Check Point Firewall provides small, medium, and large customers with the latest data and network security protection in an integrated next-generation firewall platform, which reduces complexity and lowers the total cost of ownership. Whether you need next-generation security for your data center, enterprise, small business or home office, Check Point has a solution for you.
This document provides information about the Check Point Firewall connector, which facilitates automated interactions, with a Check Point Firewall server using FortiSOAR™ playbooks. Add the Checkpoint Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or retrieving a list of blocked IP addresses, URLs, or applications.
Connector Version: 2.1.0
Authored By: Fortinet
Contributor: Mahdi Naili
Certified: No
Following enhancements have been made to the Check Point Firewall Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-checkpoint-firewall
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Check Point Firewall connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter | Description |
|---|---|
| Server URL | IP address or Hostname of the Check Point Firewall server to which you will connect and perform automated operations. |
| Port | Port number used for connecting to the Check Point Firewall server. |
| Username | Username to access the Check Point Firewall server to which you will connect and perform the automated operations. |
| Password | Password to access the Check Point Firewall server to which you will connect and perform the automated operations. |
| IP Block Policy (Network Group Name) | List of the IP Hosts that you have specified in Check Point Firewall for blocking or unblocking IP addresses. See the Blocking or Unblocking IP addresses, URLs, or applications in Check Point Firewall section. |
| URL Block Policy (Application/Site Name) | Name of the URL Group that you have specified in Check Point Firewall for blocking or unblocking URLs. See the Blocking or Unblocking IP addresses, URLs, or applications in Check Point Firewall section. |
| Application Block Policy (Application/Site Group Name) | Name of the application group that you have specified in Check Point Firewall for blocking or unblocking applications. See the Blocking or Unblocking IP addresses, URLs, or applications in Check Point Firewall section. |
| Install Policy After Publish | Select this option, i.e., set it to True to install the Policy API immediately after adding or removing items from the policy.
|
| Domain | Specify the domain name or ID to login to the specified domain. |
| Session Details | Specify session parameters required to set before publish. For example:
{ "session-description": ""}
|
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Block URLs | Blocks URLs using the URL Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
block_url Containment |
| Unblock URLs | Unblocks URLs using the URL Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
unblock_url Remediation |
| Block IP Address | Blocks IP addresses using the IP Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
block_ip Containment |
| Unblock IP Address | Unblocks IP addresses using the IP Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
unblock_ip Remediation |
| Block Applications | Blocks applications using the Application Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
block_app Containment |
| Unblock Applications | Unblocks applications using the Application Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
unblock_app Remediation |
| Get Blocked URLs | Retrieves a list of URLs that are blocked on Check Point Firewall. | get_blocked_url Investigation |
| Get Blocked IP Addresses | Retrieves a list of IP Addresses that are blocked on Check Point Firewall. | get_blocked_ip Investigation |
| Get Blocked Application Names | Retrieves a list of application names that are blocked on Check Point Firewall. | get_blocked_app Investigation |
| Validate Configuration Policies | Checks whether the policies that you have mentioned in the Configuration parameters section are valid or not. | validate_policies Investigation |
| Get Sessions | Retrieves a list of active sessions from Check Point Firewall. | get_sessions Investigation |
| Get Session | Retrieves details of the session, based on the session UID that you have specified, from Check Point Firewall. | get_session Investigation |
| Terminate Session | Terminates a session on Check Point Firewall, based on the Session UID you have specified. | terminate_sessions Remediation |
| Get Applications Detail | Retrieves a list of applications and associated details from Check Point Firewall. | get_app_details Investigation |
| Parameter | Description |
|---|---|
| URLs (In CSV or List Format) | Specify the URLs to block on Check Point Firewall. URLs must be in a list or CSV format. For example: ["www.example1.com", "www.example2.com"] |
The JSON output contains a status message of whether or not the URLs are successfully blocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| URLs (In CSV or List Format) | URLs that you want to unblock on Check Point Firewall. URLs must be in the list or CSV format. For example: ["www.example1.com", "www.example2.com"] |
The JSON output contains a status message of whether or not the URLs are successfully unblocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| IP Address (In CSV or List Format) | IP addresses that you want to block on Check Point Firewall. IP addresses must be in the list or CSV format. For example: ["X.X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully blocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| IP Address (In CSV or List Format) | IP addresses that you want to unblock on Check Point Firewall. IP addresses must be in the list or CSV format. For example: ["X.X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully unblocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Application Names (In CSV or List Format) | List of application names that you want to block on Check Point Firewall. Application names must be in the list format. For example: ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully blocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Application Names (In CSV or List Format) | List of application names that you want to block on Check Point Firewall. Application names must be in the list format. For example: ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully unblocked.
The output contains a non-dictionary value.
None
The JSON output contains a list of URLs that are blocked on Check Point Firewall.
No output schema is available at this time.
None
The JSON output contains a list of IP addresses that are blocked on Check Point Firewall.
Following image displays a sample output:
No output schema is available at this time.
None
The JSON output contains a list of application names that are blocked on Check Point Firewall.
No output schema is available at this time.
None
The output contains the following populated JSON schema:
{
"Application Block Policy": "",
"IP Address Block Policy": "",
"URL Block Policy": ""
}
None
The output contains the following populated JSON schema:
{
"to": "",
"total": "",
"from": "",
"objects": [
{
"domain": {
"domain-type": "",
"name": "",
"uid": ""
},
"uid": "",
"type": ""
}
]
}
| Parameter | Description |
|---|---|
| Session UID | UID of the session for which you want to retrieve details from Check Point Firewall. |
The output contains the following populated JSON schema:
{
"uid": "",
"state": "",
"ip-address": "",
"locks": "",
"application": "",
"connection-mode": "",
"type": "",
"description": "",
"changes": "",
"domain": {
"name": "",
"uid": "",
"domain-type": ""
},
"expired-session": "",
"in-work": ""
}
| Parameter | Description |
|---|---|
| Session UID | UID of the session that you want to discard on Check Point Firewall. |
The output contains the following populated JSON schema:
{
"message": "",
"number-of-discarded-changes": ""
}
| Parameter | Description |
|---|---|
| Start Index | Start Index from where you want to retrieve results (skip the number of records from the result) from Check Point Firewall. |
| Number of Results (Range: 1 to 500) | Number of results you want to display. The maximum number of results that can be displayed is 500. |
The output contains the following populated JSON schema:
{
"to": "",
"total": "",
"from": "",
"objects": [
{
"domain": {
"domain-type": "",
"name": "",
"uid": ""
},
"name": "",
"uid": "",
"type": ""
}
]
}
The Sample - Check Point Firewall - 2.1.0 playbook collection comes bundled with the Check Point Firewall connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Check Point Firewall connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
To block or unblock IP Addresses, you must create a policy. The following steps define the process of adding a policy
Destination As any and the Action as Drop, as shown in the image in step 1.IP Block Policy configuration parameter. In our example, we have named our network group as fortisoar-block-ip, therefore, you must enter fortisoar-block-ip in the IP Block Policy field.URL Block Policy configuration parameter. In our example, we have named our application or site object as fortisoar-url-block, therefore, you must enter fortisoar-url-block in the URL Block Policy field.Application Block Policyconfiguration parameter. In our example, we have named our application or site group object as fortisoar-app-block-group, therefore, you must enter fortisoar-app-block-group in the Application Block Policy field.SSH to log on to the management server in the expert mode and type api restart.Check Point Firewall provides small, medium, and large customers with the latest data and network security protection in an integrated next-generation firewall platform, which reduces complexity and lowers the total cost of ownership. Whether you need next-generation security for your data center, enterprise, small business or home office, Check Point has a solution for you.
This document provides information about the Check Point Firewall connector, which facilitates automated interactions, with a Check Point Firewall server using FortiSOAR™ playbooks. Add the Checkpoint Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or retrieving a list of blocked IP addresses, URLs, or applications.
Connector Version: 2.1.0
Authored By: Fortinet
Contributor: Mahdi Naili
Certified: No
Following enhancements have been made to the Check Point Firewall Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-checkpoint-firewall
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Check Point Firewall connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter | Description |
|---|---|
| Server URL | IP address or Hostname of the Check Point Firewall server to which you will connect and perform automated operations. |
| Port | Port number used for connecting to the Check Point Firewall server. |
| Username | Username to access the Check Point Firewall server to which you will connect and perform the automated operations. |
| Password | Password to access the Check Point Firewall server to which you will connect and perform the automated operations. |
| IP Block Policy (Network Group Name) | List of the IP Hosts that you have specified in Check Point Firewall for blocking or unblocking IP addresses. See the Blocking or Unblocking IP addresses, URLs, or applications in Check Point Firewall section. |
| URL Block Policy (Application/Site Name) | Name of the URL Group that you have specified in Check Point Firewall for blocking or unblocking URLs. See the Blocking or Unblocking IP addresses, URLs, or applications in Check Point Firewall section. |
| Application Block Policy (Application/Site Group Name) | Name of the application group that you have specified in Check Point Firewall for blocking or unblocking applications. See the Blocking or Unblocking IP addresses, URLs, or applications in Check Point Firewall section. |
| Install Policy After Publish | Select this option, i.e., set it to True to install the Policy API immediately after adding or removing items from the policy.
|
| Domain | Specify the domain name or ID to login to the specified domain. |
| Session Details | Specify session parameters required to set before publish. For example:
{ "session-description": ""}
|
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Block URLs | Blocks URLs using the URL Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
block_url Containment |
| Unblock URLs | Unblocks URLs using the URL Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
unblock_url Remediation |
| Block IP Address | Blocks IP addresses using the IP Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
block_ip Containment |
| Unblock IP Address | Unblocks IP addresses using the IP Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
unblock_ip Remediation |
| Block Applications | Blocks applications using the Application Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
block_app Containment |
| Unblock Applications | Unblocks applications using the Application Block Policy that you have specified while configuring the Check Point Firewall connector. See the Configuration parameters section. |
unblock_app Remediation |
| Get Blocked URLs | Retrieves a list of URLs that are blocked on Check Point Firewall. | get_blocked_url Investigation |
| Get Blocked IP Addresses | Retrieves a list of IP Addresses that are blocked on Check Point Firewall. | get_blocked_ip Investigation |
| Get Blocked Application Names | Retrieves a list of application names that are blocked on Check Point Firewall. | get_blocked_app Investigation |
| Validate Configuration Policies | Checks whether the policies that you have mentioned in the Configuration parameters section are valid or not. | validate_policies Investigation |
| Get Sessions | Retrieves a list of active sessions from Check Point Firewall. | get_sessions Investigation |
| Get Session | Retrieves details of the session, based on the session UID that you have specified, from Check Point Firewall. | get_session Investigation |
| Terminate Session | Terminates a session on Check Point Firewall, based on the Session UID you have specified. | terminate_sessions Remediation |
| Get Applications Detail | Retrieves a list of applications and associated details from Check Point Firewall. | get_app_details Investigation |
| Parameter | Description |
|---|---|
| URLs (In CSV or List Format) | Specify the URLs to block on Check Point Firewall. URLs must be in a list or CSV format. For example: ["www.example1.com", "www.example2.com"] |
The JSON output contains a status message of whether or not the URLs are successfully blocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| URLs (In CSV or List Format) | URLs that you want to unblock on Check Point Firewall. URLs must be in the list or CSV format. For example: ["www.example1.com", "www.example2.com"] |
The JSON output contains a status message of whether or not the URLs are successfully unblocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| IP Address (In CSV or List Format) | IP addresses that you want to block on Check Point Firewall. IP addresses must be in the list or CSV format. For example: ["X.X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully blocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| IP Address (In CSV or List Format) | IP addresses that you want to unblock on Check Point Firewall. IP addresses must be in the list or CSV format. For example: ["X.X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully unblocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Application Names (In CSV or List Format) | List of application names that you want to block on Check Point Firewall. Application names must be in the list format. For example: ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully blocked.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Application Names (In CSV or List Format) | List of application names that you want to block on Check Point Firewall. Application names must be in the list format. For example: ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully unblocked.
The output contains a non-dictionary value.
None
The JSON output contains a list of URLs that are blocked on Check Point Firewall.
No output schema is available at this time.
None
The JSON output contains a list of IP addresses that are blocked on Check Point Firewall.
Following image displays a sample output:
No output schema is available at this time.
None
The JSON output contains a list of application names that are blocked on Check Point Firewall.
No output schema is available at this time.
None
The output contains the following populated JSON schema:
{
"Application Block Policy": "",
"IP Address Block Policy": "",
"URL Block Policy": ""
}
None
The output contains the following populated JSON schema:
{
"to": "",
"total": "",
"from": "",
"objects": [
{
"domain": {
"domain-type": "",
"name": "",
"uid": ""
},
"uid": "",
"type": ""
}
]
}
| Parameter | Description |
|---|---|
| Session UID | UID of the session for which you want to retrieve details from Check Point Firewall. |
The output contains the following populated JSON schema:
{
"uid": "",
"state": "",
"ip-address": "",
"locks": "",
"application": "",
"connection-mode": "",
"type": "",
"description": "",
"changes": "",
"domain": {
"name": "",
"uid": "",
"domain-type": ""
},
"expired-session": "",
"in-work": ""
}
| Parameter | Description |
|---|---|
| Session UID | UID of the session that you want to discard on Check Point Firewall. |
The output contains the following populated JSON schema:
{
"message": "",
"number-of-discarded-changes": ""
}
| Parameter | Description |
|---|---|
| Start Index | Start Index from where you want to retrieve results (skip the number of records from the result) from Check Point Firewall. |
| Number of Results (Range: 1 to 500) | Number of results you want to display. The maximum number of results that can be displayed is 500. |
The output contains the following populated JSON schema:
{
"to": "",
"total": "",
"from": "",
"objects": [
{
"domain": {
"domain-type": "",
"name": "",
"uid": ""
},
"name": "",
"uid": "",
"type": ""
}
]
}
The Sample - Check Point Firewall - 2.1.0 playbook collection comes bundled with the Check Point Firewall connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Check Point Firewall connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
To block or unblock IP Addresses, you must create a policy. The following steps define the process of adding a policy
Destination As any and the Action as Drop, as shown in the image in step 1.IP Block Policy configuration parameter. In our example, we have named our network group as fortisoar-block-ip, therefore, you must enter fortisoar-block-ip in the IP Block Policy field.URL Block Policy configuration parameter. In our example, we have named our application or site object as fortisoar-url-block, therefore, you must enter fortisoar-url-block in the URL Block Policy field.Application Block Policyconfiguration parameter. In our example, we have named our application or site group object as fortisoar-app-block-group, therefore, you must enter fortisoar-app-block-group in the Application Block Policy field.SSH to log on to the management server in the expert mode and type api restart.