icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Check Point Firewall Block
SHA256 checksum (check-point-firewall-block_110.tgz) 4e2a1c036a7689738c1054c1e94a35c1e0e979606eca6a2314b0c3a0e5044861 SHA256 checksum (check-point-firewall-block_102.tgz) 68957edf97e67d2b22315b4df89310e0e1a4fd80ce0a914e6f8f9b68c570bb63 SHA256 checksum (check-point-firewall-block_101.tgz) 4014ace1e916d68059a95aa38fc445d23268be366751f333eca79fb02fd3dd65 SHA256 checksum (check-point-firewall-block_100.tgz) c59d4770147bc8455d3df622182e9b6b6f427e4dcc1dc35bdcd777379620711c
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Check Point Firewall Block

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
The Check Point Firewall Block Addon allows users to block IPs on their Check Point firewalls as an alert action.

Check Point Block Alert Action For Splunk

June 2020

Table of Contents


  • About Check Point Block Alert Action For Splunk
  • Release notes
  • Prerequisites and requirements
  • Support and resources


  • Hardware and OS requirements
  • Installation steps
  • Deployment


  • Workflow Action
    • Known Issue


About Check Point Block Alert Action For Splunk

Author Hurricane Labs
App Version 1.1.0
Vendor Products Check Point
Has index-time operations false
Create an index false
Implements summarization false

The Check Point Block Alert Action for Splunk allows organizations to easily block suspicious IPs on their Check Point systems. The app includes an adaptive response action and a workflow action.

Release notes


Version 1.1.0 is the fourth release. It contains minor changes to make the app Python 3 compatible. It also contains a backend update to how the setup page works. Version 1.0.2 contains an update to the README file. Version 1.0.1 contains minor edits to version 1.0.0. SSL verification of the API call to the management server is disabled because most servers either have self signed or non-existant certificates. You will also need to have a configured Check Point firewall for this app to function (it's in the name, so you're probably aware of this already).

About this release

Version 1.1.0 of the Check Point Block Alert Action For Splunk is compatible with:

Splunk Enterprise versions 8.0
Platforms Platform independent
Vendor Products Check Point Management API, Check Point R80, R80.10
Lookup file changes None
Prerequisites and Requirements

This app requires that the Check Point management server controlling gateways be running a version which supports the R80.x web API. At the time of this writing, this includes version R80.10 and R80. Standalone gateways are supported in addition to management servers handling multiple gateways. Gateways do not necessarily need to be running a version running the API if they are centrally managed by a management server which supports the API. By default, the app will issue a block command to all managed gateways.

The Check Point API must be configured to allow remote connections in order for this to operate; the management API doesn’t allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. If this setting is changed, you will need to restart the API by SSHing into the management server and running the api restart command.



Support for this app is provided by Hurricane Labs. Please send questions to splunk-app@hurricanelabs.com
For a more detailed walkthrough of the app's setup and features, please see the Hurricane Labs website
Note that we will make our best effort to assist you, but as this app relies on an external product we cannot guarantee we will be able to fix problems that may occur.

  • Hours: 9AM-5PM EDT Monday-Friday
  • Observed Holidays: Major US Holidays


Hardware and software requirements

Hardware requirements

Check Point Block Alert Action For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

  • Linux (Tested on Ubuntu 16.04, 20.04)

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Installation steps


Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the appropriate information and then click Save.


Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the appropriate information and then click Save.

Adaptive Response

This app contains compatibility with the Enterprise Security feature Adaptive Response. Responders can block IP addresses of suspicious traffic on the Check Point management servers configured during setup.

User Guide

Workflow Action

  • The workflow action will show up as "(Non-IR) Issue a block command of IP: (selected IP here) to configured Check Point system"
  • The included workflow action allows you to block specific IPs returned when you run a search.
  • These are global and are therefore available across all apps.
  • The following workflows are available. Wildcards are used to match any field containing a specific term such as domain:
  • execute_check_point_block
  • The user should check their management server to view blocks executed with the workflow action

Known Issue

  • The workflow action cannot be used in ES Incident Review. The (Non-IR) appearing before the action is meant to bring this greater visibility.
  • Unfortunately, there is no way to disable the action from appearing in Incident Review.
  • Version 1.1.0's setup page will not work with pre-8 Splunk installs. This is due to a change Splunk has made to authentication that requires the app to use a new method for inputting credentials.

Release Notes

Version 1.1.0
June 16, 2020

Release 1.1.0 provides Python 3 compatibility and modifies the setup page to no longer use the deprecated setup.xml method.

Please continue to use 1.0.2 if you have a pre-8.x Splunk environment. The new setup page does not work with older versions of Splunk.

Version 1.0.2
July 30, 2018

Version 1.0.1
July 10, 2018

Minor edits to logo and Readme

Version 1.0.0
July 3, 2018


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.