Check Point Firewall
Integration version: 9.0
Configure Check Point Firewall integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Server Address | String | xx.xx.xx.xx:443 | Yes | The IP address of the Check Point Firewall server. |
| Username | String | N/A | Yes | The email address of the user which should be used to connect to the Check Point Firewall. |
| Domain | String | N/A | No | The domain of the user. E.g. if the email address of the user is user@example.com, the domain will be example.com |
| Password | Password | N/A | Yes | The password of the according user. |
| Policy Name | String | standard | Yes | Name of the policy. |
| Verify SSL | Checkbox | Unchecked | No | Use this checkbox, if your Check Point Firewall connection requires an SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Add a SAM Rule
Description
Add a SAM (suspicious activity monitoring) rule for Check Point Firewall. Please refer to the Check Point fw_sam command criteria section documentation for available IP, netmask, port, and protocol combinations.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Security Gateway to Create SAM Rule on | String | N/A | Yes | Specify the name of Security Gateway to create a rule for. |
| Source IP | String | N/A | No | Specify the source IP to be added to the rule. |
| Source Netmask | String | N/A | No | Specify the source netmask to be added to the rule. |
| Destination IP | String | N/A | No | Specify the destination IP to be added to the rule. |
| Destination Netmask | String | N/A | No | Specify the destination netmask to be added to the rule. |
| Port | Integer | N/A | No | Specify the port number to be added to the rule, for example, 5005. |
| Protocol | String | N/A | No | Specify the protocol name to be added to the rule, for example, TCP. |
| Expiration | Seconds | N/A | No | Specify for how long in seconds the newly added SAM rule should be active, for example, 4. If nothing is specified - then the rule never expires. |
| Action for the Matching Connections | DDL | Drop | Yes | Specify the action that should be executed for the matching connections. |
| How to Track Matching Connections | DDL | Log | Yes | Specify how to track matching connections. |
| Close Connections | Checkbox | Checked | No | Specify if the existing matching connections should be closed. |
Run On
The action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"tasks": [
{
"uid": "8163c4f0-a269-4628-9bb3-0ba597e9694c",
"name": "gaia80.10 - CW Test fw sam",
"type": "CdmTaskNotification",
"domain": {
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User",
"domain-type": "domain"
},
"task-id": "4ca124e5-c9ce-45cf-8275-4b119e535d3e",
"task-name": "gaia80.10 - CW Test fw sam",
"status": "succeeded",
"progress-percentage": 100,
"start-time": {
"posix": 1594959450832,
"iso-8601": "2020-07-17T07:17+0300"
},
"last-update-time": {
"posix": 1594959453264,
"iso-8601": "2020-07-17T07:17+0300"
},
"suppressed": false,
"task-details": [
{
"uid": "94108666-b9d6-4165-80ab-13078c03395b",
"name": null,
"domain": {
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User",
"domain-type": "domain"
},
"color": "black",
"statusCode": "succeeded",
"statusDescription": "sam: request for 'Inhibit Drop Close src ip 8.9.10.11 on All' acknowledged, sam: gaia80.10 (0/1) successfully completed 'Inhibit Drop Close src ip 8.9.10.11 on All' processing, ...",
"taskNotification": "8163c4f0-a269-4628-9bb3-0ba597e9694c",
"gatewayId": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
"gatewayName": "",
"transactionId": 552194328,
"responseMessage": "",
"responseError": "c2FtOiByZXF1ZXN0IGZvciAnSW5oaWJpdCBEcm9wIENsb3NlIHNyYyBpcCA4LjkuMTAuMTEgb24gQWxsJyBhY2tub3dsZWRnZWQKc2FtOiBnYWlhODAuMTAgKDAvMSkgc3VjY2Vzc2Z1bGx5IGNvbXBsZXRlZCAnSW5oaWJpdCBEcm9wIENsb3NlIHNyYyBpcCA4LjkuMTAuMTEgb24gQWxsJyBwcm9jZXNzaW5nCnNhbTogcmVxdWVzdCBmb3IgJ0luaGliaXQgRHJvcCBDbG9zZSBzcmMgaXAgOC45LjEwLjExIG9uIEFsbCcgZG9uZQo=",
"meta-info": {
"validation-state": "ok",
"last-modify-time": {
"posix": 1594959453332,
"iso-8601": "2020-07-17T07:17+0300"
},
"last-modifier": "admin",
"creation-time": {
"posix": 1594959451003,
"iso-8601": "2020-07-17T07:17+0300"
},
"creator": "admin"
},
"tags": [],
"icon": "General/globalsNa",
"comments": "",
"display-name": "",
"customFields": null
}
],
"comments": "Completed",
"color": "black",
"icon": "General/globalsNa",
"tags": [],
"meta-info": {
"lock": "unlocked",
"validation-state": "ok",
"last-modify-time": {
"posix": 1594959453299,
"iso-8601": "2020-07-17T07:17+0300"
},
"last-modifier": "admin",
"creation-time": {
"posix": 1594959450933,
