CheckMates post link:
https://community.checkpoint.com/t5/Logging-and-Reporting/Forescout-NAC-Integration-with-checkpoint-EDR-Endpoint/m-p/71632#M4235
Our requirement is to see on ForeScout the information of all the Endpoint Clients which are installed in our infra.
Information that needs to be visible on ForeScout, such as:
1. Endpoint Client Version
2. Checkpoint Endpoint Services
3. Encryption Status of all connected clients
4. Antimalware Updates
As of now we are able to achieve the first, second and third points.
We tried to add the Checkpoint EDR to the ForeScout antivirus policy but were unable to see the Checkpoint vendor name. However, we are able to see the Checkpoint vendor in the encryption section of the ForeScout policy, and after adding Checkpoint to the encryption policy (ForeScout) we are able to see the encryption status. (Above screenshot 02.)
But as I checked with the ForeScout team, I found that a custom policy needs to be created on ForeScout for Antimalware visibility in order to posture the Checkpoint Antimalware updates, but ForeScout requires a DAT file from the Checkpoint Endpoint Agent.
But I am unable to find which DAT file is required; also, that file must store the Anti-Malware Signature version information (in Checkpoint Endpoint).
Basically, other third-party vendors have a DAT file on each of the machines, and that DAT file usually updates once a new signature is fetched by the client from the server.
Kindly help with whether it is possible to see on ForeScout whether the Checkpoint Antimalware Signature is up to date or not, because the NAC agent has the functionality to move the machine to an isolated network if the Endpoint machine's antimalware or antivirus signature is not up to date, and this functionality is very important for most organizations.
Solution:
Find below the details that we are able to see on the ForeScout NAC dashboard.
1. Endpoint Client Version
2. Checkpoint Endpoint Services
3. Encryption Status of all connected clients
4. Antimalware Updates (SOLVED)
By default Forescout only provides the Endpoint Client version, services, and encryption status.
If you also want to see real-time visibility for Antimalware on ForeScout, then you need to create a custom policy configuration in Forescout.
If you open the ForeScout antimalware policy, you are unable to find the Checkpoint vendor, but you are able to see a list of more than 30 AV vendors. The best part about ForeScout is that if the vendor is not on the list, you can still achieve your requirement by creating a custom policy for antimalware.
One solution we can do is if we have a DAT file, because inside the DAT file we are able to see the AV signature version. Basically, that DAT file will update frequently based on the configuration, so by using that "AV signature version string" inside the DAT file we are able to create a custom configuration in ForeScout. BUT we are unable to find a DAT file in the Checkpoint EDR installed directory.
The second solution is that we create a custom policy for Checkpoint antimalware. Basically, if we open the SandBlast Agent, we are able to see the status of Antimalware by two strings: the first is "not up to date" and the second is "Last update was …". So we created a custom configuration in ForeScout by using these two strings in a condition, AND now this one is working for us.
Below images are for reference.
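The posture logic the custom ForeScout condition above keys on, written out as an added example (not code from the post, from Forescout or from Check Point): each agent status line is checked for the "not up to date" string, and otherwise the timestamp after "Last update was" is compared against a maximum signature age. The timestamp format, the three-day threshold and the sample status lines are assumptions constructed for the example.

```python
"""Added example: classify Check Point Anti-Malware status strings the way a NAC
posture condition would.  The status lines below are constructed, and the format
of the text after "Last update was" is an assumption, not the agent's real format."""
import re
from datetime import datetime, timedelta

NOT_UP_TO_DATE = "not up to date"
# Assumed timestamp format after "Last update was"; adjust to what the agent shows.
LAST_UPDATE_RE = re.compile(r"Last update was\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})", re.IGNORECASE)
MAX_SIGNATURE_AGE = timedelta(days=3)          # assumed threshold for "current" signatures
REFERENCE_NOW = datetime(2024, 5, 21, 12, 0)   # fixed "now" so results are reproducible


def classify_am_status(status_text, now=REFERENCE_NOW, max_age=MAX_SIGNATURE_AGE):
    """Return 'non-compliant', 'compliant' or 'unknown' for one agent status string."""
    if NOT_UP_TO_DATE in status_text.lower():
        return "non-compliant"                 # first string from the post
    match = LAST_UPDATE_RE.search(status_text)
    if not match:
        return "unknown"                       # neither string present: do not assume
    last_update = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M")
    return "compliant" if now - last_update <= max_age else "non-compliant"


# Constructed sample values, not real agent output.
SAMPLE_STATUS = {
    "host-a": "Anti-Malware: Last update was 2024-05-20 08:15",
    "host-b": "Anti-Malware: not up to date",
    "host-c": "Anti-Malware: Last update was 2024-05-01 09:00",
    "host-d": "Anti-Malware: status unavailable",
}


def evaluate_fleet(statuses, now=REFERENCE_NOW):
    """Map every host to its posture verdict."""
    return {host: classify_am_status(text, now) for host, text in statuses.items()}


if __name__ == "__main__":
    for host, verdict in evaluate_fleet(SAMPLE_STATUS).items():
        print(f"{host}: {verdict}")
```

Hosts that come back "unknown" deserve a separate review rather than being treated as compliant, since a missing status string usually means the agent is not reporting at all.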