1) Purpose:
Utilize SmartEvent's Automatic Reaction feature to automatically execute a response script when specific attack events (such as Nikto scans) are detected, enhancing automation and real-time threat response.
2) Use Case:
A. Security administrators want to automatically block source IPs upon detecting intrusion behaviors like Nikto Security Scanner scans.
B. Integrates SmartEvent’s event detection with custom scripts to enable fast and automated response without manual intervention.
C. Ideal for test or production environments requiring immediate mitigation of known attack patterns, along with response logging.
3) Requirements:
SmartEvent Server and SmartEvent Correlation Unit must be deployed and enabled.
The relevant attack event (e.g., Nikto scan) must be identifiable in the logs and captured by the Correlation Unit.
An Automatic Reaction rule must be configured and linked to a script (the script should be placed in $RTDIR/bin/ext_commands/ on the SmartEvent Server and granted executable permissions).
Will test it in the lab. Does it create a feed with bad IP addresses?
Andy
Yes, it is recommended to create a drop policy in advance, using a predefined address group as the source. This group will be used to store IP addresses from the malicious IP feed.
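A sketch of the kind of reaction script discussed above, added here as an illustration; it is not the original poster's script or Check Point code. It assumes the event reaches the script as "name: value;" text with a nested "Source: (... IP: ...)" set; the feed path, the allowlist entries and the sample event are constructed, and how the drop rule consumes the feed is not shown on the page.

```shell
#!/bin/sh
# Added example: validate the event's source IP before it ever reaches a block list.
FEED="${FEED:-/home/admin/blocked_ips.txt}"   # hypothetical feed file behind the drop rule
LOG="${LOG:-/home/admin/ext_script.txt}"      # log file named in the thread
ALLOW="${ALLOW:-10.0.0.1 192.168.1.1}"        # constructed: addresses that must never be blocked

log() { printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG"; }

# Print the IP found inside the event's "Source: ( ... )" set (assumed layout).
extract_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.*Source: *(\([^)]*\)).*/\1/p' |
        sed -n 's/.*IP: *\([0-9.]*\).*/\1/p' | head -n 1
}

# Accept only dotted-quad IPv4 with four octets in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# Guard against blocking our own infrastructure from a spoofed or mistaken event.
allowlisted() { for a in $ALLOW; do [ "$a" = "$1" ] && return 0; done; return 1; }

# Returns 0 if the IP was added, 1 if the event was rejected or the IP is already listed.
handle_event() {
    ip=$(extract_src_ip "$1")
    valid_ipv4 "$ip" || { log "skip: no valid source IP in event"; return 1; }
    allowlisted "$ip" && { log "skip: $ip is allowlisted"; return 1; }
    grep -qxF "$ip" "$FEED" 2>/dev/null && { log "skip: $ip already in feed"; return 1; }
    printf '%s\n' "$ip" >> "$FEED" && log "added $ip to feed"
}

# Demo on a constructed event, writing to a temporary directory instead of /home/admin.
# Assumption: when installed, the demo call would be replaced by: handle_event "$(cat)"
demo() (
    d=$(mktemp -d); FEED="$d/feed.txt"; LOG="$d/log.txt"
    ev='(Name: Nikto Security Scanner; Severity: High; Source: (hostname: scanner; IP: 203.0.113.45); )'
    handle_event "$ev"; handle_event "$ev" || echo "second call ignored as duplicate"
    cat "$FEED" "$LOG"; rm -rf "$d"
)
demo
```

Every decision, including skipped events, is written to the log, so a run that stops early leaves a line showing which check it reached.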
I assume it's run on mgmt server?
Andy
Will try in the morning...cheers. Thank you!
Andy
Just ran it in my R82 mgmt lab and when I invoke the script, it never finishes, not sure why. I followed the exact steps you outlined.
Andy
Here are a few things you can check:
1. You can run cat /home/admin/ext_script.txt on the management server to view the full execution log of the script and identify where it might be hanging.
2. If there's no log output at all, please double-check that the User Defined Event Policy is properly configured and deployed. The event may not be triggering the Automatic Reaction as expected.
3. Also, verify that the IPS logs are indeed being generated and that the "attack information" field contains the keyword "xxx(Nikto Security Scanner)", as this is required for the script trigger condition.
I get below.
Andy
[Expert@CP-MANAGEMENT:0]# cat /home/admin/ext_script.txt
2025-07-24 08:08:11 - ===== 新事件触发 =====
[Expert@CP-MANAGEMENT:0]#
Hi @xp, please add some description: use case, purpose, requirements, etc.