Incident Management - Checkpoint Action

Introduction

This document explains the process of blocking an address manually on a Checkpoint firewall using Logsign.

By following the steps in this document, you will be able to block an address on a Checkpoint firewall from Logsign's Incidents module, for any event on which you want to take action.


Qualification

Checkpoint firewall is a next-generation firewall (NGFW) product. Because it exposes an API, Logsign can perform block/unblock operations on the firewall as a response source.

When a correlation rule triggers an automated response, or when a manual block/unblock is requested from the Incidents module, the Logsign alarm communicates with the product through its API. On the Checkpoint side this is carried out with the run-script module.

For more information, you can check the guide below.

Checkpoint-API-run-script

When an alarm is triggered in an incident, a case is created or your existing case is updated, and manual address blocking can be performed from the opened case.

For more detailed information, you can check the article below.

Incident Management and Response


Requirements

- Checkpoint Responses Integration

- License - Incident Module

- An open case


Checkpoint Action

1- All events that occur in the system can be accessed from the "Events" tab on the Logsign web interface. Under the Events tab, values such as the number of events, priority, risk score, status, owner, and category can be monitored. Analyses can be performed, and the action module can be used.

1.png


2- Clicking on an event will open the event card screen. By clicking the "More" button, you can access all the detailed information about the event.

2.png


The event detail screen shows the Action Object, the risk score, the event structure, and asset information. It also shows how many times the event has been triggered and which responses were taken previously.


3- The NIST intervention stages for the event can be monitored at the top right, and the intervention feature can be started with a single click on the "Action Button" in the bottom right corner.

3.png


4- After selecting the source to be blocked, fill in the required information as shown below and complete the action with the Submit button.

4.png

Expire Time defines how long the block stays in place. The maximum value this field accepts is 48 hours.

Method: selecting the Unblock operation removes the block from a previously blocked address. The unblock operation is performed as shown below.

5.png

6.png
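The following is an added example, not Logsign's or Check Point's own code, that models what sits behind the block and unblock actions described above: it enforces the 48-hour Expire Time cap, builds the script that the Check Point Management API run-script call carries, and lists the API calls in order. It assumes that the script is an `fw sam` command (the article only says run-script is used), that the management server URL, gateway name and credentials are placeholders, and it sends nothing over the network.

```python
"""Added example: manual block / unblock via Check Point run-script, modelled offline.

Assumptions (not stated by the article): the run-script body is an `fw sam`
command; MGMT_URL, the target gateway name and the login values are placeholders.
"""
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timedelta

MAX_EXPIRE_HOURS = 48                                   # cap on the Expire Time field
MGMT_URL = "https://MGMT-SERVER-PLACEHOLDER/web_api"   # placeholder, not a real host


def validate_expire_hours(expire_hours) -> int:
    """Return the block timeout in seconds, rejecting values outside (0, 48h]."""
    if isinstance(expire_hours, bool) or not isinstance(expire_hours, (int, float)):
        raise TypeError("expire_hours must be a number of hours")
    if not 0 < expire_hours <= MAX_EXPIRE_HOURS:
        raise ValueError(f"Expire Time must be between 0 and {MAX_EXPIRE_HOURS} hours")
    return int(expire_hours * 3600)


def sam_block_command(address: str, expire_hours) -> str:
    """`fw sam -t <seconds> -I src <ip>`: inhibit connections from <ip> for <seconds>.
    Assumption: this is the command the run-script module executes on the gateway."""
    ip = ipaddress.ip_address(address)          # ValueError on anything that is not an IP literal
    timeout = validate_expire_hours(expire_hours)
    return f"fw sam -t {timeout} -I src {ip}"


def sam_unblock_command(address: str) -> str:
    """`fw sam -C -I src <ip>` cancels the matching inhibit rule (the Unblock method)."""
    ip = ipaddress.ip_address(address)
    return f"fw sam -C -I src {ip}"


def run_script_request(script: str, targets: list[str],
                       name: str = "logsign-incident-action") -> dict:
    """Body of the Management API `run-script` call: script-name, script, targets."""
    if not targets:
        raise ValueError("run-script needs at least one target gateway")
    return {"script-name": name, "script": script, "targets": list(targets)}


def action_sequence(action: str, address: str, targets: list[str],
                    expire_hours=None) -> list[tuple[str, dict]]:
    """Ordered (endpoint, body) pairs for one incident action.
    The session id that `login` returns would normally be sent back in an
    X-chkp-sid header on the later calls; it is omitted because nothing is sent."""
    if action == "block":
        script = sam_block_command(address, expire_hours)
    elif action == "unblock":
        script = sam_unblock_command(address)
    else:
        raise ValueError(f"unknown action {action!r}")
    return [
        ("login", {"user": "API-USER-PLACEHOLDER", "password": "PASSWORD-PLACEHOLDER"}),
        ("run-script", run_script_request(script, targets)),
        ("logout", {}),
    ]


def expires_at(submitted_iso: str, expire_hours) -> str:
    """ISO timestamp at which a block submitted at `submitted_iso` lapses on its own."""
    validate_expire_hours(expire_hours)
    submitted = datetime.fromisoformat(submitted_iso)
    return (submitted + timedelta(hours=expire_hours)).isoformat()


if __name__ == "__main__":
    # constructed sample: block one source for 4 hours on one gateway, then unblock it
    for endpoint, body in action_sequence("block", "203.0.113.5", ["gw-placeholder"], 4):
        print(f"POST {MGMT_URL}/{endpoint}\n{json.dumps(body, indent=2)}")
    print(sam_unblock_command("203.0.113.5"))
    print(expires_at("2024-01-01T09:00:00+00:00", 4))
```

The validation deliberately rejects an Expire Time above 48 hours before any API body is built, so a bad value fails at submission rather than producing a gateway rule that outlives the window the interface allows.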
