This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
The videos played during this session are available separately below the Q&A.
Is Horizon Playblocks a SOAR?
Playblocks is not a SOAR system, it’s much more simple to onboard and to operate, and it’s designed to work with Check Point products much better, simpler and faster than any other SOAR systems who works with Check Point products. It’s important to emphasize that any SOAR system can integrate with Playblocks and run automations, for example to block IPs, to isolate Endpoints etc.
Our current focus with Playblocks is on out of the box response flows. In the coming months, we expect to allow for custom response flows. At first, we plan to provide the option to configure a custom filter of logs to trigger notifications. Later on, we expect to allow more levels of customization, including the ability to design custom flows from scratch.
How can I demo this to clients?
If you have access to Demopoint, we have a demo available there to show. Customers can reach out to their local Check Point office for a demo.
Do you know when you will have the Microsoft Defender connector available? Can you explain how the MS Defender connector will be used? Will it allow the gateway to isolate an endpoint?
Currently expected at the end of 2023. We expect it to perform operations such as isolate, kill process, delete file, and more - either on demand or as part of automated remediation response.
Will this be integrated with CNAPP for responses?
Yes, this is part of the roadmap.
Will this eventually replace responses I can configure with SmartEvent?
These are complimentary products.
SmartEvent works with your on-premise management for Gateways and Endpoint. It leverages SAM rules for automated responses, which is more complex and has many limitations. It also leverages
Playblocks operates in Infinity Portal, which can be connected to your on-premise management in R81.10 (with JHF). Blocking on Quantum Secutity Gateways is handled through a regular Access Policy that includes specific Data Center objects that continuously update without a policy installation required once set up. Playblocks is required for automated responses when using Smart-1 Cloud.
We use Cisco Webex App for internal instant message. Is this on the roadmap to include for communications?
Playblocks can easly integrate with any product, we are planning to collaborate with more communications platforms.
Can we use playblocks on our Multi-domain environment.. I mean consolidating all CMA on single Infinity playblocks tenant?
Once it will be supported to connect all CMAs to one account (in Infinity Services), Playblocks will support that too. At current, you have to attach each CMA/Domain to a different Infinity Portal tenant.
Did you face scenarios where Horizon Playblocks block legitimate traffic due to false positive alerts?
Horizon Playblocks actions are triggered off log events by the relevant Software Blades, which are ultimately responsible for detecting the relevant events. The amount of false positives will depend on your Threat Prevention configuration, which with our default profiles, should be low. In Playblocks, we take the additional step of enriching the IP(s) with data from ThreatCloud and confirming the IP is malicious per ThreatCloud.
Is it possible to have the enforcements shared between customers - an IPS attack is seen and the source IP is then blocked on a customers gateways. can this source IP be added to the block list on a different customers gateways given its been identified as malicious?
By design, we block on the tenant level. For shared IOCs, it may be worthwhile to look at Horizon NDR which can be used to share IoCs among many customers.
If we enable this automation, how much it is resource intensive and how the false positive % for the detection ?
If the Management is running on-prem, we query it periodically to look for events. Although we do it with relatively high frequency (to react in "real time" as much as possible), the overhead/impact is negligible since the queries are very thin and focus on short time. Regarding false positive -> we have many customers who use it for months and we haven't witnessed false positives. Keep in mind we always enrich the IP before we block it, to check if it's malicious according to ThreatCloud
If we have a Maestro gateway with the licensing tier that provides all currently available blades, is Playblocks included or still an extra?
It's offered as a new blade that needs to be purchased. SKU and all its details are available on the product catalog
For blocking attaching by IPS wth high confidence, do you need your the IPS signature for that type of IPS event to be set to prevent or detect?
As long as you have IPS enabled on your gateways and we will find log that match the attacks we looking for, the automation will be triggered.
Is there any chance to run automation only one or named GWs? Now it looks you cannot choose where to run it.
We read the events from all Gateways, but the enforcement can be selective -> In Quantum Enforcement you can choose if you want to enforce Playblocks on all Gateways or only some.
Is it possible to define different connectors for different playbooks in future?
You can already control who will get the notifications and in what platform (email, SMS , teams, slack ) and you can define it differently for each automation.
How would you envision Playblocks functionality for Harmony Endpoint workstations that are not working on-Prem?
We already have many flows related to operations of Harmony Endpoint such as Isolate, de-isolate etc. However, we are not updating the Firewall on the Harmony Endpoint clients as we do with Quantum Security Gateways.