"iso-8601": "2020-07-17T07:17+0300"
},
"creator": "admin"
},
"read-only": false
}
]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
The action should fail and stop a playbook execution:
|
General |
Remove SAM Rule
Description
Remove a SAM (suspicious activity monitoring) rule from Check Point Firewall.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Security Gateway | String | N/A | Yes | Specify the name of Security Gateway from where to remove SAM Rule. |
| Source IP | String | N/A | No | Specify the source IP to be added to the rule. |
| Source Netmask | String | N/A | No | Specify the source netmask to be added to the rule. |
| Destination IP | String | N/A | No | Specify the destination IP to be added to the rule. |
| Destination Netmask | String | N/A | No | Specify the destination netmask to be added to the rule. |
| Port | Integer | N/A | No | Specify the port number to be added to the rule, for example, 5005. |
| Protocol | String | N/A | No | Specify the protocol name to be added to the rule, for example, TCP. |
| Action for the Matching Connections | DDL | Drop Possible Values: Drop Reject Notify |
Yes | Specify the action that should be executed for the matching connections. |
| How to Track Matching Connections | DDL | Log Possible Values: No Log Log Alert |
Yes | Specify how to track matching connections. |
| Close Connections | Checkbox | Checked | No | Specify if the existing matching connections should be closed. |
Run On
The action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"tasks": [
{
"uid": "6966d094-c7d9-4e46-a824-d4948be71b3e",
"name": "gaia80.10 - Siemplify-generated-script",
"type": "CdmTaskNotification",
"domain": {
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User",
"domain-type": "domain"
},
"task-id": "77318892-48aa-4a38-ad94-b9322695c2c8",
"task-name": "gaia80.10 - Siemplify-generated-script",
"status": "succeeded",
"progress-percentage": 100,
"start-time": {
"posix": 1608120786139,
"iso-8601": "2020-12-16T14:13+0200"
},
"last-update-time": {
"posix": 1608120788465,
"iso-8601": "2020-12-16T14:13+0200"
},
"suppressed": false,
"task-details": [
{
"uid": "c40132ac-547f-4fbf-b4bb-5c7efb7ed76b",
"name": null,
"domain": {
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User",
"domain-type": "domain"
},
"color": "black",
"statusCode": "succeeded",
"statusDescription": "",
"taskNotification": "6966d094-c7d9-4e46-a824-d4948be71b3e",
"gatewayId": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
"gatewayName": "",
"transactionId": 194990168,
"responseMessage": "",
"responseError": "",
"meta-info": {
"validation-state": "ok",
"last-modify-time": {
"posix": 1608120788509,
"iso-8601": "2020-12-16T14:13+0200"
},
"last-modifier": "admin",
"creation-time": {
"posix": 1608120786199,
"iso-8601": "2020-12-16T14:13+0200"
},
"creator": "admin"
},
"tags": [],
"icon": "General/globalsNa",
"comments": "",
"display-name": "",
"customFields": null
}
],
"comments": "Completed",
"color": "black",
"icon": "General/globalsNa",
"tags": [],
"meta-info": {
"lock": "unlocked",
"validation-state": "ok",
"last-modify-time": {
"posix": 1608120788491,
"iso-8601": "2020-12-16T14:13+0200"
},
"last-modifier": "admin",
"creation-time": {
"posix": 1608120786184,
"iso-8601": "2020-12-16T14:13+0200"
},
"creator": "admin"
},
"read-only": false
}
]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If status="succeeded" (is_success = true): "Successfully removed SAM rule from the Check Point Firewall using the command: {0}".format(command) If status code != 200,401 in the first response(is_success=false): "Action wasn't able to remove the SAM rule using the command "{0}" in Check Point FireWall. Reason: {1}".format(command,message) If in the second response statusCode == failed and base64 responseError is not available (is_success=false): "Action wasn't able to remove the SAM rule using the command "{0}" in Check Point FireWall." If in the second response statusCode == failed and base64 responseError is available (is_success=false): "Action wasn't able to remove the SAM rule using the command "{0}" in Check Point FireWall. Reason: {1}".format(command, base64 decoded responseError) If timeout(is_success=false): "Action reached timeout, while waiting to remove SAM Rule. Command used: {0}".format(command) Async message: Waiting for a task to remove the SAM rule to finish. The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Update Alert Status". Reason: {0}''.format(error.Stacktrace) |
General |
Add IP to Group
Description
Updates the Google Security Operations SOAR Blacklist group with new IP addresses.
