Check Point Firewall

Integration version: 10.0

Configure Check Point Firewall integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Server Address String xx.xx.xx.xx:443 Yes The IP address of the Check Point Firewall server.
Username String N/A Yes The email address of the user that should be used to connect to the Check Point Firewall.
Domain String N/A No The domain of the user. For example, if the email address of the user is user@example.com, the domain is example.com.
Password Password N/A Yes The password of the corresponding user.
Policy Name String standard Yes Name of the policy.
Verify SSL Checkbox Unchecked No Use this checkbox if your Check Point Firewall connection requires SSL verification.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Add a SAM Rule

Description

Add a SAM (suspicious activity monitoring) rule on the Check Point Firewall. Refer to the criteria section of the Check Point fw sam command documentation for the available IP, netmask, port, and protocol combinations.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Security Gateway to Create SAM Rule on String N/A Yes Specify the name of the Security Gateway to create the rule for.

Source IP String N/A No Specify the source IP to be added to the rule.
Source Netmask String N/A No Specify the source netmask to be added to the rule.
Destination IP String N/A No Specify the destination IP to be added to the rule.
Destination Netmask String N/A No Specify the destination netmask to be added to the rule.
Port Integer N/A No Specify the port number to be added to the rule, for example, 5005.
Protocol String N/A No Specify the protocol name to be added to the rule, for example, TCP.
Expiration Seconds N/A No Specify for how long, in seconds, the newly added SAM rule should be active, for example, 4. If nothing is specified, the rule never expires.
Action for the Matching Connections DDL Drop Yes Specify the action that should be executed for the matching connections.
How to Track Matching Connections DDL Log Yes Specify how to track matching connections.
Close Connections Checkbox Checked No Specify if the existing matching connections should be closed.

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "tasks": [
        {
            "uid": "8163c4f0-a269-4628-9bb3-0ba597e9694c",
            "name": "gaia80.10 - CW Test fw sam",
            "type": "CdmTaskNotification",
            "domain": {
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
                "name": "SMC User",
                "domain-type": "domain"
            },
            "task-id": "4ca124e5-c9ce-45cf-8275-4b119e535d3e",
            "task-name": "gaia80.10 - CW Test fw sam",
            "status": "succeeded",
            "progress-percentage": 100,
            "start-time": {
                "posix": 1594959450832,
                "iso-8601": "2020-07-17T07:17+0300"
            },
            "last-update-time": {
                "posix": 1594959453264,
                "iso-8601": "2020-07-17T07:17+0300"
            },
            "suppressed": false,
            "task-details": [
                {
                    "uid": "94108666-b9d6-4165-80ab-13078c03395b",
                    "name": null,
                    "domain": {
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
                        "name": "SMC User",
                        "domain-type": "domain"
                    },
                    "color": "black",
                    "statusCode": "succeeded",
                    "statusDescription": "sam: request for 'Inhibit Drop Close src ip 8.9.10.11 on All' acknowledged, sam: gaia80.10 (0/1) successfully completed 'Inhibit Drop Close src ip 8.9.10.11 on All' processing, ...",
                    "taskNotification": "8163c4f0-a269-4628-9bb3-0ba597e9694c",
                    "gatewayId": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
                    "gatewayName": "",
                    "transactionId": 552194328,
                    "responseMessage": "",
                    "responseError": "c2FtOiByZXF1ZXN0IGZvciAnSW5oaWJpdCBEcm9wIENsb3NlIHNyYyBpcCA4LjkuMTAuMTEgb24gQWxsJyBhY2tub3dsZWRnZWQKc2FtOiBnYWlhODAuMTAgKDAvMSkgc3VjY2Vzc2Z1bGx5IGNvbXBsZXRlZCAnSW5oaWJpdCBEcm9wIENsb3NlIHNyYyBpcCA4LjkuMTAuMTEgb24gQWxsJyBwcm9jZXNzaW5nCnNhbTogcmVxdWVzdCBmb3IgJ0luaGliaXQgRHJvcCBDbG9zZSBzcmMgaXAgOC45LjEwLjExIG9uIEFsbCcgZG9uZQo=",
                    "meta-info": {
                        "validation-state": "ok",
                        "last-modify-time": {
                            "posix": 1594959453332,
                            "iso-8601": "2020-07-17T07:17+0300"
                        },
                        "last-modifier": "admin",
                        "creation-time": {
                            "posix": 1594959451003,
                            "iso-8601": "2020-07-17T07:17+0300"
                        },
                        "creator": "admin"
                    },
                    "tags": [],
                    "icon": "General/globalsNa",
                    "comments": "",
                    "display-name": "",
                    "customFields": null
                }
            ],
            "comments": "Completed",
            "color": "black",
            "icon": "General/globalsNa",
            "tags": [],
            "meta-info": {
                "lock": "unlocked",
                "validation-state": "ok",
                "last-modify-time": {
                    "posix": 1594959453299,
                    "iso-8601": "2020-07-17T07:17+0300"
                },
                "last-modifier": "admin",
                "creation-time": {
                    "posix": 1594959450933,
                    "iso-8601": "2020-07-17T07:17+0300"
                },
                "creator": "admin"
            },
            "read-only": false
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If successful: print "Successfully added SAM rule with the following command: {0}".format(script_text_from_run-script). If show-task returns a base64-encoded status message in the responseError (or responseMessage) parameter, add it to the response too: "fw sam command output: {0}".format(responseError.text)
  • If show-task returns "partially succeeded" status: print "SAM rule addition with the following fw sam command partially succeeded: {0}".format(script_text_from_run-script). If show-task returns a base64-encoded status message in the responseError (or responseMessage) parameter, add it to the response too: "fw sam command output: {0}".format(responseError.text)
  • If the SAM rule cannot be added (show-task returns failed): print "Failed to add SAM rule with the following command: {0}".format(script_text_from_run-script). If show-task returns a base64-encoded status message in the responseError (or responseMessage) parameter, add it to the response too: "fw sam command output: {0}".format(responseError.text)
  • If the Google Security Operations SOAR action hits the timeout waiting for the show-task response, or waiting for the status to change from "in progress": print "Timeout waiting for addition of the following SAM rule: {0}".format(script_text_from_run-script).

The action should fail and stop a playbook execution:

  • If a fatal error occurs, such as wrong credentials, no connection to the server, or other: print "Failed to execute Add SAM Rule action! Error is {0}".format(exception.stacktrace)
General

Remove SAM Rule

Description

Remove a SAM (suspicious activity monitoring) rule from Check Point Firewall.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Security Gateway String N/A Yes Specify the name of Security Gateway from where to remove SAM Rule.
Source IP String N/A No Specify the source IP to be added to the rule.
Source Netmask String N/A No Specify the source netmask to be added to the rule.
Destination IP String N/A No Specify the destination IP to be added to the rule.
Destination Netmask String N/A No Specify the destination netmask to be added to the rule.
Port Integer N/A No Specify the port number to be added to the rule, for example, 5005.
Protocol String N/A No Specify the protocol name to be added to the rule, for example, TCP.
Action for the Matching Connections DDL Drop Yes Specify the action that should be executed for the matching connections. Possible values: Drop, Reject, Notify.
How to Track Matching Connections DDL Log Yes Specify how to track matching connections. Possible values: No Log, Log, Alert.
Close Connections Checkbox Checked No Specify if the existing matching connections should be closed.

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "tasks": [
        {
            "uid": "6966d094-c7d9-4e46-a824-d4948be71b3e",
            "name": "gaia80.10 - Siemplify-generated-script",
            "type": "CdmTaskNotification",
            "domain": {
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
                "name": "SMC User",
                "domain-type": "domain"
            },
            "task-id": "77318892-48aa-4a38-ad94-b9322695c2c8",
            "task-name": "gaia80.10 - Siemplify-generated-script",
            "status": "succeeded",
            "progress-percentage": 100,
            "start-time": {
                "posix": 1608120786139,
                "iso-8601": "2020-12-16T14:13+0200"
            },
            "last-update-time": {
                "posix": 1608120788465,
                "iso-8601": "2020-12-16T14:13+0200"
            },
            "suppressed": false,
            "task-details": [
                {
                    "uid": "c40132ac-547f-4fbf-b4bb-5c7efb7ed76b",
                    "name": null,
                    "domain": {
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
                        "name": "SMC User",
                        "domain-type": "domain"
                    },
                    "color": "black",
                    "statusCode": "succeeded",
                    "statusDescription": "",
                    "taskNotification": "6966d094-c7d9-4e46-a824-d4948be71b3e",
                    "gatewayId": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
                    "gatewayName": "",
                    "transactionId": 194990168,
                    "responseMessage": "",
                    "responseError": "",
                    "meta-info": {
                        "validation-state": "ok",
                        "last-modify-time": {
                            "posix": 1608120788509,
                            "iso-8601": "2020-12-16T14:13+0200"
                        },
                        "last-modifier": "admin",
                        "creation-time": {
                            "posix": 1608120786199,
                            "iso-8601": "2020-12-16T14:13+0200"
                        },
                        "creator": "admin"
                    },
                    "tags": [],
                    "icon": "General/globalsNa",
                    "comments": "",
                    "display-name": "",
                    "customFields": null
                }
            ],
            "comments": "Completed",
            "color": "black",
            "icon": "General/globalsNa",
            "tags": [],
            "meta-info": {
                "lock": "unlocked",
                "validation-state": "ok",
                "last-modify-time": {
                    "posix": 1608120788491,
                    "iso-8601": "2020-12-16T14:13+0200"
                },
                "last-modifier": "admin",
                "creation-time": {
                    "posix": 1608120786184,
                    "iso-8601": "2020-12-16T14:13+0200"
                },
                "creator": "admin"
            },
            "read-only": false
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status="succeeded" (is_success = true): "Successfully removed SAM rule from the Check Point Firewall using the command: {0}".format(command)

If status code != 200,401 in the first response (is_success = false): "Action wasn't able to remove the SAM rule using the command "{0}" in Check Point FireWall. Reason: {1}".format(command, message)

If in the second response statusCode == failed and a base64 responseError is not available (is_success = false): "Action wasn't able to remove the SAM rule using the command "{0}" in Check Point FireWall."

If in the second response statusCode == failed and a base64 responseError is available (is_success = false): "Action wasn't able to remove the SAM rule using the command "{0}" in Check Point FireWall. Reason: {1}".format(command, base64-decoded responseError)

If timeout (is_success = false): "Action reached timeout, while waiting to remove SAM Rule. Command used: {0}".format(command)

Async message: Waiting for a task to remove the SAM rule to finish.

The action should fail and stop a playbook execution:

If a fatal error or SDK error occurs, such as wrong credentials, no connection to the server, or other: "Error executing action "Update Alert Status". Reason: {0}".format(error.Stacktrace)

General

Add IP to Group

Description

Updates the Google Security Operations SOAR Blacklist group with new IP addresses.

Parameters

Parameter Type Default Value Is Mandatory Description
Blacklist Group Name String N/A Yes Name of the group.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_blocked True/False is_blocked:False

Add URL to Group

Description

Updates the group with the URL.

Parameters

Parameter Type Default Value Is Mandatory Description
URLs Group Name String N/A Yes Name of the group.

Run On

This action runs on the URL entity.

Action Results

Script Result
Script Result Name Value Options Example
is_blocked True/False is_blocked:False

List Layers on Site

Description

Retrieve all existing layers.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

List Policies on Site

Description

Retrieve all existing policies.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Remove IP From Group

Description

Updates the Google Security Operations SOAR Blacklist group to NOT include the IP addresses.

Parameters

Parameter Type Default Value Is Mandatory Description
Blacklist Group Name String N/A Yes Name of the group to remove the address range object from.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_unblocked True/False is_unblocked:False

Remove URL From Group

Description

Updates the group to NOT include the URL.

Parameters

Parameter Type Default Value Is Mandatory Description
URLs Group Name String N/A Yes Name of the group to remove the URL object from.

Run On

This action runs on the URL entity.

Action Results

Script Result
Script Result Name Value Options Example
is_unblocked True/False is_unblocked:False

Run Script

Description

Run an arbitrary script with the Check Point run-script API call.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Script text String N/A Yes Script to execute. For example, an fw sam command: fw sam -t 600 -I src 8.9.10.12
Target String N/A Yes Specify the Check Point device to execute the script on, for example, gaia80.10. The parameter accepts multiple values as a comma-separated list.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "tasks": [{
        "task-id": "867fef24-647e-40ea-91ef-9b5f8ae83d07",
        "status": "succeeded",
        "domain": {
            "domain-type": "domain",
            "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
            "name": "SMC User"
        },
        "start-time": {
            "posix": 1597737649683,
            "iso-8601": "2020-08-18T11:00+0300"
        },
        "uid": "bb5c4640-9774-45cd-8631-8e80518f4e18",
        "tags": [],
        "last-update-time": {
            "posix": 1597737651783,
            "iso-8601": "2020-08-18T11:00+0300"
        },
        "suppressed": false,
        "progress-percentage": 100,
        "comments": "Completed",
        "task-name": "gaia80.10 - Siemplify-generated-script",
        "color": "black",
        "meta-info": {
            "creation-time": {
                "posix": 1597737649720,
                "iso-8601": "2020-08-18T11:00+0300"
            },
            "validation-state": "ok",
            "creator": "admin",
            "lock": "unlocked",
            "last-modifier": "admin",
            "last-modify-time": {
                "posix": 1597737651810,
                "iso-8601": "2020-08-18T11:00+0300"
            }},
        "task-details": [{
            "display-name": "",
            "domain": {
                "domain-type": "domain",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
                "name": "SMC User"
            }, "gatewayName": "",
            "uid": "b4a71da3-60fc-4785-a379-3bb9f7a0ff2f",
            "icon": "General/globalsNa",
            "tags": [],
            "color": "black",
            "comments": "",
            "name": null,
            "responseError": "",
            "taskNotification": "bb5c4640-9774-45cd-8631-8e80518f4e18",
            "responseMessage": "",
            "gatewayId": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
            "transactionId": 931053033,
            "meta-info": {
                "creation-time": {
                    "posix": 1597737649735,
                    "iso-8601": "2020-08-18T11:00+0300"
                },
                "last-modify-time": {
                    "posix": 1597737651840,
                    "iso-8601": "2020-08-18T11:00+0300"
                },
                "creator": "admin",
                "validation-state": "ok",
                "last-modifier": "admin"
            },
            "customFields": null,
            "statusDescription": "",
            "statusCode": "succeeded"
        }],
        "icon": "General/globalsNa",
        "type": "CdmTaskNotification",
        "read-only": false,
        "name": "gaia80.10 - Siemplify-generated-script"
    }]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If the run is successful: print "Script executed successfully."
    If show-task returns a base64-encoded status message in the responseError (or responseMessage) parameter, add it to the response too: "Script output: {0}".format(responseError.text)
  • If the script returns a status other than succeeded: print "Failed to execute provided script"
    If show-task returns a base64-encoded status message in the responseError (or responseMessage) parameter, add it to the response too: "Script output: {0}".format(responseError.text)

The action should fail and stop a playbook execution:

  • If a fatal error occurs, such as wrong credentials, no connection to the server, or other: print "Failed to execute action! Error is {0}".format(exception.stacktrace)
General
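
The Add a SAM Rule, Remove SAM Rule and Run Script actions all follow the same pattern: run-script returns a task, show-task is polled until the status leaves "in progress", and the gateway's command output arrives base64-encoded in responseError (or responseMessage) and has to be decoded before it is surfaced. The example below is added here and is not code from the integration; it decodes the responseError value from the documented Add a SAM Rule JSON result and maps the documented statuses to the output messages listed above. The decode helper and the message templates are shared by all three actions. The Run Script timeout text is an assumption, since the page documents none for that action.

```python
import base64
import binascii

# Constructed sample: a show-task response in the shape documented for
# Add a SAM Rule, reduced to the fields the output-message rules read.
# The responseError value is the base64 string from the documented JSON result.
SAMPLE_SHOW_TASK = {
    "tasks": [{
        "status": "succeeded",
        "task-details": [{
            "statusCode": "succeeded",
            "responseMessage": "",
            "responseError": "c2FtOiByZXF1ZXN0IGZvciAnSW5oaWJpdCBEcm9wIENsb3NlIHNyYyBpcCA4LjkuMTAuMTEgb24gQWxsJyBhY2tub3dsZWRnZWQKc2FtOiBnYWlhODAuMTAgKDAvMSkgc3VjY2Vzc2Z1bGx5IGNvbXBsZXRlZCAnSW5oaWJpdCBEcm9wIENsb3NlIHNyYyBpcCA4LjkuMTAuMTEgb24gQWxsJyBwcm9jZXNzaW5nCnNhbTogcmVxdWVzdCBmb3IgJ0luaGliaXQgRHJvcCBDbG9zZSBzcmMgaXAgOC45LjEwLjExIG9uIEFsbCcgZG9uZQo=",
        }],
    }]
}


def decode_task_output(task_detail):
    """Return the command output carried in responseError (or responseMessage).

    show-task hands back the gateway's output base64-encoded; a value that is
    not valid base64 is returned unchanged rather than discarded. Returns None
    when both fields are empty.
    """
    for key in ("responseError", "responseMessage"):
        raw = task_detail.get(key) or ""
        if not raw:
            continue
        try:
            return base64.b64decode(raw, validate=True).decode("utf-8", "replace").strip()
        except (binascii.Error, ValueError):
            return raw
    return None


# Output-message templates as documented for the three actions. The Run Script
# timeout text is an assumption: the page documents none for that action.
TEMPLATES = {
    "Add SAM Rule": {
        "succeeded": "Successfully added SAM rule with the following command: {0}",
        "partially succeeded": "SAM rule addition with the following fw sam command partially succeeded: {0}",
        "failed": "Failed to add SAM rule with the following command: {0}",
        "timeout": "Timeout waiting for addition of the following SAM rule: {0}",
        "output": "fw sam command output: {0}",
    },
    "Run Script": {
        "succeeded": "Script executed successfully.",
        "failed": "Failed to execute provided script",
        "timeout": "Timeout waiting for the script to finish (assumed text): {0}",
        "output": "Script output: {0}",
    },
    "Remove SAM Rule": {
        "succeeded": "Successfully removed SAM rule from the Check Point Firewall using the command: {0}",
        "failed": "Action wasn't able to remove the SAM rule using the command \"{0}\" in Check Point FireWall.",
        "failed_reason": "Action wasn't able to remove the SAM rule using the command \"{0}\" in Check Point FireWall. Reason: {1}",
        "timeout": "Action reached timeout, while waiting to remove SAM Rule. Command used: {0}",
    },
}


def build_output_message(action, command, show_task_response=None, timed_out=False):
    """Return (is_success, output_message) for a finished or timed-out task.

    The caller polls show-task until status leaves "in progress"; pass
    timed_out=True when that polling gave up.
    """
    t = TEMPLATES[action]
    if timed_out or show_task_response is None:
        return False, t["timeout"].format(command)
    task = show_task_response["tasks"][0]
    status = task.get("status", "")
    details = task.get("task-details") or [{}]
    output = decode_task_output(details[0])
    ok = status == "succeeded"
    if action == "Remove SAM Rule":
        # Remove SAM Rule folds the decoded output into a "Reason:" clause.
        if ok:
            return True, t["succeeded"].format(command)
        if output:
            return False, t["failed_reason"].format(command, output)
        return False, t["failed"].format(command)
    # Add SAM Rule and Run Script append the decoded output as a second line.
    if ok:
        key = "succeeded"
    elif status == "partially succeeded" and status in t:
        key = "partially succeeded"
    else:
        key = "failed"
    message = t[key].format(command)
    if output:
        message += "\n" + t["output"].format(output)
    return ok, message
```

Decoding with validate=True is deliberate: a responseError that is plain text (or empty) must not raise and lose the message, so the helper falls back to the raw value, and the action never fails the playbook on a decode problem alone.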

Show Logs

Description

Retrieve logs from Check Point FireWall based on the filter.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query Filter String N/A No Specify the query filter that will be used to return logs.
Time Frame DDL Last Hour Yes Specify what time frame should be used for log retrieval. Possible values: Today, Yesterday, Last Hour, Last 24 Hours, Last 30 Days, This Week, This Month, All Time.
Log Type DDL Log Yes Specify what type of logs should be returned. Possible values: Log, Audit.
Max Logs To Return Integer 50 No Specify how many logs to return. The maximum is 100; this is a Check Point Firewall limitation.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "logs": [
        {
            "subject": "Object Manipulation",
            "confidence_level": "N/A",
            "description": "Engine mode: changed from 'by_policy' to 'detect_only' ",
            "type": "System Alert",
            "orig_log_server_attr": [
                {
                    "isCHKPObject": "true",
                    "uuid": "8f36a0de-e0d5-6347-ae51-6fb22d573f04",
                    "resolved": "gaia80.10"
                }
            ],
            "cb_log_type": "Security Alert",
            "user_field": "admin",
            "administrator": "admin",
            "index_time": "2020-10-14T21:35:45Z",
            "d_name": "Check that each Gateway's Anti-Bot configuration is activated according to the policy",
            "violation_date": "3/6/2020 15:03",
            "id": "ac1eca60-81b3-d219-5f87-6f2f000105e8",
            "rounded_received_bytes": "0",
            "cb_title": "Best Practice AB104 status decreased. New Status: Medium",
            "cb_old_status": "Secure",
            "lastUpdateSeqNum": "1513",
            "severity": "Critical",
            "product_family": "Network",
            "product": "Compliance Blade",
            "sequencenum": "1513",
            "rounded_sent_bytes": "0",
            "cb_scan_id": "Thu Oct 15 00:35:39 2020",
            "orig_log_server": "172.30.202.96",
            "cb_changed_objects": "ABSettings_8F36A0DE-E0D5-6347-AE51-6FB22D573F04",
            "additional_info": "Security Alert: Best Practice status was reduced",
            "cb_status": "Medium",
            "orig": "gaia80.10",
            "marker": "@A@@B@1602709200@C@1513",
            "rounded_bytes": "0",
            "orig_log_server_ip": "172.30.202.96",
            "stored": "true",
            "calc_desc": "Best Practice AB104 status decreased. New Status: Medium",
            "logid": "134283267",
            "time": "2020-10-14T21:35:43Z",
            "cb_recommendation": "Each Gateway should be configured to work according to the profiles defined in the Anti-Bot policy. The Activation Mode should be set to 'According to Policy' and not 'Detect Only'.",
            "best_practice_id": "AB104",
            "lastUpdateTime": "1602711343000"
        }
    ],
    "logs-count": 1,
    "query-id": "admin_6e9fce3a-4cd7-48b9-a3e7-14b701fb204c"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status code 200 (is_success = true):

Print "Successfully retrieved logs from Check Point FireWall!"

If status code 400 (is_success = false):

Print "Action wasn't able to retrieve logs from Check Point FireWall! Reason: {0}. Code: {1}".format(message, code)

The action should fail and stop a playbook execution:

If a fatal error occurs, such as wrong credentials, no connection to the server, or other:

Print "Error executing action "Show Logs". Reason: {0}".format(error.Stacktrace)

General

Case Wall Table

Log type = Log

Case Wall Name: Results

Case Wall Columns:

ID (mapped as id)

Title (mapped as cb_title)

Severity (mapped as severity)

Subject (mapped as subject)

Index Time (mapped as index_time)

General

Case Wall Table

Log type = Audit

Case Wall Name: Results

Case Wall Columns:

ID (mapped as id)

Title (mapped as calc_desc)

Severity (mapped as severity)

Subject (mapped as subject)

Time (mapped as time)

General
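
The Show Logs parameters and the two Case Wall tables above describe a small amount of logic: the Max Logs To Return value has to respect the 100-entry Check Point limit, the time frame and log type must be one of the listed values, and the returned logs are mapped to a different column set depending on the Log Type. The example below is added here and is not the integration's own code; it validates the parameters and builds the Case Wall rows from the documented Show Logs JSON result (trimmed to the mapped fields).

```python
MAX_LOGS_LIMIT = 100  # documented Check Point limit for Max Logs To Return
DEFAULT_MAX_LOGS = 50  # the action's documented default

TIME_FRAMES = ("Today", "Yesterday", "Last Hour", "Last 24 Hours",
               "Last 30 Days", "This Week", "This Month", "All Time")

# Case Wall columns documented for each Log Type: (column title, log field).
CASE_WALL_COLUMNS = {
    "Log": (("ID", "id"), ("Title", "cb_title"), ("Severity", "severity"),
            ("Subject", "subject"), ("Index Time", "index_time")),
    "Audit": (("ID", "id"), ("Title", "calc_desc"), ("Severity", "severity"),
              ("Subject", "subject"), ("Time", "time")),
}

# Constructed sample: the documented Show Logs JSON result trimmed to the
# fields the table mapping uses.
SAMPLE_SHOW_LOGS = {
    "logs": [{
        "id": "ac1eca60-81b3-d219-5f87-6f2f000105e8",
        "cb_title": "Best Practice AB104 status decreased. New Status: Medium",
        "calc_desc": "Best Practice AB104 status decreased. New Status: Medium",
        "severity": "Critical",
        "subject": "Object Manipulation",
        "index_time": "2020-10-14T21:35:45Z",
        "time": "2020-10-14T21:35:43Z",
    }],
    "logs-count": 1,
    "query-id": "admin_6e9fce3a-4cd7-48b9-a3e7-14b701fb204c",
}


def validate_show_logs_params(query_filter="", time_frame="Last Hour",
                              log_type="Log", max_logs=DEFAULT_MAX_LOGS):
    """Check the action's parameters and return them normalized.

    max_logs is clamped to the documented 100-entry ceiling; an out-of-list
    time frame or log type is rejected before any request is made.
    """
    if time_frame not in TIME_FRAMES:
        raise ValueError(f"unknown time frame: {time_frame!r}")
    if log_type not in CASE_WALL_COLUMNS:
        raise ValueError(f"unknown log type: {log_type!r}")
    if max_logs is None or int(max_logs) < 1:
        max_logs = DEFAULT_MAX_LOGS
    return {
        "query_filter": query_filter or "",
        "time_frame": time_frame,
        "log_type": log_type,
        "max_logs": min(int(max_logs), MAX_LOGS_LIMIT),
    }


def build_case_wall_rows(show_logs_result, log_type):
    """Map each returned log to the Case Wall columns for the given Log Type.

    Missing fields become empty strings so a sparse log never breaks the table.
    """
    columns = CASE_WALL_COLUMNS[log_type]
    return [{title: str(log.get(field, "")) for title, field in columns}
            for log in show_logs_result.get("logs", [])]
```

The same Compliance Blade entry lands in the Results table with Index Time under Log type and with Time under Audit type; the two timestamps differ by the indexing delay, which is why the mapping is kept per type rather than hard-coded.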

Download Log Attachment

Description

Download log attachments from Check Point FireWall.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Log IDs String N/A Yes Specify the comma-separated list of log IDs from which you want to download attachments.
Download Folder Path String N/A Yes Specify the absolute path for the folder where the action should store the attachments.
Create Case Wall Attachment Checkbox N/A No If enabled, the action creates a case wall attachment for each successfully downloaded file. Note: the attachment is only created if its size is less than 3 MB.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "tasks": [
        {
            "task-id": "01234567-89ab-cdef-8273-cee81a82701c",
            "task-name": "Packet Capture operation",
            "status": "succeeded",
            "progress-percentage": 100,
            "suppressed": false,
            "task-details": [
                {
                    "attachments": [
                        {
                            "base64-data": "...",
                            "file-name": "Anti-Virus-blob-time1602759307.id5a5b7500.blade05.cap"
                        }
                    ]
                }
            ],
            "absolute_path": "{folder_path}"
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If "status" == "succeeded" for at least one log (is_success = true):

Print "Successfully retrieved attachments in Check Point FireWall from the following logs:{0}".format(log ids)

If "status" != "succeeded" for at least one log (is_success = true):

Print "Action wasn't able to retrieve attachments in Check Point FireWall from the following logs:{0}".format(log ids)

If "status" != "succeeded" for all logs (is_success = true):

Print "No attachments were downloaded"

The action should fail and stop a playbook execution:

If a fatal error occurs, such as wrong credentials, no connection to the server, or other:

Print "Error executing action "Download Log Attachment". Reason: {0}".format(error.Stacktrace)

General
Case Wall Attachment

If the file does not exceed the size limit, for each successful attachment download:

"{0}".format(task-details/attachment/file-name)

General
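
The Download Log Attachment action turns the documented JSON result into files: each attachment's base64-data is decoded and written under the Download Folder Path, and a case wall attachment is created only when the file is under 3 MB. The example below is added here and is not the integration's own code. It also adds the check a practitioner wants on this path: file-name comes from the server response, so it is reduced to its last path component before it is joined to the download folder. The sample response is constructed from the documented shape with a tiny fake capture payload; the second task id is a placeholder, and task ids stand in for the log IDs the documented messages list.

```python
import base64
import os
import tempfile

CASE_WALL_MAX_BYTES = 3 * 1024 * 1024  # documented 3 MB ceiling for case wall attachments

# Constructed sample: the documented JSON result shape with a tiny fake capture
# payload, plus a second (failed) task whose id is a constructed placeholder.
SAMPLE_RESPONSE = {
    "tasks": [
        {
            "task-id": "01234567-89ab-cdef-8273-cee81a82701c",
            "task-name": "Packet Capture operation",
            "status": "succeeded",
            "task-details": [{"attachments": [{
                "file-name": "Anti-Virus-blob-time1602759307.id5a5b7500.blade05.cap",
                "base64-data": base64.b64encode(b"\xd4\xc3\xb2\xa1" + bytes(20)).decode(),
            }]}],
        },
        {
            "task-id": "00000000-0000-0000-0000-000000000002",  # constructed placeholder
            "task-name": "Packet Capture operation",
            "status": "failed",
            "task-details": [],
        },
    ]
}


def safe_file_name(name):
    """Reduce a server-supplied file name to its last path component so the
    write cannot leave the download folder, and reject empty or dot names."""
    base = os.path.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError(f"unusable attachment name: {name!r}")
    return base


def fits_case_wall(size):
    """The documented rule: attach to the case wall only below 3 MB."""
    return size < CASE_WALL_MAX_BYTES


def save_attachments(response, folder_path, create_case_wall_attachment=True):
    """Write every attachment of each succeeded task into folder_path.

    Returns (saved, failed_task_ids). Each saved entry records the absolute
    path, the decoded size, and whether a case wall attachment should be created.
    """
    os.makedirs(folder_path, exist_ok=True)
    saved, failed = [], []
    for task in response.get("tasks", []):
        if task.get("status") != "succeeded":
            failed.append(task.get("task-id"))
            continue
        for detail in task.get("task-details", []):
            for att in detail.get("attachments", []):
                data = base64.b64decode(att["base64-data"])
                path = os.path.abspath(os.path.join(folder_path, safe_file_name(att["file-name"])))
                with open(path, "wb") as fh:
                    fh.write(data)
                saved.append({
                    "task-id": task.get("task-id"),
                    "file-name": os.path.basename(path),
                    "absolute_path": path,
                    "size": len(data),
                    "case_wall_attachment": create_case_wall_attachment and fits_case_wall(len(data)),
                })
    return saved, failed


def build_output_message(saved, failed):
    """Compose the documented output messages from the save results."""
    lines = []
    if saved:
        ids = ", ".join(sorted({s["task-id"] for s in saved}))
        lines.append("Successfully retrieved attachments in Check Point FireWall from the following logs:" + ids)
    if failed:
        lines.append("Action wasn't able to retrieve attachments in Check Point FireWall from the following logs:" + ", ".join(failed))
    if not saved:
        lines.append("No attachments were downloaded")
    return "\n".join(lines)


def demo(folder_path=None):
    """Run the sample through a temporary folder and return the results."""
    folder_path = folder_path or tempfile.mkdtemp(prefix="chkp-attachments-")
    saved, failed = save_attachments(SAMPLE_RESPONSE, folder_path)
    return saved, failed, build_output_message(saved, failed)
```

Calling demo() writes the sample capture into a fresh temporary folder and returns the saved entries, the failed task ids and the combined output message; in the integration the folder would be the Download Folder Path parameter.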