Lieutenant
Lieutenant
273 views

Prevent IP activity by SIEM ArcSight command on CheckPoint Firewall

Hi All,

I made an utility to integrate SIEM ArcSight with CheckPoint Firewall to provide fast block of malicious activity.

Automatic Remediation Tool allows SIEM ArcSight execute command on CheckPoint Firewall to block attacker IP address in case of detected attack, based on SIEM logs or correlated events .

If some device (IDS\IPS\WAF…), connected to SIEM, detects an attack from IP address or C&C communication, you can create ArcSight rule to provide automatic reaction: block Attacker IP as source and destination of IPv4 traffic on your CheckPoint Firewall.

NewDiagram.jpg

Automatic Remediation Tool will receive IP address from SIEM, and send command to Firewall using CheckPoint SAM Rules (sk112061). 

Utility should be placed on separate server from ESM and CheckPoint Security Management Server. It connects to CheckPoint SMS using SSH and use CEF File SmartConnector to communicate with ESM.

Utility includes easy configuration script and logging in Common Event Format.

You can find more information on Micro Focus ArcSight Marketplace or contact with me on Community or privately **PERSONAL INFORMATION REMOVED**

You can also watch demonstration video.

Hope you will enjoy it.

Labels (1)
0 Replies
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.