Mark_Wheeler
Participant

Block Intruder via API call possible?

Hi all

Our company is currently in the process of implementing a SOAR solution in order to automate our SOC.

We are looking for a way to block a certain connection automatically from our SOAR with an API call if necessary. I remember the feature "block intruder" and wanted to ask if this feature is available through the API, in order to use it with an API call?

If this is not possible, what would be the recommended way in order to block all connections from a certain IP immediately without having to log on to Smart Console?

We are also using Tufin, but only the SecureChange module, to my knowledge.

Regards and thanks in advance.

Mark

3 Replies
the_rock
Champion

Maybe others can chime in, but could the below be something you are looking for?

https://community.checkpoint.com/t5/API-CLI-Discussion/Block-ip-address-using-api-rest/td-p/116382

Andy

PhoneBoy
Admin

There is a CLI command called fw samp that can be invoked on the gateways and will immediately block all connections from a specific IP.
You could potentially call this via the API (either the gaia-api directly to the gateway or indirectly through the management API).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/gaia-api~v1.8%20 

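The "indirectly through the management API" route from the reply above, as an added example: this is not code from the thread, from Check Point or from any SOAR vendor. It builds the fw samp command and delivers it with the documented Management API sequence login -> run-script -> logout, and it validates the SOAR-supplied address before it is ever placed in a shell command that runs as admin on the gateway. Assumptions to verify against the CLI reference and the SK linked above before production use: the exact `quota service any source cidr:<net> flush true` syntax of the SAM rule, the management hostname MGMT and the gateway object names in GATEWAYS.

```python
"""Push a SAM block to a gateway from a SOAR through the Management API.

Added example, not Check Point's or the thread's code. See the lead-in for
the assumptions (fw samp syntax, MGMT, GATEWAYS).
"""
import ipaddress
import json
import ssl
import urllib.request
from typing import Dict, List, Optional

MGMT = "https://mgmt.example.internal"   # assumed management server address
GATEWAYS = ["gw-dmz-01"]                  # assumed gateway object names (run-script "targets")


def build_samp_block(source: str, timeout_s: int = 3600) -> str:
    """Return the fw samp command that drops all connections from `source`.

    `source` is parsed with ipaddress, so a SOAR field containing shell
    metacharacters ("1.2.3.4; reboot") raises instead of reaching a root
    shell on the gateway. Over-wide prefixes and special-purpose addresses
    are refused so a bad enrichment result cannot blackhole the network.
    """
    net = ipaddress.ip_network(source, strict=False)  # "198.51.100.7" -> 198.51.100.7/32
    if net.version != 4 or net.prefixlen < 16:
        raise ValueError(f"refusing to block {net}: IPv4 with prefix >= /16 only")
    if net.is_loopback or net.is_unspecified or net.is_multicast:
        raise ValueError(f"refusing to block special-purpose range {net}")
    if not 0 < timeout_s <= 7 * 86400:
        raise ValueError("timeout must be between 1 s and 7 days")
    # -a d : action drop          -l r : regular log
    # -t   : expiry in seconds, so a forgotten block lifts itself
    # flush true : also tear down already-established connections (assumed syntax)
    return (f"fw samp add -a d -l r -t {timeout_s} "
            f"quota service any source cidr:{net.with_prefixlen} flush true")


def run_script_payload(command: str, targets: List[str] = GATEWAYS,
                       name: str = "soar-block-ip") -> Dict:
    """Body of POST /web_api/run-script; the script runs as admin on each target."""
    return {"script-name": name, "script": command, "targets": list(targets)}


def _post(path: str, body: Dict, sid: Optional[str] = None,
          ctx: Optional[ssl.SSLContext] = None) -> Dict:
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid          # session id returned by /login
    req = urllib.request.Request(MGMT + "/web_api" + path,
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def block_source(source: str, user: str, password: str,
                 timeout_s: int = 3600, cafile: Optional[str] = None) -> Dict:
    """Log in, run the block on every gateway, log out.

    run-script is asynchronous: the response carries one task-id per target,
    which the playbook should poll with show-task to confirm the command ran.
    """
    command = build_samp_block(source, timeout_s)    # validate before any network I/O
    ctx = ssl.create_default_context(cafile=cafile)  # trust the mgmt cert explicitly; never disable verification
    sid = _post("/login", {"user": user, "password": password}, ctx=ctx)["sid"]
    try:
        return _post("/run-script", run_script_payload(command), sid, ctx)
    finally:
        _post("/logout", {}, sid, ctx)
```

Use a dedicated API administrator for the SOAR whose permission profile allows nothing beyond running scripts on the relevant gateways, since run-script is effectively remote root on the target. SAM rules live outside the policy: they do not appear in the SmartConsole rulebase, so have the playbook record the rule it created and verify with `fw samp get` on the gateway (or a second run-script) rather than trusting the task-id alone.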
Nir_Naaman
Employee

If you're looking for a solution that's orthogonal to SmartConsole/Management Server, the Infinity NDR Intel platform might be what you're looking for. Check out the Intel user guide at https://community.checkpoint.com/t5/CloudGuard-NDR/Infinity-NDR-Intel-User-Guide/m-p/131434. There's an API to go with it that we haven't widely published yet but is being used by customers and some Infinity Portal applications.

Gateways pull the indicators from NDR Intel via sk132193 Custom Intelligence Feeds. This does not require management server participation nor policy push.

Advantages

  • A single indicators database that supports multiple indicator types (IPv4, IPv6, IP ranges, URLs, domains, file hashes, mail fields, Snort rules, etc.)
  • Web-based user interface that allows viewing/searching/bulk-editing indicators
  • Automated input feeds with support for multiple feed formats and protocols
  • Support for multiple output data sets for different scenarios (e.g. different Check Point gateway versions)
  • IPs are blocked by SecureXL for scalable, high performance threat prevention

Disadvantages

  • Inbound blocking by source IP is only supported from gateway version R81
  • IPv6 only supported from gateway version R81
  • Application is not "immediate" but depends on the ioc_feeds poll frequency (minimum 30 seconds)
  • Available only to customers with an Infinity NDR/SOC license
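The pull model described in the post above, as an added example that is not code from the thread, from Check Point or from the Infinity NDR Intel product. It generalises the post slightly: instead of NDR Intel, the SOAR itself renders the indicator file that the gateway's ioc_feeds poller fetches, and it shows the one consequence of that model a playbook author has to design around, namely that blocks are applied and lifted only at the next poll. Assumptions to verify against sk132193 before relying on them: the CSV column layout `#name,value,type,confidence,severity,product,comment`, the type names `IP`, `Domain` and `URL`, and `AB` as the product value; the sample indicators are constructed.

```python
"""Render a custom-indicator feed for a gateway to pull (sk132193 mechanism).

Added example, not Check Point's or the thread's code. The column layout,
type names and product value are assumptions; see the lead-in.
"""
import csv
import io
import ipaddress
import re
import time
from dataclasses import dataclass
from typing import List, Optional

HEADER = ["#name", "value", "type", "confidence", "severity", "product", "comment"]
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass
class Indicator:
    name: str          # unique within the feed (assumed requirement of the format)
    value: str
    comment: str
    expires_at: float  # epoch seconds; the SOAR derives it from the case, e.g. now + 24h


def classify(value: str) -> str:
    """Map a raw indicator to a feed type; anything else is refused."""
    try:
        addr: Optional[ipaddress._BaseAddress] = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            raise ValueError(f"refusing to publish special-purpose address {value}")
        return "IP"
    if value.startswith(("http://", "https://")):
        return "URL"
    if DOMAIN_RE.match(value.lower()):
        return "Domain"
    raise ValueError(f"unsupported indicator: {value!r}")


def render_feed(indicators: List[Indicator], now: Optional[float] = None) -> str:
    """Render the feed as the gateway will fetch it right now.

    Expired entries are simply omitted: the gateway drops indicators that
    vanish from the feed on its next poll, so both block and unblock latency
    equal the ioc_feeds interval (minimum 30 s per the post above).
    """
    now = time.time() if now is None else now
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    seen = set()
    for ind in indicators:
        if ind.expires_at <= now:
            continue
        if ind.name in seen:
            raise ValueError(f"duplicate indicator name {ind.name}")
        if any(ch in field for field in (ind.name, ind.comment) for ch in ",\r\n"):
            raise ValueError("name/comment must not contain commas or newlines")
        seen.add(ind.name)
        writer.writerow([ind.name, ind.value, classify(ind.value),
                         "high", "high", "AB", ind.comment])
    return out.getvalue()


def sample_feed(now: float) -> str:
    """Constructed sample: two live indicators and one that has already expired."""
    sample = [
        Indicator("soar-case-41-ip", "198.51.100.7", "blocked by SOAR case 41", now + 3600),
        Indicator("soar-case-41-dom", "malware.example", "C2 domain from case 41", now + 3600),
        Indicator("soar-case-39-ip", "203.0.113.9", "case 39 closed", now - 1),
    ]
    return render_feed(sample, now)
```

Serve the rendered text over HTTPS from the SOAR with a stable URL and register that URL on the gateways as a feed; because the gateway re-reads the whole file each interval, the SOAR only has to keep the current set of live indicators correct, and a closed case is unblocked by letting its entry expire rather than by a second API call.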