Check Point Firewall

Use the Check Point Firewall integration to identify and control applications by user and scan content to stop threats.

Configure Check Point on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Check Point.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1)
    • Port
    • Username
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get items in an access rulebase


Show items in an access rulebase configured in Check Point Firewall.

Base Command

checkpoint-show-access-rule-base

Input
Argument Name Description Required
name The object name. Should be unique in the domain. Required
uid The unique identifier of the object. Optional

Context Output
Path Type Description
CheckpointFWRule.Name string The object name. Should be unique in the domain.
CheckpointFWRule.UID string The unique identifier of the object.
CheckpointFWRule.Type string The object type.
CheckpointFWRule.Action string The level of detail returned depends on the “details-level” field of the request (Accept, Drop, Apply Layer, Ask, Info). This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.ActionSetting string Action settings.
CheckpointFWRule.CustomFields string Custom fields.
CheckpointFWRule.Data string The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.Data.Name string The object name. Should be unique in the domain.
CheckpointFWRule.UID string The unique identifier of the object.
CheckpointFWRule.Type string The object type.
CheckpointFWRule.Data.Domain string Information about the domain that the object belongs to.
CheckpointFWRule.DataDirection string The direction the file types processing is applied to.
CheckpointFWRule.DataNegate string “True” if negate is set for data.
CheckpointFWRule.Destination string Collection of network objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.DestinationNegate string “True” if negate is set for the destination.
CheckpointFWRule.Domain string Information about the domain that the object belongs to.
CheckpointFWRule.Domain.Name string The object name. Should be unique in the domain.
CheckpointFWRule.Domain.UID string The unique identifier of the object.
CheckpointFWRule.Domain.Type string The domain type.
CheckpointFWRule.Enabled string Whether the rule is enabled or disabled.
CheckpointFWRule.Hits number The hits count object.
CheckpointFWRule.Hits.FirstDate string The first date of hits.
CheckpointFWRule.Hits.LastDate string The last date of hits.
CheckpointFWRule.Hits.Level string The level of hits.
CheckpointFWRule.Hits.Percentage string The percentage of hits.
CheckpointFWRule.Hits.Value string The value of hits.

Command Example
!checkpoint-show-access-rule-base name="Network"
Human Readable Output

[Screenshot: human-readable output of the command]

2. Set attributes of an access rule object


Sets attributes of an access rule object configured in Check Point Firewall.

Base Command

checkpoint-set-rule

Input
Argument Name Description Required
uid The unique identifier of the object. Optional
name The object name. Optional
rule_number The rule number. Optional
layer The layer that the rule belongs to, identified by the name or UID. Required
enabled If “true”, the rule will be enabled. If “false”, the rule will be disabled. Optional

Context Output
Path Type Description
CheckpointFWRule.Name string The object name. Should be unique in the domain.
CheckpointFWRule.UID string The unique identifier of the object.
CheckpointFWRule.Type string The object type.
CheckpointFWRule.Action string The level of detail returned depends on the “details-level” field of the request (Accept, Drop, Apply Layer, Ask, Info). This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.ActionSetting string Action settings.
CheckpointFWRule.CustomFields string Custom fields.
CheckpointFWRule.Data string The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.Data.Name string The object name. Should be unique in the domain.
CheckpointFWRule.UID string The unique identifier of the object.
CheckpointFWRule.Type string The object type.
CheckpointFWRule.Data.Domain string Information about the domain that the object belongs to.
CheckpointFWRule.DataDirection string The direction the file types processing is applied to.
CheckpointFWRule.DataNegate string “True” if negate is set for data.
CheckpointFWRule.Destination string Collection of network objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.DestinationNegate string “True” if negate is set for the destination.
CheckpointFWRule.Domain string Information about the domain that the object belongs to.
CheckpointFWRule.Domain.Name string The object name. Should be unique in the domain.
CheckpointFWRule.Domain.UID string The unique identifier of the object.
CheckpointFWRule.Domain.Type string Domain type.
CheckpointFWRule.Enabled string Whether the rule is enabled or disabled.
CheckpointFWRule.Hits number The hits count object.
CheckpointFWRule.Hits.FirstDate string The first date of hits.
CheckpointFWRule.Hits.LastDate string The last date of hits.
CheckpointFWRule.Hits.Level string The level of hits.
CheckpointFWRule.Hits.Percentage string The percentage of hits.
CheckpointFWRule.Hits.Value string The value of hits.

Command Example
!checkpoint-set-rule name="bar-from-6.6.6.5" layer="8a5e96fb-c793-457f-b78f-c667074223a5"
Human Readable Output

[Screenshot: human-readable output of the command]

3. Get the status of a Check Point task


Shows the status of a Check Point task, by task UUID.

Base Command

checkpoint-task-status

Input
Argument Name Description Required
task_id A CSV list of task unique identifiers. Required

Context Output
Path Type Description
CheckpointFWTask.Name string The object name. Should be unique in the domain.
CheckpointFWTask.UID string The unique identifier of the object.
CheckpointFWTask.Type string The object type.
CheckpointFWTask.Domain string Information about the domain that the object belongs to.
CheckpointFWTask.Domain.Name string The object name. Should be unique in the domain.
CheckpointFWTask.Domain.UID string The unique identifier of the object.
CheckpointFWTask.Domain.Type string Domain type.
CheckpointFWTask.LastUpdateTime string The last update date and time (in international ISO 8601 format).
CheckpointFWTask.MetaInfo.CreationTime string The object creation time.
CheckpointFWTask.MetaInfo.Creator string The object creator.
CheckpointFWTask.MetaInfo.LastModifier string The last modifier of the object.
CheckpointFWTask.MetaInfo.LastModifyTime string The object last modification time.
CheckpointFWTask.MetaInfo.LockStatus string The object lock state. Editing objects locked by other sessions is not supported.
CheckpointFWTask.MetaInfo.ValidationStatus string The object validation state (ok, info, warning, error).
CheckpointFWTask.ProgressPercentage string The object progress percentage.
CheckpointFWTask.ReadOnly string Read only.
CheckpointFWTask.StartTime string The start time date and time (in international ISO 8601 format).
CheckpointFWTask.Status string The task status.
CheckpointFWTask.Suppressed string Is suppressed.
CheckpointFWTask.Tags string A collection of tag objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWTask.Details string The task details. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWTask.ID string The asynchronous unique identifier of the task.
CheckpointFWTask.TaskName string The task name.

4. Get all host objects


Shows all host objects configured in Check Point Firewall.

Base Command

checkpoint-show-hosts

Input
Argument Name Description Required
limit The maximum number of results to return. Optional
offset The number of results to skip before starting to return them. Optional
order Sorts results by the given field. The default is random order. Optional

Context Output
Path Type Description
Endpoint.Hostname string The object name. Should be unique in the domain.
Endpoint.UID string The unique identifier of the object.
Endpoint.Type string The object type.
Endpoint.Domain string Information about the domain that the object belongs to.
Endpoint.Domain.Name string The object name. Should be unique in the domain.
Endpoint.Domain.UID string Object unique identifier
Endpoint.Domain.Type string Type of the object

Command Example
!checkpoint-show-hosts
Human Readable Output

[Screenshot: human-readable output of the command]

5. Block an IP address


Blocks one or more IP addresses using Check Point Firewall.

Base Command

checkpoint-block-ip

Input
Argument Name Description Required
ip A CSV list of IP addresses to block. Required
direction Whether to block traffic “to” or “from” the IPs, or “both”. Default is “both”. Optional
rulename The base name for added rules inside Check Point DB. Required
ipname The base name for added IP addresses/hosts inside Check Point DB. Required

Context Output
Path Type Description
CheckpointFWRule.Name string The object name. Should be unique in the domain.
CheckpointFWRule.UID string The unique identifier of the object.
CheckpointFWRule.Type string Type of the object
CheckpointFWRule.Action string The level of detail returned depends on the “details-level” field of the request (Accept, Drop, Apply Layer, Ask, Info). This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.ActionSetting string Action settings.
CheckpointFWRule.CustomFields string Custom fields.
CheckpointFWRule.Data string The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard.
CheckpointFWRule.Data.Name string The object name. Should be unique in the domain.
CheckpointFWRule.UID string The unique identifier of the object.
CheckpointFWRule.Type string The object type.
CheckpointFWRule.Data.Domain string Information about the domain that the object belongs to.
CheckpointFWRule.DataDirection string The direction the file types processing is applied to.
CheckpointFWRule.DataNegate string "True" if negate is set for data.
CheckpointFWRule.Destination string A collection of network objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when details-level is set to standard.
CheckpointFWRule.DestinationNegate string “True” if negate is set for the destination.
CheckpointFWRule.Domain string Information about the domain that the object belongs to.
CheckpointFWRule.Domain.Name string The object name. Should be unique in the domain.
CheckpointFWRule.Domain.UID string The unique identifier of the object.
CheckpointFWRule.Domain.Type string The domain type.
CheckpointFWRule.Enabled string Whether the rule is enabled or disabled.
CheckpointFWRule.Hits number The hits count object.
CheckpointFWRule.Hits.FirstDate string The first date of hits.
CheckpointFWRule.Hits.LastDate string The last date of hits.
CheckpointFWRule.Hits.Level string The level of hits.
CheckpointFWRule.Hits.Percentage string The percentage of hits.
CheckpointFWRule.Hits.Value string The value of hits.
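
Added example (not part of the integration's own code): a pre-check that an automation could run on the ip, direction, rulename and ipname arguments before calling checkpoint-block-ip, so that malformed values, reserved addresses and internal ranges never reach the firewall. The protected networks, the allowed name characters and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed local policy, not Check Point rules: ranges a playbook must never
# block, and a conservative character set for the base names.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
DIRECTIONS = ("to", "from", "both")  # values listed for the direction argument


def split_block_candidates(ip_csv):
    """Return (blockable, rejected); rejected holds (value, reason) pairs."""
    blockable, rejected = [], []
    for value in (part.strip() for part in ip_csv.split(",")):
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            rejected.append((value, "not an IP address"))
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
            rejected.append((value, "reserved address"))
        elif any(addr in net for net in PROTECTED_NETWORKS):
            rejected.append((value, "inside a protected network"))
        elif str(addr) not in blockable:  # drop duplicates silently
            blockable.append(str(addr))
    return blockable, rejected


def build_block_command(ip_csv, rulename, ipname, direction="both"):
    """Build the CLI line for checkpoint-block-ip, or None if nothing is left to block."""
    if direction not in DIRECTIONS:
        raise ValueError("direction must be one of: " + ", ".join(DIRECTIONS))
    for name in (rulename, ipname):
        # A quote in a name would end the quoted argument early.
        if not SAFE_NAME.fullmatch(name):
            raise ValueError("unsafe base name: %r" % name)
    blockable, rejected = split_block_candidates(ip_csv)
    if not blockable:
        return None, rejected
    command = '!checkpoint-block-ip ip="%s" direction="%s" rulename="%s" ipname="%s"' % (
        ",".join(blockable), direction, rulename, ipname)
    return command, rejected


# Constructed sample input: one blockable address, one internal, one typo, one loopback, one duplicate.
SAMPLE = "203.0.113.7, 10.1.2.3, not-an-ip, 127.0.0.1, 203.0.113.7"
if __name__ == "__main__":
    print(build_block_command(SAMPLE, "soar-block", "soar-host"))
```

Record the rejected list in the incident so an analyst can see why an address was not blocked.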

6. Use the Check Point Management API


Enables you to use the Check Point Management API. When using this command, the required format is: ‘command’=.
This command requires management server R80 or later.

Base Command

checkpoint

Input

There are no inputs for this command.

Context Output

There is no context output for this command.

7. Delete a rule


Deletes a rule from Check Point Firewall.

Base Command

checkpoint-delete-rule

Input
Argument Name Description Required
uid The UID of the rule. Optional
name The name of the rule. Optional
layer The layer, for example: Network Required

Context Output

There is no context output for this command.

Troubleshooting

If you receive the following 400 Bad Request error when running the checkpoint-block-ip command, you need to disconnect (clear) all other sessions in the SmartConsole, even if they appear to be disconnected. In SmartConsole, navigate to Manage & Settings > Sessions > View Sessions.

400 Bad Request - Runtime error: An object is locked by another session