The Check Point Firewall Block Addon allows users to block IPs on their Check Point firewalls as an alert action.
Version 1.0.1 July 10, 2018
Minor edits to logo and Readme
If you’re a Splunk user who also has Check Point firewalls, this app is for you. It lets you block IP addresses found in your Splunk events on supported Check Point firewalls, using the Suspicious Activity Monitor (SAM) functionality.
Version 1.0.0 of the Check Point Block Alert Action For Splunk is compatible with:
Splunk Enterprise versions:
Check Point Management API: Check Point R80, R80.10
Prerequisites and Requirements:
This app requires that the Check Point management server controlling the gateways be running a version which supports the R80.x web API. At the time of this writing, this includes versions R80 and R80.10. Standalone gateways are supported in addition to management servers handling multiple gateways. The gateways themselves do not need to run an API-capable version as long as they are centrally managed by a management server which supports the API. By default, the app will issue a block command to all managed gateways.
The Check Point API must be configured to allow remote connections in order for this to operate; the management API doesn’t allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. If this setting is changed, you will need to restart the API by SSHing into the management server and running the api restart command.
To confirm that the API is usable and available remotely, run the api status command. If Accessibility shows “Require all granted” it means that any system can access the API (on R80 this will show “Allow all”).
[Expert@ccnfw01:0]# api status
API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:
Name      State     PID       More Information
-------------------------------------------------
API       Started   14472
CPM       Started   14350     Check Point Security Management Server is running and ready
FWM       Started   13807

Port Details:
-------------------
JETTY Internal Port:    50276
APACHE Gaia Port:       443

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
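Before wiring the app to a management server it is worth turning the checks above into a pre-flight script that reads the api status output and reports whether the API is started, passed its readiness test, and is reachable from remote hosts. The following is an added example (not part of this app or of Check Point's tooling) that parses the output format shown above; the sample text is a constructed copy of that output, and the parser only looks at the field names the output actually contains.

```python
import re

# Constructed sample: the same shape of output that `api status` prints on an
# R80.10 management server (see the session above).
SAMPLE_API_STATUS = """\
[Expert@ccnfw01:0]# api status
API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:
Name      State     PID       More Information
-------------------------------------------------
API       Started   14472
CPM       Started   14350     Check Point Security Management Server is running and ready
FWM       Started   13807

Port Details:
-------------------
JETTY Internal Port:    50276
APACHE Gaia Port:       443

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections
"""

# Key/value lines we care about, e.g. "Accessibility:   Require all granted"
_KV_RE = re.compile(
    r"^(Accessibility|Automatic Start|Overall API Status|"
    r"JETTY Internal Port|APACHE Gaia Port):\s*(.+?)\s*$"
)
# Process table rows, e.g. "CPM   Started   14350   Check Point ... ready"
_PROC_RE = re.compile(r"^(API|CPM|FWM)\s+(\w+)\s+(\d+)(?:\s+(.*))?$")


def parse_api_status(text):
    """Return a dict of the settings, process states and readiness flag."""
    info = {"processes": {}}
    for line in text.splitlines():
        kv = _KV_RE.match(line)
        if kv:
            info[kv.group(1)] = kv.group(2)
            continue
        proc = _PROC_RE.match(line)
        if proc:
            info["processes"][proc.group(1)] = {
                "state": proc.group(2),
                "pid": int(proc.group(3)),
                "info": proc.group(4) or "",
            }
    info["readiness_ok"] = "API readiness test SUCCESSFUL" in text
    return info


def remote_access_allowed(info):
    """True when any host may reach the API: 'Require all granted' on R80.10,
    'Allow all' on R80. Any other value means access is restricted and the
    Splunk search head must be among the permitted clients."""
    return info.get("Accessibility") in ("Require all granted", "Allow all")


def api_ready_for_splunk(info):
    """Everything the app needs: API started, readiness test passed, reachable."""
    return (
        info.get("Overall API Status") == "Started"
        and info["readiness_ok"]
        and remote_access_allowed(info)
    )


if __name__ == "__main__":
    status = parse_api_status(SAMPLE_API_STATUS)
    print("API usable by Splunk:", api_ready_for_splunk(status))
```

Run it against the saved output of api status from your own server; the Accessibility check is the one that most often fails after a fresh install, since the default does not permit remote access.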
Note that if there is a firewall between your Splunk search head and the management server, your firewall rules will also require that your search head be allowed to access the API on the management server. This will generally be accomplished by a firewall management rule in your policy, likely above the stealth rule. A typical firewall rule will look something like this:
You may also need to add the Splunk search head to the GUI client list within cpconfig on your management server.
Upon installing the app, you will be prompted to complete the initial configuration:
Configure these options as follows. For credentials:
The username and password provided must be associated with an account that has API access on all configured management servers. We recommend that a dedicated service account be used as opposed to a regular administrator account.
To test this account for API functionality, run the mgmt_cli login command on your management server. You should see output similar to this:
[Expert@ccnfw01:0]# mgmt_cli login
Username: fwadmin
Password:
uid: "5afb8709-3105-401d-9043-f90762f0bbfd"
sid: "46vHjiELE84OenXZdwF36jGaJK07V01jDl6b63-BXa8"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
Last-login-was-at:
  posix: 1530215820248
  iso-8601: "2018-06-28T15:57-0400"
api-server-version: "1.1"
If the account is not correctly configured, or your credentials are incorrect, you will see the following:
[Expert@ccnfw01:0]# mgmt_cli login
Username: fwadmin
Password:
code: "err_login_failed"
message: "Authentication to server failed."
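The two mgmt_cli sessions above show the session model the app depends on: a login call returns a sid that every later call must carry in the X-chkp-sid header, and a bad credential returns err_login_failed instead. The following is an added example, not the app's own code, of a minimal client for that exchange against the Management API's login and logout commands. The HTTP transport is injectable so the same client can be exercised offline: the fake server here is constructed from the two outputs above (its "no session" error code is made up for the fake and is not a real Check Point code), and 192.168.20.1 is the ccnfw01 address from this page.

```python
import json
import ssl
import urllib.request


class CheckPointApiError(Exception):
    """Raised when the API returns an error object (or a non-200 status)."""

    def __init__(self, code, message):
        super().__init__("%s: %s" % (code, message))
        self.code = code


def https_post(url, headers, body):
    """Real transport: HTTPS POST to the management server, returning
    (status, parsed JSON). Uses the system trust store; pin your own CA
    context if the management certificate is self-signed."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, json.loads(resp.read().decode())


class CheckPointSession:
    """login -> sid -> X-chkp-sid on every call -> logout."""

    def __init__(self, host, post=https_post):
        self.base = "https://%s/web_api/" % host
        self.post = post
        self.sid = None

    def _request(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        status, data = self.post(self.base + command, headers, json.dumps(payload))
        if status != 200 or "code" in data:
            raise CheckPointApiError(data.get("code"), data.get("message"))
        return data

    def login(self, user, password):
        data = self._request("login", {"user": user, "password": password})
        self.sid = data["sid"]          # valid for data["session-timeout"] seconds
        return data

    def call(self, command, payload=None):
        if not self.sid:
            raise CheckPointApiError("not_logged_in", "call login() first")
        return self._request(command, payload or {})

    def logout(self):
        self._request("logout", {})
        self.sid = None


def make_fake_transport(valid_password):
    """Constructed stand-in for the management server; records every call."""
    calls = []

    def fake_post(url, headers, body):
        cmd, payload = url.rsplit("/", 1)[1], json.loads(body)
        calls.append((cmd, dict(headers), payload))
        if cmd == "login":
            if payload.get("password") == valid_password:
                return 200, {"uid": "CONSTRUCTED-UID", "sid": "CONSTRUCTED-SID",
                             "session-timeout": 600, "api-server-version": "1.1"}
            return 400, {"code": "err_login_failed",
                         "message": "Authentication to server failed."}
        if headers.get("X-chkp-sid") != "CONSTRUCTED-SID":
            return 401, {"code": "fake_no_session", "message": "constructed: no session"}
        if cmd == "logout":
            return 200, {"message": "OK"}
        return 200, {"objects": [], "total": 0}

    return fake_post, calls


def demo_with_fake():
    """Drive the client through a good login, one call, logout, and a bad login."""
    post, calls = make_fake_transport("correct-password")
    s = CheckPointSession("192.168.20.1", post=post)
    s.login("fwadmin", "correct-password")
    s.call("show-gateways-and-servers", {"limit": 50})
    s.logout()
    try:
        CheckPointSession("192.168.20.1", post=post).login("fwadmin", "wrong")
        bad_code = None
    except CheckPointApiError as err:
        bad_code = err.code
    return {
        "login_sent_sid": "X-chkp-sid" in calls[0][1],      # must be False
        "call_sid": calls[1][1].get("X-chkp-sid"),          # sid carried on the call
        "logout_cleared": s.sid is None,
        "bad_login_code": bad_code,
    }


if __name__ == "__main__":
    print(demo_with_fake())
```

Note the session-timeout value in the real output (600 seconds): a sid that has aged past it is rejected, so a long-running integration has to log in again rather than cache one sid indefinitely, and should log out when done so sessions do not accumulate on the management server.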
For the Check Point Setup section:
In this configuration, both of these management servers must have the same API user configured, and 192.168.20.1 is the IP for ccnfw01, and 192.168.30.1 is the IP for ccnfw02.
The default block time is configured in seconds. For example, to block an IP address for 1 hour, enter 3600 (60 seconds x 60 minutes = 3600 seconds). This value will always be used by the workflow action.
Using the App
There are two mechanisms for invoking the block action, a workflow action and an adaptive response (available within the Splunk Enterprise Security Suite).
The workflow action can be invoked from the Actions drop down for any field with an IP address in an event.
When selecting the “(Non-IR) Issue a block command of IP to configured Check Point system” workflow action, a new window will pop up with a warning that you are about to execute a command. From here, you can investigate the command or run it.
This will execute the following search command:
Once the block executes, you will observe a Splunk FW SAM task in the recent tasks view in SmartConsole.
To view the active FW SAM rules, navigate to Logs & Monitor, open a new tab, click on Tunnel & User Monitoring under External Apps, and click the button in the toolbar to view Suspicious Activity Monitor Rules.
From here you can view all active Enforced SAM rules.
Within a supported view in the Splunk Enterprise Security Suite, choose Actions -> Run Adaptive Response Actions:
Note: The “Issue a block command” workflow actions are NOT supported within Enterprise Security.
Choose “Add New Response Action”, and choose “Block an IP address”:
Confirm that the appropriate field is selected, and specify the time to block the IP:
Click Run, and observe that the “Block an IP address” action has been dispatched.
You will also see a completed task in SmartConsole for this action: