CheckPoint Firewall Integration

Introduction

This document explains how to integrate the Checkpoint firewall with the Logsign Responses module to automate response actions.

Once the procedures in this document are applied, you can block or unblock, on the Checkpoint firewall, a malicious IP or domain address that triggers your alarms and correlations.

 

Qualification

CheckPoint firewall is a next-generation firewall (NGFW) product. Its API support allows Logsign to perform block/unblock operations directly at the firewall.

Logsign communicates with the product over its API, either automatically when an alarm or correlation is triggered or when a block/unblock operation is requested manually from the incident module. The block itself is applied by using the run-script module on the Checkpoint system.

1.png

 

As explained in the image above, the flow chart consists of 3 steps.

1. Your alarm, with an action rule defined in Logsign, is triggered.

2. Logsign communicates with Checkpoint via the Checkpoint API.

3. The address block/unblock operation is performed with the run-script module.

 

2.png

 

Requirements

- Checkpoint Super User
- Checkpoint Trusted Clients Address Permission
- Logsign 6.3.17+
- Checkpoint API v1.6+ (R80.40+)
- Firewall permission:
          - Logsign IPs -> Checkpoint management IPs -> 443 (API port) must be allowed.
- Checkpoint R80, R81

 

 

Integration
Checkpoint Configuration

To integrate Checkpoint firewall responses with Logsign, a user must be created on the Checkpoint firewall. This user's credentials are then supplied to the API to obtain the session ID information that the integration needs.

 

1- For the Checkpoint configuration, a user with admin authority must log in to the SmartConsole application.

 

3.png

 

2- Create the user.

4.png

5.png

6.png

7.png

 

The run-script module requires the user to have Super User authority; otherwise the following error is returned and the integration fails.

8.png

9.png

Click the OK button to complete the process.

 


3-  Configuring Trusted Clients;

10.png

11.png

Define the Logsign cluster IP information here. If you are using a standalone Logsign, it must be configured in the IPv4 address section.

 


4- API configuration;

12.png

In the Trusted Client section, configure the IPs that are allowed to access the API.
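
The session ID and run-script flow described above, as an added example that is not Logsign's or Check Point's own code: it builds the login, run-script and logout requests of the Check Point Management API and strictly validates the indicator before it is placed in a script that runs with Super User rights. The management host, the script path and the script name are placeholders, since the page does not show the script Logsign runs.

```python
import ipaddress
import json
import re

API = "https://mgmt.example.invalid/web_api"   # placeholder management server
SCRIPT = "/path/to/response-script.sh"         # hypothetical script on the gateway

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def validate_indicator(value):
    """Return a canonical IP or domain; raise ValueError for anything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # Whitespace, shell metacharacters and malformed dotted quads end up here.
    last_label = value.rsplit(".", 1)[-1]
    if len(value) <= 253 and _DOMAIN.fullmatch(value) and not last_label.isdigit():
        return value.lower()
    raise ValueError(f"rejected indicator: {value!r}")


def login_request(user, password):
    """Step 1: exchange the API user's credentials for a session ID (sid)."""
    return ("POST", f"{API}/login", {}, {"user": user, "password": password})


def run_script_request(login_response, action, indicator, targets):
    """Step 2: build the run-script call, authenticated with the sid."""
    if action not in ("block", "unblock"):
        raise ValueError(f"unknown action: {action!r}")
    sid = json.loads(login_response)["sid"]
    body = {
        "script-name": f"logsign-{action}",      # hypothetical name
        "script": f"{SCRIPT} {action} {validate_indicator(indicator)}",
        "targets": list(targets),
    }
    return ("POST", f"{API}/run-script", {"X-chkp-sid": sid}, body)


def logout_request(login_response):
    """Step 3: end the session so the sid cannot be reused."""
    sid = json.loads(login_response)["sid"]
    return ("POST", f"{API}/logout", {"X-chkp-sid": sid}, {})


# Constructed login response; a real one carries more fields.
SAMPLE_LOGIN = '{"sid": "CONSTRUCTED-SESSION-ID", "session-timeout": 600}'
```

Because the indicator comes from alarm data, rejecting anything that is not a well-formed IP or domain keeps attacker-influenced log fields out of the command line executed on the gateway.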

 

Logsign Responses Configuration

 


1- A user with admin authority must log in to Logsign:

Settings -> Responses -> Configure

13.png

14.png

15.png

 

Finally, click the create button to complete the process.
