Integrating AIFF with NVIDIA DOCA Argus

This section assumes that you are familiar with these products and how to configure them:

This section describes only the specific steps to integrate these components.

Prerequisite

The AIFF Container must connect to the Internet to communicate with Check Point ThreatCloud.

Configuration Steps

  1. Connect with SmartConsole to the applicable Domain.

  2. From the left navigation panel, click Gateways & Servers.

  3. Double-click the AIFF Security Gateway object.

  4. In the left panel, click the General Properties page.

  5. On the Threat Prevention tab, select Anti-Virus.

  6. In the Anti-Bot and Anti-Virus First Time Activation window:

    1. Select According to the Threat Prevention Policy.

    2. Click OK.

  7. In the left panel, on the Anti-Bot and Anti-Virus page, leave the default settings.

  8. Click OK to close the AIFF Security Gateway object.

  1. From the left navigation panel, click Security Policies.

  2. In the top panel, click Threat Prevention > Custom Policy.

  3. In the Action column, you can select a different Threat Prevention Profile.

  4. Install the Threat Prevention Policy on the AIFF Security Gateway.

On the AIFF Container, it is necessary to configure the DOCA Argus log settings.

  1. From the DOCA Argus Container's YAML configuration file (as defined in "SERVICE_CONFIG_FILE"), copy these settings:

    1. In the section "volumes:", copy the settings for "name: logs-doca-app-shield-activity-report".

      Example:

      volumes:
- name: firewall-data
  hostPath:
    path: /opt/CheckPoint/AICloudProtect/data
    type: DirectoryOrCreate
- name: firewall-stat
  hostPath:
    path: /opt/CheckPoint/AICloudProtect/stat
    type: DirectoryOrCreate
- name: dev-vfio
  hostPath:
    path: /dev/vfio
    type: DirectoryOrCreate
- name: logs-doca-app-shield-activity-report
  hostPath:
    path: /var/log/doca_app_shield_activity_report
    type: DirectoryOrCreate

    2. In the section "volumeMounts:", copy the settings for "name: logs-doca-app-shield-activity-report".

      Example:

      volumeMounts:
- name: firewall-data
  mountPath: /data
- name: firewall-stat
  mountPath: /stat
- name: dev-vfio
  mountPath: /dev/vfio
  readOnly: true
- name: logs-doca-app-shield-activity-report
  mountPath: /var/log/doca_app_shield_activity_report

  2. On the AIFF Container, in the configuration file "AIFF.yaml":

    1. In the section "volumes:", configure the same settings for "name: /var/log/doca_argus_activity_report" as configured on the DOCA Argus Container.

    2. In the section "volumeMounts:", configure the same settings for "name: /var/log/doca_argus_activity_report" as configured on the DOCA Argus Container.

On the DOCA Argus Container, it is necessary to configure the AIFF log settings.

  1. From the AIFF Container, from the configuration file "AIFF.yaml", copy these settings:

    1. In the section "volumes:", copy the settings for "name: logs-argus-activity-report".

      Example:

      volumes:
- name: logs-argus-service
  hostPath:
    path: /var/log/doca_argus
    type: DirectoryOrCreate
- name: logs-argus-activity-report
  hostPath:
    path: /var/log/doca_argus_activity_report
    type: DirectoryOrCreate
- name: conf-argus-config
  hostPath:
    path: /etc/doca_argus_config
    type: DirectoryOrCreate

    2. In the section "volumeMounts:", copy the settings for "name: logs-argus-activity-report".

      Example:

      volumeMounts:
  - name: logs-argus-service
    mountPath: /var/log/doca_argus
  - name: logs-argus-activity-report
    mountPath: /var/log/doca_argus_activity_report
  - name: conf-argus-config
    mountPath: /etc/doca_argus_config

  2. On the DOCA Argus Container, in the YAML configuration file (as defined in "SERVICE_CONFIG_FILE"):

    1. In the section "volumes:", configure the same settings for "name: logs-argus-activity-report" as configured on the AIFF Container).

    2. In the section "volumeMounts:", configure the same settings for "name: logs-argus-activity-report" as configured on the AIFF Container.

    3. In the section "output:", make sure the value of the parameter "log_folder_path" is not "false".

      Example:

      output:
# Log events to stdout. Normally disabled for production.
log_stdout: false
# Events will be logged to this file - 'false' to disable
log_folder_path: /var/log/doca_argus_activity_report
...

    4. In the section "collection:", make sure the values of all these parameters are "true":

      • In the section "container:":

        • container_started: true

        • container_terminated: true

      • In the section "process:":

        • process_created: true

      • In the section "network_connection:":

        • network_connection_created: true

Example Detection of a Malicious Process

  1. A new process starts on the Host Server.

  2. The DOCA Argus Container identifies that a new process started and reports it.

    {
  "vendor_name": "NVIDIA",
  "product_name": "DOCA_APPSHIELD",
  "product_version": "0.7.0",
  "message_type": "EVENT",
  "severity": "info",
  "schema_version": "1.0",
  "message_id": "803e912e2184a722dd57103c58ce9ac2f3d3b2a4",
  "occurred_message_timestamp_utc_ms": "1743940182060",
  "occurred_message_display_time_local_rfc3339": "2025-04-06T11:49:42.060+00:00",
  "occurred_message_display_time_utc_rfc3339": "2025-04-06T11:49:42.060Z",
  "bluefield_system_information": {
    "linux_version": "Linux BF3189 5.15.0-1050-bluefield #52-Ubuntu SMP Wed Jul 31 13:43:07 UTC 2024 aarch64 ",
    "ubuntu_linux_version": "22.04.5 LTS (Jammy Jellyfish)",
    "doca_version": "99.99.9999",
    "bluefield_networking_interfaces": {
      "0": {
        "bluefield_network_interface_name": "tmf1fo_net0",
        "bluefield_network_interface_mac_address": "XX:XX:XX:XX:XX:01",
        "bluefield_network_interface_ip_address": "fe80::21a:caff:feff:ff01, 192.168.100.2"
      },
      "1": {
        "bluefield_network_interface_name": "oob_bridge0",
        "bluefield_network_interface_mac_address": "XX:XX:XX:XX:XX:80",
        "bluefield_network_interface_ip_address": "fe80::9e63:c9ff:fe50:9380, 172.23.5.189"
      }
    }
  },
  "system_information": {
    "system_name": "baremetal"
  },
  "event_data": {
    "type": "process_created",
    "details": {
      "ns_net": "4026531840",
      "state": "RUNNING",
      "exit_time": "1743941490",
      "creation_time": "1741134640",
      "folder_path": "/usr/bin/containerd-shim-runc-v2",
      "ns_pid": "4026531836",
      "comm": "containerd-shim",
      "cmd_line_args": "/usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id ba...15 -address /run/containerd/containerd.sock",
      "exec_id": "6",
      "file_size": "0",
      "ppid": "1",
      "ns_mnt": "4026531841",
      "cpu_cycles": "2828472434",
      "sha256": "N/A",
      "gid": "0",
      "sha1": "N/A",
      "pid": "5439",
      "uid": "0",
      "container_id": "ba...15"
    }
  }
}

  3. The Check Point AIFF Container sends the process hash to the Check Point ThreatCloud database.

  4. The process is identified as malware.

  5. The Check Point AIFF Container sends a log to the Management Server.

    Example: