The Check Point Firewall Block Addon allows users to block IPs on their Check Point firewalls as an alert action.

Release Notes

Version 1.0.1   July 10, 2018

Minor edits to logo and Readme


Check Point Block Alert Action For Splunk

TA-Check_Point_Block

If you’re a Splunk user who also has Check Point firewalls, this app is for you.  It lets you block IP addresses found in your Splunk events on supported Check Point firewalls, using Check Point's Suspicious Activity Monitor (SAM) functionality.

Compatible Versions:

Version 1.0.0 of the Check Point Block Alert Action For Splunk is compatible with:

Splunk Enterprise versions:
7.0, 7.1

Vendor Products:
Check Point Management API
Check Point R80, R80.10

Prerequisites and Requirements:

This app requires that the Check Point management server controlling the gateways run a version that supports the R80.x web API.  At the time of this writing, this includes versions R80 and R80.10. Standalone gateways are supported, as are management servers handling multiple gateways.  Centrally managed gateways do not themselves need to run an API-capable version as long as the management server does. By default, the app issues the block command to all managed gateways. The Check Point management API must be configured to allow remote connections for this to work; it does not allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. After changing this setting, restart the API by SSHing into the management server and running the api restart command.

To confirm that the API is usable and available remotely, run the api status command.  If Accessibility shows “Require all granted” it means that any system can access the API (on R80 this will show “Allow all”).

[Expert@ccnfw01:0]# api status

API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   14472
CPM       Started   14350     Check Point Security Management Server is running and ready
FWM       Started   13807

Port Details:
-------------------
JETTY Internal Port:      50276
APACHE Gaia Port:         443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Note that if there is a firewall between your Splunk search head and the management server, your firewall policy must also allow the search head to reach the API on the management server.  This is generally accomplished with a management rule in your policy, usually placed above the stealth rule. A typical rule looks something like this:

  • Source: Splunk search head
  • Destination: Check Point Management server
  • Service: Check Point API (typically TCP/443 - HTTPS)

You may also need to add the Splunk search head to the GUI client list within cpconfig on your management server.

App Configuration:

Upon installing the app, you will be prompted to complete the initial configuration:

Configure these options as follows.  For credentials:

The username and password provided must be associated with an account that has API access on all configured management servers. We recommend that a dedicated service account be used as opposed to a regular administrator account.

To test this account for API functionality, run the mgmt_cli login command on your management server.  You should see output similar to this:

[Expert@ccnfw01:0]# mgmt_cli login
Username: fwadmin
Password:
uid: "5afb8709-3105-401d-9043-f90762f0bbfd"
sid: "46vHjiELE84OenXZdwF36jGaJK07V01jDl6b63-BXa8"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
Last-login-was-at:
  posix: 1530215820248
  iso-8601: "2018-06-28T15:57-0400"
api-server-version: "1.1"

If the account is not correctly configured, or your credentials are incorrect, you will see the following:

[Expert@ccnfw01:0]# mgmt_cli login
Username: fwadmin
Password:
code: "err_login_failed"
message: "Authentication to server failed."

For the Check Point Setup section:

  • You will need to know the IP address or DNS name of the management server, as well as its configured object name in SmartConsole.  The first is used for API connectivity; the second supplies data for the fw sam command executed by the app.
  • The API port must be specified in mgmt_ip:port notation.  For example, if your management server is running at 192.168.20.1 and the API is running on port 443, you would enter 192.168.20.1:443 into the configuration.
  • Multiple management servers are supported if they are separated by commas.  The order used in the first and second configuration boxes must match. For example, if you had two management servers, you would enter the following configuration:
    • 192.168.20.1:443,192.168.30.1:443
    • ccnfw01,ccnfw02

In this configuration, both management servers must have the same API user configured; 192.168.20.1 is the IP for ccnfw01 and 192.168.30.1 is the IP for ccnfw02.

The default block time is configured in seconds.  For example, to block an IP address for 1 hour, enter 3600 (60 seconds x 60 minutes = 3600 seconds). This value will always be used by the workflow action.
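The following is an added example and not code from the TA-Check_Point_Block app. It shows how the two comma-separated configuration boxes and the default block time described above can be parsed and validated before they are trusted, how a /web_api/login reply maps onto the mgmt_cli login output shown earlier (a sid on success, a code such as err_login_failed on failure), and how the IP taken from an event field can be validated before it is placed in a SAM block command. The /web_api/login endpoint, its JSON body and the X-chkp-sid session header are part of the Check Point R80.x Management API; the exact fw sam flags used here are an assumption and should be checked against your Check Point CLI reference.

```python
"""Added example, not part of the TA-Check_Point_Block app."""
import ipaddress
import json
import shlex
import ssl
import urllib.error
import urllib.request


def parse_management_config(api_servers, object_names):
    """Parse the 'mgmt_ip:port' box and the object-name box into
    (host, port, object_name) tuples, preserving order. A count mismatch
    between the two boxes is an error because they are paired by position."""
    endpoints = [s.strip() for s in api_servers.split(",") if s.strip()]
    names = [n.strip() for n in object_names.split(",") if n.strip()]
    if len(endpoints) != len(names):
        raise ValueError(
            f"{len(endpoints)} API endpoint(s) but {len(names)} object name(s); "
            "the two boxes must list servers in the same order and count")
    parsed = []
    for endpoint, name in zip(endpoints, names):
        host, sep, port = endpoint.rpartition(":")
        if not sep or not host:
            raise ValueError(f"'{endpoint}' is not in mgmt_ip:port notation")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"'{endpoint}' has an invalid port")
        parsed.append((host, int(port), name))
    return parsed


def parse_block_seconds(value):
    """The default block time is entered in seconds (e.g. 3600 for one hour)."""
    seconds = int(str(value).strip())
    if seconds <= 0:
        raise ValueError("block time must be a positive number of seconds")
    return seconds


def classify_login_response(body):
    """Interpret a /web_api/login reply. Success carries 'sid' (the session
    token later sent as the X-chkp-sid header); failure carries 'code' and
    'message', e.g. code "err_login_failed"."""
    if "sid" in body:
        return ("ok", body["sid"], int(body.get("session-timeout", 0)))
    return ("error", body.get("code", "unknown"), body.get("message", ""))


def api_login(host, port, username, password, timeout=10):
    """Perform the same login that `mgmt_cli login` does, but from the search
    head's side, so remote API access can be verified end to end. TLS
    verification stays on; trust the management server's CA rather than
    disabling it."""
    url = f"https://{host}:{port}/web_api/login"
    payload = json.dumps({"user": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                    timeout=timeout) as resp:
            return classify_login_response(json.load(resp))
    except urllib.error.HTTPError as err:
        # Bad credentials come back as an HTTP error carrying a JSON body.
        try:
            return classify_login_response(json.load(err))
        except ValueError:
            return ("error", f"http_{err.code}", str(err.reason))


def build_sam_block_command(event_ip, seconds):
    """Validate the IP pulled from the event field before it reaches a shell.
    Only a bare IPv4/IPv6 address is accepted, so a field value with appended
    shell text is rejected. The fw sam flags (-t timeout in seconds, -I
    inhibit and close existing connections, 'src' criterion) are assumed."""
    addr = ipaddress.ip_address(event_ip.strip())  # ValueError if not an IP
    return ["fw", "sam", "-t", str(parse_block_seconds(seconds)),
            "-I", "src", str(addr)]


if __name__ == "__main__":
    # Constructed configuration values, matching the two-server example above.
    for host, port, name in parse_management_config(
            "192.168.20.1:443,192.168.30.1:443", "ccnfw01,ccnfw02"):
        print(f"{name}: API at https://{host}:{port}/web_api")
    # Constructed reply, shaped like the failed mgmt_cli login output above.
    print(classify_login_response(
        {"code": "err_login_failed", "message": "Authentication to server failed."}))
    print(shlex.join(build_sam_block_command("203.0.113.7", "3600")))
```

api_login is the only function that touches the network; run it from the search head against each configured mgmt_ip:port with the service account to confirm the same result you get from mgmt_cli login on the management server itself, which also exercises any firewall rule between the two hosts.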

Using the App

There are two mechanisms for invoking the block action: a workflow action and an adaptive response (available within the Splunk Enterprise Security Suite).

Workflow Action:

The workflow action can be invoked from the Actions drop-down for any field in an event that contains an IP address.

When you select the “(Non-IR) Issue a block command of IP to configured Check Point system” workflow action, a new window pops up warning that you are about to execute a command.  From here, you can investigate the command or run it.

This will execute the following search command:

Once the block executes, you will observe a Splunk FW SAM task in the recent tasks view in SmartConsole.

To view the active FW SAM rules, navigate to Logs & Monitor, open a new tab, click on Tunnel & User Monitoring under External Apps, and click the button in the toolbar to view Suspicious Activity Monitor Rules.

From here you can view all active Enforced SAM rules.

Adaptive Response:

Within a supported view in the Splunk Enterprise Security Suite, choose Actions -> Run Adaptive Response Actions:

Note: The “Issue a block command” workflow actions are NOT supported within Enterprise Security.

Choose “Add New Response Action”, and choose “Block an IP address”:

Confirm that the appropriate field is selected, and specify the time to block the IP:

Click Run, and observe that the “Block an IP address” action has been dispatched.

You will also see a completed task in SmartConsole for this action:
