Introduction
This document explains how to block an address manually on a Checkpoint firewall using Logsign.
By following the steps in this document, you will be able to block an address in a Checkpoint firewall from the Logsign Incidents module when you want to take action on it.
Qualification
Checkpoint firewall is a firewall product that offers next-generation firewall (NGFW) services. Through its API support, Logsign can perform block/unblock operations on the firewall.
A Logsign alarm communicates with the product over its API, either when automation is triggered by a correlation rule or when a manual block/unblock operation is requested from the Incidents module. This is achieved by using the run-script module on the Checkpoint system.
For more information, you can check the guide below.
When an alarm is triggered for an incident, a case is created or your existing case is updated, and a manual address-blocking action can be performed from the opened case.
For more detailed information, you can check the article below.
Incident Management and Response
Requirements
- Checkpoint Responses Integration
- License - Incident Module
- An open case
Checkpoint Action
1- All events that occur in the system can be accessed from the "Events" tab of the Logsign web interface. Under the Events tab, values such as the number of events, priority, risk score, status, owner, and category can be monitored, analyses can be performed, and the action module can be used.
2- Clicking on an event opens the event card screen. Clicking the "More" button gives access to all the detailed information about the event.
On the event detail screen, Action Object, risk score value, structure, and asset information can be seen. It is also possible to track how many times the event was triggered and previous responses.
3- NIST Intervention Stages for events can be monitored from the top right, and the intervention feature can be used with a single click using the "Action Button" in the bottom right corner.
4- After selecting the source to be blocked, fill in the required information as shown below and complete the action with the Submit button.
Expire Time defines the duration of the block. A block of at most 48 hours can be set in this field.
Method: selecting the Unblock operation lifts the block on a previously blocked address. The unblock operation can be performed just as easily, as shown below.
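The block and unblock requests described above, as an added example that is not Logsign's or Check Point's own code: it validates the address and the 48-hour expiry limit before building the run-script request that a Logsign-style automation would send to the Check Point Management API. The `/web_api/run-script` endpoint, its field names, the `X-chkp-sid` session header and the `fw sam` command syntax are assumptions about the target system, not taken from this page; the gateway name `gw-1` is a placeholder.

```python
# Added example (not Logsign's or Check Point's code). Endpoint, field names,
# session header and "fw sam" syntax are assumptions about the Check Point side.
import ipaddress
import json
import urllib.request

MAX_EXPIRE_SECONDS = 48 * 3600  # the page states a 48-hour maximum for a block


def sam_command(address: str, action: str, expire_seconds: int = MAX_EXPIRE_SECONDS) -> str:
    """Return the gateway-side command for a block or unblock of one address.

    Raises ValueError for an invalid IP, an unknown action, or an expiry outside
    1..48 hours, so a malformed request never reaches the firewall.
    """
    ip = ipaddress.ip_address(address)  # ValueError for anything that is not an IP
    if not 0 < expire_seconds <= MAX_EXPIRE_SECONDS:
        raise ValueError(f"expire time must be 1..{MAX_EXPIRE_SECONDS} seconds")
    if action == "block":
        # -t timeout in seconds, -I inhibit and close connections from this source (assumed syntax)
        return f"fw sam -t {expire_seconds} -I src {ip}"
    if action == "unblock":
        # -C cancels the previously set SAM rule with the same criteria (assumed syntax)
        return f"fw sam -C -I src {ip}"
    raise ValueError(f"unknown action {action!r}")


def run_script_request(address: str, action: str, targets: list,
                       expire_seconds: int = MAX_EXPIRE_SECONDS) -> dict:
    """Build the JSON body for the Management API run-script call (assumed field names)."""
    return {
        "script-name": f"logsign-{action}-{address}",
        "script": sam_command(address, action, expire_seconds),
        "targets": targets,  # gateway object names that should run the script
    }


def send(mgmt_host: str, session_id: str, body: dict) -> bytes:
    """POST the request to the management server; session_id comes from a prior /web_api/login."""
    req = urllib.request.Request(
        f"https://{mgmt_host}/web_api/run-script",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": session_id},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # assumes a trusted server certificate
        return resp.read()


if __name__ == "__main__":
    # Constructed sample: block 10.0.0.5 on placeholder gateway "gw-1" for one hour.
    print(json.dumps(run_script_request("10.0.0.5", "block", ["gw-1"], 3600), indent=2))
```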