WCF Agent  ·  Check Point SecureXL

Check Point Integration: OneFirewall Threat Intelligence

Automatically push crowd-sourced Crime Score intelligence from 180+ Alliance members directly into your Check Point SecureXL gateway for hardware-accelerated blocking in under 200ms.

[Diagram: OneFirewall API (intelligence) → WCF Agent (score filter) → Check Point SecureXL (hardware accelerated) → threat blocked (auto-drop)]
  • 10K+ blocked IPs / day
  • <200 ms sync latency
  • 1-click install
  • Real-time feed updates
  • HW: SecureXL accelerated
  • 180+ Alliance members

How It Works

The WCF Agent creates a seamless bridge between OneFirewall Alliance's crowd-sourced intelligence and your Check Point gateway. Malicious IPs are blocked at the hardware layer before they can consume firewall policy resources.

Intelligence Aggregation

OneFirewall API continuously aggregates malicious IPv4 reports from 180+ Alliance members worldwide, assigning a dynamic Crime Score (0–1000) to every observed IP.

Score-Based Filtering

The WCF Agent polls the OneFirewall API on a configurable interval (default: 5 minutes). Only IPs exceeding your defined Crime Score threshold (default: 190) are selected for enforcement.

SecureXL SAM Table Injection

Qualifying IPs are pushed into the Check Point SAM (Suspicious Activity Monitor) table via the fw samp API. SecureXL accelerates the block at the kernel bypass layer.

Automated Drop

Traffic from blocked IPs is dropped at hardware speed before policy lookup. When a Crime Score decays below threshold, the WCF Agent automatically removes the block — zero manual intervention.

Technical Details

The SecureXL WCF Agent is a lightweight Python service that runs on the Check Point Security Gateway Management Server or a dedicated management host.

Requirements

  • Check Point Gaia OS R80.40, R81, R81.10, R81.20, R82
  • Python 3.8+ available on the management server
  • OneFirewall API token (obtained from app.onefirewall.com)
  • Outbound HTTPS (443) from management to api.onefirewall.com
  • Check Point SmartConsole admin credentials or API key
  • SecureXL enabled on target gateway (default in R80+)

Configuration Parameters

  • OFA_API_TOKEN — your OneFirewall API bearer token
  • CRIME_SCORE_THRESHOLD — minimum score to block (default 190)
  • SYNC_INTERVAL_SEC — polling interval in seconds (default 300)
  • CP_GATEWAY_IP — target Check Point gateway IP or FQDN
  • CP_API_PORT — Check Point Web API port (default 443)
  • SAM_TIMEOUT_SEC — SAM rule expiry (default 86400, 0 = permanent)

Integration Architecture

The agent fetches the current WorldCrimeFeed (WCF) block list via the OneFirewall REST API, filters by Crime Score, then uses the Check Point Management API to inject IPs into the SAM (Suspicious Activity Monitor) table. SecureXL intercepts matching packets at the accelerated path — completely bypassing the full policy engine for maximum throughput and minimal CPU overhead.

API Endpoints Used

  • GET /api/v1/wcf/block-list — fetch current block list
  • POST /web_api/add-suspect-ip — inject into Check Point SAM
  • POST /web_api/delete-suspect-ip — remove expired entries
  • GET /api/v1/intel/{ipv4} — single-IP enrichment on demand
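
The filter-and-reconcile cycle described under How It Works and Integration Architecture, as an added Python example (not the WCF Agent's own code). The feed record shape (`ip`, `score`), the `plan_sync` function, the protected-range list and the allowlist are assumptions made for illustration; the page does not document the block-list response format.

```python
import ipaddress

# Ranges a crowd-sourced feed should never be allowed to block (constructed list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def plan_sync(feed, blocked, threshold=190, allowlist=()):
    """Plan one polling cycle: return (to_add, to_remove, rejected)."""
    protected = NON_ROUTABLE + [ipaddress.ip_network(n) for n in allowlist]
    wanted, rejected = set(), []
    for entry in feed:
        try:
            ip = ipaddress.IPv4Address(entry["ip"])
            score = int(entry["score"])
        except (KeyError, TypeError, ValueError):
            rejected.append((entry, "malformed"))
            continue
        if not 0 <= score <= 1000:          # Crime Score range stated on the page
            rejected.append((entry, "score out of range"))
        elif any(ip in net for net in protected):
            rejected.append((entry, "protected range"))
        elif score >= threshold:            # assumption: the threshold value itself blocks
            wanted.add(str(ip))
    current = set(blocked)
    # Assumption: an IP absent from the feed is treated as decayed below threshold.
    return sorted(wanted - current), sorted(current - wanted), rejected

# Constructed sample data (documentation ranges), not real feed output.
SAMPLE_FEED = [
    {"ip": "203.0.113.10", "score": 870},   # already blocked, stays blocked
    {"ip": "203.0.113.11", "score": 190},   # at the default threshold
    {"ip": "203.0.113.12", "score": 120},   # decayed below threshold
    {"ip": "192.168.1.1", "score": 950},    # internal address, must not be blocked
    {"ip": "198.51.100.7", "score": 999},   # inside the operator's allowlist
    {"ip": "203.0.113.300", "score": 500},  # not a valid IPv4 address
]
SAMPLE_BLOCKED = ["203.0.113.10", "203.0.113.12", "203.0.113.50"]

if __name__ == "__main__":
    add, remove, rejected = plan_sync(SAMPLE_FEED, SAMPLE_BLOCKED,
                                      allowlist=["198.51.100.0/24"])
    print("add:", add)
    print("remove:", remove)
    for entry, reason in rejected:
        print("rejected:", entry, reason)
```

Logging the rejected entries each cycle gives an audit trail for feed records that tried to block internal or allowlisted addresses.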

Installation

Deploy the WCF Agent on your Check Point management server in under 5 minutes. Full documentation at docs.onefirewall.com.

Check Point Management Server (Gaia OS, bash):
# 1. Download the WCF Agent for Check Point SecureXL
wget https://packages.onefirewall.com/wcf-agent/securexl/latest/wcf-agent-securexl.tar.gz

# 2. Extract and enter the directory
tar -xzf wcf-agent-securexl.tar.gz && cd wcf-agent-securexl

# 3. Run the setup script (installs Python deps + systemd service)
sudo ./install.sh

# 4. Configure your credentials by setting these keys in the config file
sudo nano /etc/wcf-agent/securexl.conf

#   OFA_API_TOKEN=your_api_token_here
#   CRIME_SCORE_THRESHOLD=190
#   SYNC_INTERVAL_SEC=300
#   CP_GATEWAY_IP=192.168.1.1

# 5. Enable and start the service
sudo systemctl enable wcf-agent-securexl
sudo systemctl start wcf-agent-securexl

# 6. Verify — check live SAM table on gateway
fw samp get

Why Check Point + OneFirewall

Check Point SecureXL is a high-performance acceleration engine. OneFirewall provides the continuously refreshed threat intelligence. Together, they deliver a threat blocking system that is faster and more accurate than either alone.

Check Point standalone

  • Threat intelligence feeds require manual import or third-party subscriptions
  • No crowd-sourced cross-sector intelligence from peer organisations
  • Static blacklists become stale within hours as threat actors rotate IPs
  • Policy-based blocks consume firewall engine cycles

Check Point + OneFirewall WCF Agent

  • Crowd-sourced intelligence from 180+ members updated in real time
  • Crime Score decay model removes stale entries automatically
  • SAM table injection means blocks execute at SecureXL hardware speed
  • Configurable threshold adapts risk tolerance without policy rebuilds

Ready to Integrate Check Point SecureXL?

Connect your Check Point deployment to the OneFirewall Alliance and start blocking threats automatically. Our team will guide you through the integration.