Parameters
| Parameters | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Blacklist Group Name | String | N/A | Yes | Name of the group. |
Run On
This action runs on the IP Address entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_blocked | True/False | is_blocked:False |
Add URL to Group
Description
Updates the group with the URL.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| URLs Group Name | String | N/A | Yes | Name of the group. |
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_blocked | True/False | is_blocked:False |
List Layers on Site
Description
Retrieve all existing layers.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
List Policies on Site
Description
Retrieve all existing policies.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Remove IP From Group
Description
Updates the Google Security Operations SOAR Blacklist group to NOT include the IP addresses.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Blacklist Group Name | String | N/A | Yes | Name of the group to remove the address range object from. |
Run On
This action runs on the IP Address entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_unblocked | True/False | is_unblocked:False |
Remove URL From Group
Description
Updates the group to NOT include the URL.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| URLs Group Name | String | N/A | Yes | Name of the group to remove the URL object from. |
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_unblocked | True/False | is_unblocked:False |
Run Script
Description
Run the arbitrary script with Check Point run-script API call.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Script text | String | N/A | Yes | Script to execute. For example, fw sam command: fw sam -t 600 -I src 8.9.10.12 |
| Target | String | N/A | Yes | Specify Check Point device to execute the script on, for example, gaia80.10 The parameter accepts multiple values as a comma-separated list. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"tasks": [{
"task-id": "867fef24-647e-40ea-91ef-9b5f8ae83d07",
"status": "succeeded",
"domain": {
"domain-type": "domain",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User"
},
"start-time": {
"posix": 1597737649683,
"iso-8601": "2020-08-18T11:00+0300"
},
"uid": "bb5c4640-9774-45cd-8631-8e80518f4e18",
"tags": [],
"last-update-time": {
"posix": 1597737651783,
"iso-8601": "2020-08-18T11:00+0300"
},
"suppressed": false,
"progress-percentage": 100,
"comments": "Completed",
"task-name": "gaia80.10 - Siemplify-generated-script",
"color": "black",
"meta-info": {
"creation-time": {
"posix": 1597737649720,
"iso-8601": "2020-08-18T11:00+0300"
},
"validation-state": "ok",
"creator": "admin",
"lock": "unlocked",
"last-modifier": "admin",
"last-modify-time": {
"posix": 1597737651810,
"iso-8601": "2020-08-18T11:00+0300"
}},
"task-details": [{
"display-name": "",
"domain": {
"domain-type": "domain",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User"
}, "gatewayName": "",
"uid": "b4a71da3-60fc-4785-a379-3bb9f7a0ff2f",
"icon": "General/globalsNa",
"tags": [],
"color": "black",
"comments": "",
"name": null,
"responseError": "",
"taskNotification": "bb5c4640-9774-45cd-8631-8e80518f4e18",
"responseMessage": "",
"gatewayId": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
"transactionId": 931053033,
"meta-info": {
"creation-time": {
"posix": 1597737649735,
"iso-8601": "2020-08-18T11:00+0300"
},
"last-modify-time": {
"posix": 1597737651840,
"iso-8601": "2020-08-18T11:00+0300"
},
"creator": "admin",
"validation-state": "ok",
"last-modifier": "admin"
},
"customFields": null,
"statusDescription": "",
"statusCode": "succeeded"
}],
"icon": "General/globalsNa",
"type": "CdmTaskNotification",
"read-only": false,
"name": "gaia80.10 - Siemplify-generated-script"
}]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
The action should fail and stop a playbook execution:
|
General |
Show Logs
Description
Retrieve logs from Check Point FireWall based on the filter.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Query Filter | String | N/A | No | Specify the query filter that will be used to return logs. |
| Time Frame | DDL | Last Hour Possible Values: Today Yesterday Last Hour Last 24 Hours Last 30 Days This Week This Month All Time |
Yes | Specify what time frame should be used for log retrieval. |
| Log Type | DDL | Log Possible Values: Log Audit |
Yes | Specify what type of logs should be returned. |
