Check Point Firewall (Deprecated)
This Integration is part of the Check Point Firewall Pack.
Deprecated
Use the Check Point Firewall v2 integration instead.
Use the Check Point Firewall integration to identify and control applications by user and scan content to stop threats.
Configure Check Point on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Check Point.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Server URL (e.g., https://192.168.0.1)
  - Port
  - Username
  - Trust any certificate (not secure)
  - Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get items in an access rulebase: checkpoint-show-access-rule-base
- Set attributes of an access rule object: checkpoint-set-rule
- Get the status of a Check Point task: checkpoint-task-status
- Get all host objects: checkpoint-show-hosts
- Block an IP address: checkpoint-block-ip
- Use the Check Point Management API: checkpoint
- Delete a rule: checkpoint-delete-rule
1. Get items in an access rulebase
Show items in an access rulebase configured in Check Point Firewall.
Base Command
checkpoint-show-access-rule-base
Input
Argument Name | Description | Required |
---|---|---|
name | The object name. Should be unique in the domain. | Required |
uid | The unique identifier of the object. | Optional |
Context Output
Path | Type | Description |
---|---|---|
CheckpointFWRule.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.UID | string | The unique identifier of the object. |
CheckpointFWRule.Type | string | The object type. |
CheckpointFWRule.Action | string | The level of detail returned depends on the “details-level” field of the request (Accept, Drop, Apply Layer, Ask, Info). This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.ActionSetting | string | Action settings. |
CheckpointFWRule.CustomFields | string | Custom fields. |
CheckpointFWRule.Data | string | The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.Data.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.UID | string | The unique identifier of the object. |
CheckpointFWRule.Type | string | The object type. |
CheckpointFWRule.Data.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWRule.DataDirection | string | The direction the file types processing is applied to. |
CheckpointFWRule.DataNegate | string | “True” if negate is set for data. |
CheckpointFWRule.Destination | string | Collection of network objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.DestinationNegate | string | “True” if negate is set for the destination. |
CheckpointFWRule.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWRule.Domain.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.Domain.UID | string | The unique identifier of the object. |
CheckpointFWRule.Domain.Type | string | The domain type. |
CheckpointFWRule.Enabled | string | Whether the rule is enabled or disabled. |
CheckpointFWRule.Hits | number | The hits count object. |
CheckpointFWRule.Hits.FirstDate | string | The first date of hits. |
CheckpointFWRule.Hits.LastDate | string | The last date of hits. |
CheckpointFWRule.Hits.Level | string | The level of hits. |
CheckpointFWRule.Hits.Percentage | string | The percentage of hits. |
CheckpointFWRule.Hits.Value | string | The value of hits. |
Command Example
!checkpoint-show-access-rule-base name="Network"
Human Readable Output
2. Set attributes of an access rule object
Sets attributes of an access rule object configured in Check Point Firewall.
Base Command
checkpoint-set-rule
Input
Argument Name | Description | Required |
---|---|---|
uid | The unique identifier of the object. | Optional |
name | The object name. | Optional |
rule_number | The rule number. | Optional |
layer | The layer that the rule belongs to, identified by the name or UID. | Required |
enabled | If “true”, the rule will be enabled. If “false”, the rule will be disabled. | Optional |
Context Output
Path | Type | Description |
---|---|---|
CheckpointFWRule.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.UID | string | The unique identifier of the object. |
CheckpointFWRule.Type | string | The object type. |
CheckpointFWRule.Action | string | The level of detail returned depends on the “details-level” field of the request (Accept, Drop, Apply Layer, Ask, Info). This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.ActionSetting | string | Action settings. |
CheckpointFWRule.CustomFields | string | Custom fields. |
CheckpointFWRule.Data | string | The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.Data.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.UID | string | The unique identifier of the object. |
CheckpointFWRule.Type | string | The object type. |
CheckpointFWRule.Data.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWRule.DataDirection | string | The direction the file types processing is applied to. |
CheckpointFWRule.DataNegate | string | “True” if negate is set for data. |
CheckpointFWRule.Destination | string | Collection of network objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.DestinationNegate | string | “True” if negate is set for the destination. |
CheckpointFWRule.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWRule.Domain.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.Domain.UID | string | The unique identifier of the object. |
CheckpointFWRule.Domain.Type | string | Domain type. |
CheckpointFWRule.Enabled | string | Whether the rule is enabled or disabled. |
CheckpointFWRule.Hits | number | The hits count object. |
CheckpointFWRule.Hits.FirstDate | string | The first date of hits. |
CheckpointFWRule.Hits.LastDate | string | The last date of hits. |
CheckpointFWRule.Hits.Level | string | The level of hits. |
CheckpointFWRule.Hits.Percentage | string | The percentage of hits. |
CheckpointFWRule.Hits.Value | string | The value of hits. |
Command Example
!checkpoint-set-rule name="bar-from-6.6.6.5" layer="8a5e96fb-c793-457f-b78f-c667074223a5"
Human Readable Output
3. Get the status of a Check Point task
Shows the status of a Check Point task, by task UUID.
Base Command
checkpoint-task-status
Input
Argument Name | Description | Required |
---|---|---|
task_id | A CSV list of task unique identifiers. | Required |
Context Output
Path | Type | Description |
---|---|---|
CheckpointFWTask.Name | string | The object name. Should be unique in the domain. |
CheckpointFWTask.UID | string | The unique identifier of the object. |
CheckpointFWTask.Type | string | The object type. |
CheckpointFWTask.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWTask.Domain.Name | string | The object name. Should be unique in the domain. |
CheckpointFWTask.Domain.UID | string | The unique identifier of the object. |
CheckpointFWTask.Domain.Type | string | Domain type. |
CheckpointFWTask.LastUpdateTime | string | The last update date and time (in international ISO 8601 format). |
CheckpointFWTask.MetaInfo.CreationTime | string | The object creation time. |
CheckpointFWTask.MetaInfo.Creator | string | The object creator. |
CheckpointFWTask.MetaInfo.LastModifier | string | The last modifier of the object. |
CheckpointFWTask.MetaInfo.LastModifyTime | string | The object last modification time. |
CheckpointFWTask.MetaInfo.LockStatus | string | The object lock state. Editing objects locked by other sessions is not supported. |
CheckpointFWTask.MetaInfo.ValidationStatus | string | The object validation state (ok, info, warning, error). |
CheckpointFWTask.ProgressPercentage | string | The object progress percentage. |
CheckpointFWTask.ReadOnly | string | Read only. |
CheckpointFWTask.StartTime | string | The start date and time (in international ISO 8601 format). |
CheckpointFWTask.Status | string | The task status. |
CheckpointFWTask.Suppressed | string | Is suppressed. |
CheckpointFWTask.Tags | string | A collection of tag objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWTask.Details | string | The task details. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWTask.ID | string | The asynchronous unique identifier of the task. |
CheckpointFWTask.TaskName | string | The task name. |
4. Get all host objects
Shows all host objects configured in Check Point Firewall.
Base Command
checkpoint-show-hosts
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of results to return. | Optional |
offset | The number of results to skip before starting to return them. | Optional |
order | Sorts results by the given field. The default is random order. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Endpoint.Hostname | string | The object name. Should be unique in the domain. |
Endpoint.UID | string | The unique identifier of the object. |
Endpoint.Type | string | The object type. |
Endpoint.Domain | string | Information about the domain that the object belongs to. |
Endpoint.Domain.Name | string | The object name. Should be unique in the domain. |
Endpoint.Domain.UID | string | The unique identifier of the object. |
Endpoint.Domain.Type | string | The type of the object. |
Command Example
!checkpoint-show-hosts
Human Readable Output
5. Block an IP address
Blocks one or more IP addresses using Check Point Firewall.
Base Command
checkpoint-block-ip
Input
Argument Name | Description | Required |
---|---|---|
ip | A CSV list of IP addresses to block. | Required |
direction | Whether to block traffic “to” or “from” the IPs, or “both”. Default is “both”. | Optional |
rulename | The base name for added rules inside Check Point DB. | Required |
Context Output
Path | Type | Description |
---|---|---|
CheckpointFWRule.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.UID | string | The unique identifier of the object. |
CheckpointFWRule.Type | string | The type of the object. |
CheckpointFWRule.Action | string | The level of detail returned depends on the "details-level" field of the request (Accept, Drop, Apply Layer, Ask, Info). This table shows the level of detail shown when "details-level" is set to standard. |
CheckpointFWRule.ActionSetting | string | Action settings. |
CheckpointFWRule.CustomFields | string | Custom fields. |
CheckpointFWRule.Data | string | The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when “details-level” is set to standard. |
CheckpointFWRule.Data.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.UID | string | The unique identifier of the object. |
CheckpointFWRule.Type | string | The object type. |
CheckpointFWRule.Data.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWRule.DataDirection | string | The direction the file types processing is applied to. |
CheckpointFWRule.DataNegate | string | "True" if negate is set for data. |
CheckpointFWRule.Destination | string | A collection of network objects identified by the name or UID. The level of detail returned depends on the “details-level” field of the request. This table shows the level of detail shown when details-level is set to standard. |
CheckpointFWRule.DestinationNegate | string | “True” if negate is set for the destination. |
CheckpointFWRule.Domain | string | Information about the domain that the object belongs to. |
CheckpointFWRule.Domain.Name | string | The object name. Should be unique in the domain. |
CheckpointFWRule.Domain.UID | string | The unique identifier of the object. |
CheckpointFWRule.Domain.Type | string | The domain type. |
CheckpointFWRule.Enabled | string | Whether the rule is enabled or disabled. |
CheckpointFWRule.Hits | number | The hits count object. |
CheckpointFWRule.Hits.FirstDate | string | The first date of hits. |
CheckpointFWRule.Hits.LastDate | string | The last date of hits. |
CheckpointFWRule.Hits.Level | string | The level of hits. |
CheckpointFWRule.Hits.Percentage | string | The percentage of hits. |
CheckpointFWRule.Hits.Value | string | The value of hits. |
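
A pre-flight check for the ip, direction and rulename arguments of checkpoint-block-ip, useful when the IP list comes from an indicator feed and a bad entry would otherwise become a firewall rule. This is an added example, not code from the integration; the function name prepare_block_ip and the protected network list are assumptions made for illustration.

```python
import ipaddress

# Values the command's input table lists for the "direction" argument.
VALID_DIRECTIONS = {"to", "from", "both"}


def prepare_block_ip(ip_csv, rulename, direction="both", protected=()):
    """Validate checkpoint-block-ip arguments and build the CLI line.

    protected: hypothetical list of CIDR networks that must never be blocked
    (management server, DNS resolvers, the XSOAR host); not an integration
    parameter. Returns (command or None, {rejected entry: reason}).
    """
    if direction not in VALID_DIRECTIONS:
        raise ValueError("direction must be one of: to, from, both")
    if not rulename or '"' in rulename:
        raise ValueError("rulename is required and must not contain quotes")
    protected_nets = [ipaddress.ip_network(net) for net in protected]

    accepted, rejected = [], {}
    for raw in ip_csv.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and blank fields
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rejected[entry] = "not an IP address"
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            rejected[entry] = "special-purpose address"
        elif any(addr in net for net in protected_nets):
            rejected[entry] = "inside a protected network"
        elif str(addr) not in accepted:  # drop duplicates, keep order
            accepted.append(str(addr))

    if not accepted:
        return None, rejected
    command = '!checkpoint-block-ip ip="{}" direction="{}" rulename="{}"'.format(
        ",".join(accepted), direction, rulename)
    return command, rejected


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges plus bad entries).
    sample = "203.0.113.7, 127.0.0.1, 10.0.0.5, not-an-ip, 203.0.113.7,198.51.100.20"
    cmd, bad = prepare_block_ip(sample, "xsoar-block", protected=["10.0.0.0/8"])
    print(cmd, bad)
```

Log the rejected entries to the War Room or the incident so that an analyst can see which feed values were withheld from the firewall.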
6. Use the Check Point Management API
Enables you to use the Check Point Management API. When using this command, the required format is: ‘command’=.
This command requires management server R80 or later.
Base Command
checkpoint
Input
There are no inputs for this command.
Context Output
There is no context output for this command.
7. Delete a rule
Deletes a rule from Check Point Firewall.
Base Command
checkpoint-delete-rule
Input
Argument Name | Description | Required |
---|---|---|
uid | The UID of the rule. | Optional |
name | The name of the rule. | Optional |
layer | The layer, for example: Network | Required |
Context Output
There is no context output for this command.
Troubleshooting
If you receive the following 400 Bad Request error when running the checkpoint-block-ip command, you need to disconnect (clear) all other sessions in the SmartConsole, even if they appear to be disconnected. In SmartConsole, navigate to Manage & Settings > Sessions > View Sessions.
400 Bad Request - Runtime error: An object is locked by another session