Introduction
This document explains how to integrate Checkpoint firewall automation with the Logsign Responses module.
Once the procedures in this document are applied, a malicious IP or domain address that triggers your alarms and correlations can be blocked or unblocked on the Checkpoint firewall.
Qualification
Checkpoint is a next-generation firewall (NGFW) product. Its management API lets Logsign perform block/unblock operations directly at the firewall.
When a correlation triggers a Logsign alarm, or when a block/unblock operation is requested manually from the Incident module, Logsign communicates with the product via the Checkpoint API, and the block is applied by running a script on the gateway through Checkpoint's run-script command.
As shown in the image above, the flow consists of 3 steps:
1. An alarm with an action rule defined in Logsign is triggered.
2. Logsign communicates with the Checkpoint management server via the Checkpoint API.
3. The address is blocked or unblocked with the run-script module.
Requirements
- Checkpoint Super User account
- Checkpoint Trusted Clients permission for the Logsign address(es)
- Logsign 6.3.17+
- Checkpoint API v1.6+ (R80.40+)
- Firewall permission:
  - Logsign IPs -> Checkpoint management IPs -> 443 (API port) must be allowed.
- Checkpoint R80, R81
Integration
Checkpoint Configuration
To integrate Checkpoint firewall responses with Logsign, a user must be created on the Checkpoint management server. Logsign authenticates to the Checkpoint API with this user's credentials in order to obtain the session id that is sent with every subsequent API call.
1- Log in to the SmartConsole application with a user that has admin authority.
2- Create the user.
The run-script command requires the user to have Super User permission; otherwise the error shown below is returned and the integration fails.
Complete the process with the OK button.
3- Configure Trusted Clients:
Define the Logsign cluster IP information here; if you are using a standalone Logsign, configure its address from the IPv4 address section.
4- API configuration:
The IPs we allowed in the Trusted Clients section must also be granted access to the API. In the Management API settings (Manage & Settings -> Blades -> Management API -> Advanced Settings), "Accept API calls from" must include the trusted GUI client addresses rather than the management server only; publish the change and run "api restart" on the management server for it to take effect.
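Before configuring the response in Logsign, it is worth confirming from the Logsign host that the user and trusted-client settings above actually work. The script below is an added example, not Logsign's own code or anything shipped by Checkpoint: it performs the same login -> run-script -> logout sequence against the Checkpoint Management API using only the Python standard library. The management hostname, CA file, user name, gateway name and the use of "fw sam" as the blocking command are assumptions; the block command is built only after the address has been validated as a literal IP, because run-script executes whatever it is given with admin rights on the gateway and the address originates from alarm data.

```python
import ipaddress
import json
import ssl
import urllib.error
import urllib.request

API_PATH = "/web_api"  # Checkpoint Management API root (API v1.6+, R80.40+, as required above)


def build_sam_script(ip, action, timeout=3600):
    """Return the gateway command that blocks or unblocks a source IP.

    Assumption: blocking is done with Suspicious Activity Monitoring ("fw sam"),
    which is not necessarily the script Logsign ships. The address comes from
    alarm data and run-script executes it with admin rights on the gateway, so
    it is validated as a literal IP before being placed in a command line;
    an input such as "1.2.3.4; reboot" is rejected instead of being run.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    if action == "block":
        return f"fw sam -v -t {int(timeout)} -I src {addr}"
    if action == "unblock":
        return f"fw sam -v -C -I src {addr}"
    raise ValueError(f"unknown action {action!r}")


def build_run_script_payload(ip, action, targets, timeout=3600):
    """Request body for POST /web_api/run-script."""
    return {
        "script-name": f"logsign-{action}-{ip}",
        "script": build_sam_script(ip, action, timeout),
        "targets": list(targets),
    }


class CheckpointMgmtClient:
    """login -> run-script -> logout against the Management API, standard library only."""

    def __init__(self, host, ca_file, port=443):
        self.base = f"https://{host}:{port}{API_PATH}"
        # Trust the management server's CA explicitly instead of turning verification off.
        self.ctx = ssl.create_default_context(cafile=ca_file)
        self.sid = None

    def _post(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id obtained from login
        req = urllib.request.Request(f"{self.base}/{command}", data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                return json.loads(resp.read())
        except urllib.error.HTTPError as e:
            # The API puts its reason in the body (for example an untrusted client
            # address or an account without Super User permission); show it as-is.
            detail = e.read().decode(errors="replace")
            raise RuntimeError(f"{command} failed with HTTP {e.code}: {detail}") from e

    def login(self, user, password):
        self.sid = self._post("login", {"user": user, "password": password})["sid"]
        return self.sid

    def run_script(self, ip, action, targets):
        # The response carries task ids; poll "show-task" with them for the script output.
        return self._post("run-script", build_run_script_payload(ip, action, targets))

    def logout(self):
        result = self._post("logout", {})
        self.sid = None
        return result


if __name__ == "__main__":
    # Assumed values: replace with your management address, CA file, user and gateway name.
    client = CheckpointMgmtClient("mgmt.example.internal", ca_file="/etc/ssl/checkpoint-ca.pem")
    client.login("logsign-api", "change-me")
    try:
        print(client.run_script("198.51.100.7", "block", targets=["gw-1"]))
    finally:
        client.logout()
```

Run it from the Logsign address that was added as a trusted client. A failure at the login step points at the trusted-client or API-access settings; a failure at the run-script step with a successful login points at the account's permission level. The unblock path uses the same validated address with "fw sam -C", so the same script serves both directions of the response.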
Logsign Responses Configuration
1- Log in to Logsign with a user that has admin authority;
Settings -> Responses -> Configure;
Finally, click the Create button to complete the process.