Check Point Firewall Block
Overview
Details
Check Point Block Alert Action For Splunk
June 2020
Table of Contents
OVERVIEW
- About Check Point Block Alert Action For Splunk
- Release notes
- Prerequisites and requirements
- Support and resources
INSTALLATION
- Hardware and OS requirements
- Installation steps
- Deployment
USER GUIDE
- Workflow Action
- Known Issue
OVERVIEW
About Check Point Block Alert Action For Splunk
| Author | Hurricane Labs |
|---|---|
| App Version | 1.1.0 |
| Vendor Products | Check Point |
| Has index-time operations | false |
| Create an index | false |
| Implements summarization | false |
The Check Point Block Alert Action for Splunk allows organizations to easily block suspicious IPs on their Check Point systems. The app includes an adaptive response action and a workflow action.
Release notes
IMPORTANT - PLEASE USE 1.0.2 OF THE APP IF YOU ARE ON Splunk 7.3.6 OR BELOW. THE NEW SETUP PAGE WILL NOT WORK IN NON-8 VERSIONS OF SPLUNK.
Version 1.1.0 is the fourth release. It contains minor changes to make the app Python 3 compatible. It also contains a backend update to how the setup page works. Version 1.0.2 contains an update to the README file. Version 1.0.1 contains minor edits to version 1.0.0. SSL verification of the API call to the management server is disabled because most servers either have self signed or non-existant certificates. You will also need to have a configured Check Point firewall for this app to function (it's in the name, so you're probably aware of this already).
About this release
Version 1.1.0 of the Check Point Block Alert Action For Splunk is compatible with:
| Splunk Enterprise versions | 8.0 |
|---|---|
| Platforms | Platform independent |
| Vendor Products | Check Point Management API, Check Point R80, R80.10 |
| Lookup file changes | None |
Prerequisites and Requirements
This app requires that the Check Point management server controlling gateways be running a version which supports the R80.x web API. At the time of this writing, this includes version R80.10 and R80. Standalone gateways are supported in addition to management servers handling multiple gateways. Gateways do not necessarily need to be running a version running the API if they are centrally managed by a management server which supports the API. By default, the app will issue a block command to all managed gateways.
The Check Point API must be configured to allow remote connections in order for this to operate; the management API doesn’t allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. If this setting is changed, you will need to restart the API by SSHing into the management server and running the api restart command.
Support
Support
Support for this app is provided by Hurricane Labs. Please send questions to splunk-app@hurricanelabs.com
For a more detailed walkthrough of the app's setup and features, please see the Hurricane Labs website
Note that we will make our best effort to assist you, but as this app relies on an external product we cannot guarantee we will be able to fix problems that may occur.
- Hours: 9AM-5PM EDT Monday-Friday
- Observed Holidays: Major US Holidays
INSTALLATION AND CONFIGURATION
Hardware and software requirements
Hardware requirements
Check Point Block Alert Action For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:
- Linux (Tested on Ubuntu 16.04, 20.04)
Splunk Enterprise system requirements
Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Installation steps
Single-instance
Install to search head
- Install the app.
- Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the appropriate information and then click Save.
Distributed
Install to search head
- Install the app.
- Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the appropriate information and then click Save.
Adaptive Response
This app contains compatibility with the Enterprise Security feature Adaptive Response. Responders can block IP addresses of suspicious traffic on the Check Point management servers configured during setup.
User Guide
Workflow Action
- The workflow action will show up as "(Non-IR) Issue a block command of IP: (selected IP here) to configured Check Point system"
- The included workflow action allows you to block specific IPs returned when you run a search.
- These are global and are therefore available across all apps.
- The following workflows are available. Wildcards are used to match any field containing a specific term such as domain:
- execute_check_point_block
- The user should check their management server to view blocks executed with the workflow action
Known Issue
- The workflow action cannot be used in ES Incident Review. The (Non-IR) appearing before the action is meant to bring this greater visibility.
- Unfortunately, there is no way to disable the action from appearing in Incident Review.
- Version 1.1.0's setup page will not work with pre-8 Splunk installs. This is due to a change Splunk has made to authentication that requires the app to use a new method for inputting credentials.
Release Notes
Version 1.1.0
Release 1.1.0 provides Python 3 compatibility and modifies the setup page to no longer use the deprecated setup.xml method.
--IMPORTANT--
Please continue to use 1.0.2 if you have a pre-8.x Splunk environment. The new setup page does not work with older versions of Splunk.
Version 1.0.2
Version 1.0.1
Minor edits to logo and Readme