icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading CheckPoint Firewall Block
SHA256 checksum (checkpoint-firewall-block_201.tgz) d1f81eb594a93c7e445fe110f9739d39b2e088ee10e42f3f487624f5a328a5fc SHA256 checksum (checkpoint-firewall-block_102.tgz) 68957edf97e67d2b22315b4df89310e0e1a4fd80ce0a914e6f8f9b68c570bb63
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


CheckPoint Firewall Block

This app is NOT supported by Splunk. Please read about what that means for you here.
The CheckPoint Firewall Block Addon allows users to block IPs on their CheckPoint firewalls as an alert action.

CheckPoint Block Alert Action For Splunk

November 2021

Table of Contents


  • About CheckPoint Block Alert Action For Splunk
  • Release notes
  • Prerequisites and requirements
  • Support and resources


  • Hardware and OS requirements
  • Installation steps
  • Deployment


  • Workflow Action
    • Known Issue


About CheckPoint Block Alert Action For Splunk

Author Hurricane Labs
App Version 2.0.1
Vendor Products CheckPoint
Has index-time operations false
Create an index false
Implements summarization false

The CheckPoint Block Alert Action for Splunk allows organizations to easily block suspicious IPs on their CheckPoint systems. The app includes an adaptive response action and a workflow action.

Release notes

Version 2.0.1 is the fifth release. It contains a bug fix to the alert action. This update is only compatible with Splunk 8+/Python 3. Version 1.0.2 contains an update to the README file. Version 1.0.1 contains minor edits to version 1.0.0. SSL verification of the API call to the management server is disabled because most servers either have self signed or non-existant certificates. You will also need to have a configured CheckPoint firewall for this app to function (it's in the name, so you're probably aware of this already).

About this release

Version 2.0.1 of the CheckPoint Block Alert Action For Splunk is compatible with:

Splunk Enterprise versions 8.0, 8.1, 8.2
Platforms Platform independent
Vendor Products CheckPoint Management API, CheckPoint R80, R80.10, R81.x
Lookup file changes None
Prerequisites and Requirements

This app requires that the CheckPoint management server controlling gateways be running a version which supports the R80.x and R81.x web API. Standalone gateways are supported in addition to management servers handling multiple gateways. Gateways do not necessarily need to be running a version running the API if they are centrally managed by a management server which supports the API. By default, the app will issue a block command to all managed gateways.

The CheckPoint API must be configured to allow remote connections in order for this to operate; the management API doesn’t allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. If this setting is changed, you will need to restart the API by SSHing into the management server and running the api restart command.



Support for this app is provided by Hurricane Labs. Please send questions to splunk-app@hurricanelabs.com
For a more detailed walkthrough of the app's setup and features, please see the Hurricane Labs website
Note that we will make our best effort to assist you, but as this app relies on an external product we cannot guarantee we will be able to fix problems that may occur.

  • Hours: 9AM-5PM EDT Monday-Friday
  • Observed Holidays: Major US Holidays


Hardware and software requirements

Hardware requirements

Check Point Block Alert Action For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

  • Linux (Tested on Ubuntu 16.04)

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Installation steps


Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the appropriate information and then click Save.


Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the appropriate information and then click Save.

Adaptive Response

This app contains compatibility with the Enterprise Security feature Adaptive Response. Responders can block IP addresses of suspicious traffic on the Check Point management servers configured during setup.

User Guide

Workflow Action

  • The workflow action will show up as "(Non-IR) Issue a block command of IP: (selected IP here) to configured Check Point system"
  • The included workflow action allows you to block specific IPs returned when you run a search.
  • These are global and are therefore available across all apps.
  • The following workflows are available. Wildcards are used to match any field containing a specific term such as domain:
  • execute_check_point_block
  • The user should check their management server to view blocks executed with the workflow action

Known Issue

  • The workflow action cannot be used in ES Incident Review. The (Non-IR) appearing before the action is meant to bring this greater visibility.
  • Unfortunately, there is no way to disable the action from appearing in Incident Review.

Release Notes

Version 2.0.1
Nov. 30, 2021

Change to restmap.conf file to allow Cloud compatibility.

Version 1.0.2
July 30, 2018

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.