topic Re: Block Intruder via API call possible? in API / CLI Discussion

Block Intruder via API call possible?

Mark_Wheeler — Tue, 04 Jan 2022 20:14:09 GMT

Hi all

Our company is curently in the process of implementing a SOAR solution in order to automate our SOC.

We are looking for a way to block a certain connection automatically from our SOAR with an API call if necessary. I rember the feature "block intruder" and wanted to ask if this feature is available through the API in order to use it with a API call?

If this is not possible, what would be the recommended way in order to block all connections from a certain IP immediately without having to log on to Smart Console?

We are also using Tufin but only the SecureChange module as to my knowledge.

Regards and thanks in advance.

Mark

Re: Block Intruder via API call possible?

the_rock — Tue, 04 Jan 2022 21:58:31 GMT

Maybe others can chime in, but could below be something you are looking for?

https://community.checkpoint.com/t5/API-CLI-Discussion/Block-ip-address-using-api-rest/td-p/116382

Andy

Re: Block Intruder via API call possible?

PhoneBoy — Wed, 05 Jan 2022 00:21:42 GMT

There is a CLI command called fw samp that can be invoked on the gateways that will immediately block all connections from a specific IP.
You could potentially call this via the API (either the gaia-api directly to the gateway or indirectly through the management API).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112454
And: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/gaia-api~v1.8%20

Re: Block Intruder via API call possible?

Nir_Naaman — Mon, 10 Jan 2022 15:23:46 GMT

If you're looking for a solution that's orthogonal to SmartConsole/Management Server, the Infinity NDR Intel platform might be what you're looking for. Check out the Intel user guide at https://community.checkpoint.com/t5/CloudGuard-NDR/Infinity-NDR-Intel-User-Guide/m-p/131434. There's an API to go with it that we haven't widely published yet but is being used by customers and some Infinity Portal applications.

Gateways pull the indicators from NDR Intel via sk132193 Custom Intelligence Feeds. This does not require management server participation nor policy push.

Advantages

A single indicators database that supports multiple indicator types (IPv4, IPv6, IP ranges, URLs, domains, file hashes, mail fields, Snort rules, etc.)
Web-based user interface that allows viewing/searching/bulk-editing indicators
Automated input feeds with support for multiple feed formats and protocols
Support for multiple output data sets for different scenarios (e.g. different Check Point gateway versions)
IPs are blocked by SecureXL for scalable, high performance threat prevention

Disadvantages

Inbound blocking by source IP is only supported from gateway version R81
IPv6 only supported from gateway version R81
Application is not "immediate" but depends on the ioc_feeds poll frequency (minimum 30 seconds)
Available only to customers with an Infinity NDR/SOC license