| Max Logs To Return | Integer | 50 | No | Specify how many logs to return. Maximum is 100. This is Check Point FireWall limitation. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"logs": [
{
"subject": "Object Manipulation",
"confidence_level": "N/A",
"description": "Engine mode: changed from 'by_policy' to 'detect_only' ",
"type": "System Alert",
"orig_log_server_attr": [
{
"isCHKPObject": "true",
"uuid": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
"resolved": "gaia80.10"
}
],
"cb_log_type": "Security Alert",
"user_field": "admin",
"administrator": "admin",
"index_time": "2020-10-14T21:35:45Z",
"d_name": "Check that each Gateway's Anti-Bot configuration is activated according to the policy",
"violation_date": "3/6/2020 15:03",
"id": "ac1eca60-81b3-d219-5f87-6f2f000105e8",
"rounded_received_bytes": "0",
"cb_title": "Best Practice AB104 status decreased. New Status: Medium",
"cb_old_status": "Secure",
"lastUpdateSeqNum": "1513",
"severity": "Critical",
"product_family": "Network",
"product": "Compliance Blade",
"sequencenum": "1513",
"rounded_sent_bytes": "0",
"cb_scan_id": "Thu Oct 15 00:35:39 2020",
"orig_log_server": "172.30.202.96",
"cb_changed_objects": "ABSettings_8F36A0DE-E0D5-6347-AE51-6FB22D573F04",
"additional_info": "Security Alert: Best Practice status was reduced",
"cb_status": "Medium",
"orig": "gaia80.10",
"marker": "@A@@B@1602709200@C@1513",
"rounded_bytes": "0",
"orig_log_server_ip": "172.30.202.96",
"stored": "true",
"calc_desc": "Best Practice AB104 status decreased. New Status: Medium",
"logid": "134283267",
"time": "2020-10-14T21:35:43Z",
"cb_recommendation": "Each Gateway should be configured to work according to the profiles defined in the Anti-Bot policy. The Activation Mode should be set to 'According to Policy' and not 'Detect Only'.",
"best_practice_id": "AB104",
"lastUpdateTime": "1602711343000"
}
],
"logs-count": 1,
"query-id": "admin_6e9fce3a-4cd7-48b9-a3e7-14b701fb204c"
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If status code 200 (is_success = true): Print "Successfully retrieved logs from Check Point FireWall!"
Print "Action wasn't able to retrieve logs from Check Point FireWall! Reason: {0}. Code: {1}".format(message, code) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: Print "Error executing action "Show Logs". Reason: {0}''.format(error.Stacktrace) |
General |
Case Wall Table Log type = Log |
Case Wall Name: Results Case Wall Columns: ID (mapped as id) Title (mapped as cb_title) Severity (mapped as severity) Subject (mapped as subject) Index Time (mapped as index_time) |
General |
Case Wall Table Log type = Audit |
Case Wall Name: Results Case Wall Columns: ID (mapped as id) Title (mapped as calc_desc) Severity (mapped as severity) Subject (mapped as subject) Time (mapped as time) |
General |
Download Log Attachment
Description
Download log attachments from Check Point FireWall.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Log IDs | String | N/A | Yes | Specify the comma-separated list of log IDs from which you want to download attachments. |
| Download Folder Path | String | N/A | Yes | Specify the absolute path for the folder where the action should store the attachments. |
| Create Case Wall Attachment | Checkbox | N/A | No | If enabled, action will create a case wall attachment for each successfully downloaded file. Note: that attachment will only be created if it"s size is less than 3 MB. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"tasks": [
{
"task-id": "01234567-89ab-cdef-8273-cee81a82701c",
"task-name": "Packet Capture operation",
"status": "succeeded",
"progress-percentage": 100,
"suppressed": false,
"task-details": [
{
"attachments": [
{
"base64-data": "...",
"file-name": "Anti-Virus-blob-time1602759307.id5a5b7500.blade05.cap"
}
]
}
]
"absolute_path": "{folder_path}"
}
]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "status" == "succeeded" for at least one log (is_success = true): Print "Successfully retrieved attachments in Check Point FireWall from the following logs:{0}".format(log ids)
Print "Action wasn't able to retrieve attachments in Check Point FireWall from the following logs:{0}".format(log ids) If "status" != "succeeded" for all logs (is_success = true): Print "No attachments were downloaded" The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: Print "Error executing action "Download Log Attachment". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Attachment | If it"s not reaching the size limit. For each successful attachment download. "{0}".format(task-details/attachment/file-name) |
General |