Check Point

Overview

The Security Flow Check Point plugin automates Check Point network analysis and firewall management.

Functionality

This plugin supports operations that allow you to:

  • Add a domain to a block list
  • Remove a domain from a block list
  • Send broadcast block/unblock domain events to any plugin configured to listen for the broadcast

Instance Configuration Parameters

| Property | Description |
| --- | --- |
| Instance Name | Name for Check Point instance. |
| Unique ID | Unique name for the Check Point Instance. |
| Server | IP or hostname where Check Point is running. |
| User Name | Valid user name for the Check Point server. |
| Password | Valid password for the user name on the Check Point server. |
| Password Confirmation | Confirm valid password for the user name on the Check Point server. |

Broadcast Settings

| Property | Description |
| --- | --- |
| Listen for Unblock Broadcast Events | Enabled by default. Broadcasts a DXL event to unblock the domain. |
| Listen for Block Broadcast Events | Enabled by default. Broadcasts a DXL event to block the domain. |

Flow Nodes

The DXL Check Point node is a helper node that appends DXL topic and DXL message information to the received message. The node properties are in the following table.
Property
Description

Name

The display name of the node within the flows.


Unique ID

ID name for the specific Check Point instance. This ID is part of the DXL service name: “/nevelexlabs/service/checkpoint/[unique_id]”.


Action

This field provides the ability to:

  • Add Block – add a domain to the block list,
  • Delete Block – remove a domain from the block list.

Source Domain

Specifies the domain to be blocked or unblocked. The domain can be a domain name (nevelex.com), an IP address (10.10.10.1) or an IP address range (10.1.2.3-10.4.5.6). This field defines the location from the message, flow, global, or JavaScript expression to use as the data source for the list operation. The node context can also be changed. The following contexts are supported:

  • msg. – This selects part of the incoming message as the source of the data. This is the typical choice.
  • flow. – This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
  • global. – This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
  • J: expression – JSONata expression language to perform query and transform operations on the payload.

Options

Checkbox to include subdomains in the block/unblock.
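
The three accepted Source Domain forms can be checked before a value is handed to the node. The following is an added example, not plugin code: classifySourceDomain, ipv4ToInt and the returned object shape are hypothetical names, and reporting the size of a range is an addition so a flow can refuse an unexpectedly large one.

```javascript
// Added example: hypothetical helpers, not part of the plugin.
// Accepts only the three forms listed for Source Domain above.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or null.
function ipv4ToInt(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // Reject empty, zero-padded or over-long octets such as "", "01", "1000".
    if (!/^(0|[1-9]\d{0,2})$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// One DNS label: 1-63 letters, digits or hyphens, not starting or ending with "-".
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function classifySourceDomain(raw) {
  if (typeof raw !== 'string') return { kind: 'invalid', reason: 'not a string' };
  const value = raw.trim().toLowerCase();

  if (/^[\d.]+$/.test(value)) { // digits and dots only: must be an IPv4 address
    return ipv4ToInt(value) === null
      ? { kind: 'invalid', reason: 'malformed IPv4 address' }
      : { kind: 'ip', value };
  }
  if (/^[\d.]+-[\d.]+$/.test(value)) { // two addresses joined by "-"
    const [start, end] = value.split('-').map(ipv4ToInt);
    if (start === null || end === null) return { kind: 'invalid', reason: 'malformed IPv4 range' };
    if (start > end) return { kind: 'invalid', reason: 'range start is above range end' };
    return { kind: 'range', value, size: end - start + 1 };
  }
  // Otherwise a domain name: at least two labels, last label not purely numeric.
  const labels = value.split('.');
  const ok = value.length <= 253 && labels.length >= 2 &&
    labels.every((label) => LABEL.test(label)) && /[a-z]/.test(labels[labels.length - 1]);
  return ok ? { kind: 'domain', value } : { kind: 'invalid', reason: 'malformed domain name' };
}
```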

The NevLabs-Broadcast-Domain-Action node broadcasts a domain block/unblock event to all plugins configured to listen to them; currently block/unblock nodes can be sent to Infoblox, McAfee Web Gateway (MWG), and Checkpoint plugins. The node properties are in the following table.
Property
Description

Name

The display name of the node within the flows. This can be any name and is the name used to identify this node.


Action

Block or Unblock for blocking or unblocking the domain named below. Currently the Block/Unblock Broadcast nodes are sent to the following plugins when the plugins are configured to listen for them: InfoBlox, McAfee Web Gateway (MWG), and Checkpoint:

  • Block – Broadcasts a DXL event to block the domain configured by Domain
  • Unblock – Broadcasts a DXL event to unblock the domain configured by Domain

Domain

Specifies which domain is to be blocked or unblocked (applies to all plugins configured to listen).

JSON Message Format

The following samples show the JSON content added to the message payload, which conforms to the Node Messaging Format. The content exists within the checkpoint object.

Login Success

The italicized, green text is inserted into the message payload upon a successful request.

"payload": {
    "checkpoint": {
      "uid": "ea6b168b-87d8-4ab6-9a8c-89c422dbde88",
      "name": ".www.example.com",
      "type": "dns-domain",
      "domain": {
        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "name": "SMC User",
        "domain-type": "domain"
      },
      "meta-info": {
        "lock": "unlocked",
        "validation-state": "ok",
        "last-modify-time": {
          "posix": 1478675596098,
          "iso-8601": "2016-11-09T09:13+0200"
        },
        "last-modifier": "aa",
        "creation-time": {
          "posix": 1478675596098,
          "iso-8601": "2016-11-09T09:13+0200"
        },
        "creator": "aa"
      },
      "tags": [],
      "read-only": true,
      "comments": "",
      "color": "black",
      "icon": "Objects/domain",
      "is-sub-domain": false
    }
}

Add Domain Success

The italicized, green text is inserted into the message payload upon a successful request. In this example the domain name to add is “www.example.com”:

"payload": {
    "checkpoint": {
        "uid": "session uid (used in add-access-rule and publish)",
        "name": "www.example.com",
        "type": "dns-domain",
        "domain": {
            "uid": "domainuid",
            "name": "domain user",
            "domain-type": "domain type"
        },
        "meta-info": {
            "lock": "unlocked or locked",
            "validation-state": "ok",
            "last-modify-time": {
               "posix" : "time in posix format",
               "iso-8601" : "time in iso format"
            },
            "last-modifier": "a uid",
            "creation-time": {
               "posix" : "time in posix format",
               "iso-8601" : "time in iso format"
            },
            "creator": "a uid"
        },
        "tags": [],
        "read-only": true or false,
        "comments": "",
        "color": "black",
        "icon": "Objects/domain",
        "is-sub-domain": true or false
    }
}

Delete Success

The italicized, green text is inserted into the message payload upon a successful request.

"payload": {
    "checkpoint":
        {
           "message" : "OK"
        }
}

Error

The italicized, maroon text is inserted into the message payload upon a failed request.

"payload": {
    "checkpoint": {
        "message": " run-time error (such as License Expired)"
    }
}
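
A downstream node can sort the checkpoint object into the outcomes documented above so that a failed request is never recorded as a completed block. This is an added example, not plugin code: classifyCheckpointResult, sameDomain, changeConfirmed and the outcome names are hypothetical, and ignoring one leading dot when comparing names is an assumption based on the two sample objects.

```javascript
// Added example: hypothetical helpers, not part of the plugin.

// Compare names ignoring case and one leading dot (assumption: the samples
// above show the object name as ".www.example.com" and as "www.example.com").
function sameDomain(a, b) {
  const norm = (s) => String(s).trim().toLowerCase().replace(/^\./, '');
  return norm(a) === norm(b);
}

function classifyCheckpointResult(msg, requestedDomain) {
  const cp = msg && msg.payload && msg.payload.checkpoint;
  if (cp === null || typeof cp !== 'object' || Array.isArray(cp)) {
    return { outcome: 'missing', detail: 'no payload.checkpoint object' };
  }
  // Delete Success is exactly {"message": "OK"}.
  if (cp.message === 'OK' && Object.keys(cp).length === 1) {
    return { outcome: 'deleted' };
  }
  // Any other message is the Error shape: surface the text, never assume success.
  if (typeof cp.message === 'string') {
    return { outcome: 'error', detail: cp.message.trim() };
  }
  // Add Domain Success returns the created dns-domain object.
  if (cp.type === 'dns-domain' && typeof cp.uid === 'string' && typeof cp.name === 'string') {
    if (!sameDomain(cp.name, requestedDomain)) {
      return { outcome: 'mismatch', detail: `object is ${cp.name}, requested ${requestedDomain}` };
    }
    return { outcome: 'added', uid: cp.uid, isSubDomain: cp['is-sub-domain'] === true };
  }
  return { outcome: 'unknown', detail: 'unrecognized checkpoint content' };
}

// Fail closed: only these two outcomes mean the requested change took effect.
function changeConfirmed(result) {
  return result.outcome === 'added' || result.outcome === 'deleted';
}
```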

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.
