
  • License Check: Not required
  • Services
    • Admin Portal (requires SSH port)
    • HTTPS Inspection (requires https port).
  • Supported versions: R75.x, R77.x, R80.x, R81.x
  • Internet Access/Proxy: Not required
  • Location from which the certificates are discovered if Certificate Managed:
    • Certificates are fetched by issuing a direct command to the device through SSH.
    • Location in the device:
      • /web/conf/server.crt
      • /web/conf/server.key
    Note: Discovering the certificates used for inbound inspection is not feasible because Checkpoint does not provide an API to retrieve certificate content. AppViewX therefore only creates profiles for the shared server-certificate location and for the inspection policies.
    Note: Visual Workflow action items require credentials with write privilege.
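The prerequisites above are easiest to verify before onboarding rather than after a failed device addition. The following preflight script is an added example (not AppViewX or Check Point code): it logs in to the Check Point Management API with the onboarding credentials, reads the session back, then discards and logs out, so nothing on the management server is changed. It uses only the standard `login`, `show-session`, `discard` and `logout` commands and the `X-chkp-sid` session header; the host name, user name, domain and the injectable `post` transport are illustrative assumptions. The `domain` argument applies only to the Multi-Domain Security platform. It verifies login and session permissions only; the "Publish sessions without an approval" permission cannot be checked without actually publishing, so it is left to a first real change.

```python
"""Preflight check for the Check Point Management API account used by onboarding.

Added example, not AppViewX or Check Point code. Assumed/illustrative:
host name, user, domain, and the `post` transport signature. Command names
login/show-session/discard/logout and the X-chkp-sid header are standard
Management API usage.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Optional

Transport = Callable[[str, dict, dict, Optional[str]], dict]


def urllib_post(url: str, body: dict, headers: dict, cafile: Optional[str]) -> dict:
    """HTTPS POST with a JSON body; TLS verification stays on.

    Point `cafile` at the CA (often the server's own self-signed certificate)
    that signed the management server certificate instead of disabling
    verification. API errors arrive as JSON with "code" and "message".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        raw = e.read()
        try:
            return json.loads(raw)
        except ValueError:
            return {"code": f"http-{e.code}", "message": raw.decode(errors="replace")}


def mgmt_api_preflight(host: str, user: str, password: str, domain: Optional[str] = None,
                       port: int = 443, cafile: Optional[str] = None,
                       post: Transport = urllib_post) -> dict:
    """Log in, read the session back, then discard and log out.

    Returns ok=True with session details, or ok=False with the stage that
    failed and the server's message. `domain` is needed only for
    Multi-Domain Security (login to a specific domain).
    """
    base = f"https://{host}:{port}/web_api/"
    creds = {"user": user, "password": password}
    if domain:
        creds["domain"] = domain
    login = post(base + "login", creds, {}, cafile)
    if "sid" not in login:
        return {"ok": False, "stage": "login", "message": login.get("message", str(login))}
    hdr = {"X-chkp-sid": login["sid"]}  # every later call is bound to this session
    result = {"ok": True, "api_version": login.get("api-server-version"),
              "session_timeout": login.get("session-timeout")}
    try:
        sess = post(base + "show-session", {}, hdr, cafile)
        if "uid" not in sess:
            result.update(ok=False, stage="show-session",
                          message=sess.get("message", str(sess)))
        else:
            result["session_uid"] = sess["uid"]
            result["session_user"] = sess.get("user-name")
    finally:
        # Discard first so no unpublished change is left behind, then end the session.
        post(base + "discard", {}, hdr, cafile)
        post(base + "logout", {}, hdr, cafile)
    return result


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py <mgmt-host-or-fqdn> <user> [domain] [cafile]")
    host, user = sys.argv[1], sys.argv[2]
    domain = sys.argv[3] if len(sys.argv) > 3 else None
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    print(json.dumps(mgmt_api_preflight(host, user, getpass.getpass(), domain,
                                        cafile=cafile), indent=2))
```

Run it with the same username and password you intend to enter in the Credentials section; a failure at the `login` stage means the SmartConsole account (or its Management API Login permission) is the problem, not the Gaia account. Keep the CA file rather than switching off certificate verification: the script sends an administrator password, and an attacker on the management path could otherwise capture it.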

Configuring a CheckPoint Firewall Device

To add a CheckPoint device:
  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory > Firewall.
    By default, the Firewall tab opens.
  2. In the Firewall tab, click the Add icon in the upper-right corner.
    The Add page appears.
  3. Select the CheckPoint vendor from the left command bar.
  4. Enter the field information in the General Information section.
    Table 1. Field and Description Table
    Field Description
    CI name Name of the CI.
    Platform Select the platform from the drop-down list. The available options are:
    • Security Management Server
    • MultiDomain Security
    *Device name Unique custom identifier of your device.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Communication The communication mode used to add the firewall device to AppViewX. The possible modes are:
    • IP Address - An IPv4 address, which can be either the management IP or the Self IP of the firewall device. IP address is selected by default.
    • FQDN - When the device is added by FQDN, the name is resolved to an IP address and communication with the device uses that address. If the FQDN resolves to more than one IP address, AppViewX picks one of them at random.
    *IP address/FQDN Enter the IP address or FQDN based on the selected communication mode.
    Data center The data center on which the device has been hosted. Select from an existing list or enter a new data center.
    Cert sync Determines whether SSL certificates on the firewall device are discovered and managed. The options are:
    • Managed - All SSL certificates are discovered, added to the AppViewX certificate inventory, and used for certificate lifecycle management (renew, revoke, and so on).
    • Monitored - All SSL certificates are discovered, but no CA-related communication takes place.
    • Ignored - No SSL certificates are discovered from the firewall device.
    Note: Certificate sync availability depends on the license applied.
    *Services Select the required services. Admin Portal is selected by default. The available services are:
    • Admin Portal
    • HTTPS Inspection
    Note:
    • If you select HTTPS Inspection, the HTTPS Port field becomes enabled and inspection profiles appear in the application connector.
    • HTTPS Inspection supports only profile discovery, certificate push, and certificate binding.
    *SSH Port Enter the SSH port number (used by the Admin Portal service).
    *HTTPS Port Enter the HTTPS port number (used by the HTTPS Inspection service).
    *: Mandatory fields
  5. Enter the field information in the Credentials section:
    Table 2. Field and Description Table
    Field Description
    *Credential type Credentials can be entered manually or stored once in the credential library and referenced when the device is added. Select one of the following credential types from the drop-down list:
    • Manual Entry - The username and password of the device are entered along with the device details. Manual Entry is selected by default.
    • AppViewX Credential List - The username and password are added to a credential list, and that entry is referenced during device addition. Credential lists are integrated within the AppViewX application for secure authentication.

      To create a credential list, see Creating Credential List in the Platform User Guide.

    *Username Username for the firewall device when you select the Manual Entry credential type.
    *Password Valid password for the firewall device when you select the Manual Entry credential type.
    Note: Use a strong password for secure device communication. Passwords can be of any length and may combine alphanumeric characters, symbols, and special characters.
    *Expert password Enter the expert-mode (privilege) password. It is needed to run the cat/echo commands that read and modify the admin portal certificate.
    *: Mandatory fields
  6. Enter the field information in the Secondary device information section as follows:
    • Auto-Detect - Automatically detects the corresponding secondary devices and adds them as new entries in the AppViewX inventory, using the primary device's credentials.
    • Manual Entry - Lets you add secondary devices manually, with a Sync-group name entered for reference. This name identifies the pair in the inventory. Complete the same fields as for the primary device.
    • Ignore - Select this option if the secondary device associated with the current device should not be detected.
    Note:
    • Click the Add button to add multiple secondary devices; all of them are listed in the grid.
    • Managing the primary and secondary devices together in AppViewX lets traffic routing and management be handled seamlessly during device failovers.
  7. Click the Save button to add the firewall device.
    Note:
    • To discard the changes, click the Cancel button.
    A pop-up message "Device added successfully" is displayed.

Validating the CheckPoint Device Addition

After adding the device, validate it by searching for it in the device inventory.
  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory > Firewall.
    By default, the Firewall tab opens.
  2. Search for the device name and confirm that the device was added successfully.