Thank you for sharing.
Here's how I use QRadar SIEM and the Fortinet API.
1. Confirm the data that QRadar SIEM provides.
2. Confirm the actions on the firewall and whether the commands are executable.
3. Confirm whether the firewall supports the REST API for Fortinet.
4. Determine how to verify that your API call was successful.


------------------------------
界佑 陳
------------------------------
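The four checks listed above, and the original question at the bottom of the thread about whether a custom action can pass source and destination IPs to a firewall API, as an added example that is not code from any poster in this thread. It assumes QRadar passes the selected event properties to the script as positional arguments (source IP, then destination IP), that the firewall exposes a JSON REST endpoint at a placeholder URL, and that it accepts a bearer token read from the environment; the endpoint, the JSON field names and the protected address ranges are all assumptions to be replaced with the vendor's documented API.

```python
#!/usr/bin/env python3
"""Template for a QRadar custom action script that asks a firewall to block traffic.

Assumptions (not from the thread): QRadar passes the selected event properties to
the script as positional arguments in the order <source IP> <destination IP>, the
firewall exposes a JSON REST endpoint at FIREWALL_API_URL, and it accepts a bearer
token read from the environment. Replace these with the vendor's documented API
(FMC, FortiGate, Check Point SAM, ...) before use.
"""
import ipaddress
import json
import os
import sys
import urllib.error
import urllib.request

FIREWALL_API_URL = "https://firewall.example.invalid/api/v1/block"  # placeholder
TOKEN_ENV_VAR = "FW_API_TOKEN"      # the token is never hard-coded in the script
DEFAULT_TTL_SECONDS = 3600          # auto-expiring blocks limit damage from false actions

# Constructed example: ranges the script must never block (management, internal nets).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_ip(value):
    """Return an ip_address object for a strictly valid IP string, else None.

    QRadar hands event fields to the script unchanged, so treating them as
    untrusted input keeps a crafted field from becoming shell or API injection.
    """
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_blockable(ip):
    """Refuse to block addresses that would cut off our own infrastructure."""
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        return False
    return not any(ip in net for net in NEVER_BLOCK)


def build_block_request(src, dst, ttl_seconds=DEFAULT_TTL_SECONDS):
    """Build the JSON body. The field names are a generic shape, not a vendor schema."""
    return {"action": "deny", "source": src, "destination": dst,
            "ttl_seconds": ttl_seconds, "comment": "QRadar custom action"}


def submit_block(payload, dry_run=False):
    """POST the block request; return a dict describing the outcome (step 4 above)."""
    if dry_run:
        return {"status": "dry-run", "payload": payload}
    token = os.environ.get(TOKEN_ENV_VAR)
    if not token:
        return {"status": "error", "detail": f"{TOKEN_ENV_VAR} not set"}
    req = urllib.request.Request(
        FIREWALL_API_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            # Judge success by the HTTP status, not merely by the absence of an exception.
            return {"status": "ok" if 200 <= resp.status < 300 else "error",
                    "http_status": resp.status, "body": resp.read().decode(errors="replace")}
    except urllib.error.URLError as exc:
        return {"status": "error", "detail": str(exc)}


def run(argv, dry_run=False):
    """Entry point used by the custom action; returns the process exit code."""
    if len(argv) != 2:
        print("usage: block_ip.py <source_ip> <destination_ip>", file=sys.stderr)
        return 2
    src, dst = parse_ip(argv[0]), parse_ip(argv[1])
    if src is None or dst is None:
        print(f"rejected: invalid IP argument {argv!r}", file=sys.stderr)
        return 2
    if not is_blockable(src):
        print(f"rejected: {src} is in a protected range", file=sys.stderr)
        return 3
    result = submit_block(build_block_request(str(src), str(dst)), dry_run=dry_run)
    print(json.dumps(result))       # ends up in the custom action's log output
    return 0 if result["status"] in ("ok", "dry-run") else 1


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    sys.exit(run(args, dry_run="--dry-run" in sys.argv))
```

The dry-run switch lets the script be exercised from the custom action test dialog without touching the firewall, and the time-limited block plus the never-block list address the false-action problem Karl describes: a wrong shun expires on its own and can never hit an internal or management address.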
Original Message:
Sent: Wed October 08, 2025 07:12 AM
From: Karl Jaeger
Subject: custom action script block a traffic on firewall
Hi,
I have done this for a customer years ago and used it as an example in my lectures for training. Warning: after successful testing we deactivated it because of too many false actions. The blocking addresses were based on an IPS device. Here is what you have to do: define a custom action for your shunning script talking to your firewall. Check Point does provide a special CLI language for that purpose called SAM. Select that script in your rule dealing with your top offenses. Check the screenshots enclosed for details. Unfortunately I can't share the py script, but basically just follow sk97306.
------------------------------
[Karl] [Jaeger] [#ibmchampion]
[QRadar Specialist]
Original Message:
Sent: Thu December 05, 2019 05:51 AM
From: s 3k
Subject: custom action script block a traffic on firewall
Thanks Chinmay.
Any others experienced in implementing a solution? I am looking for hints on how it was orchestrated. I would like to know whether (and how) QRadar passes the source IP / dest IP and invokes the firewall API, if that is possible at all.
------------------------------
s 3k
Original Message:
Sent: Thu December 05, 2019 03:22 AM
From: Chinmay Kulkarni
Subject: custom action script block a traffic on firewall
Hi @s 3k,
I have not done it in my environment yet but it should be possible. QRadar can pass source IP and dest IP in the API calls.
------------------------------
Chinmay Kulkarni
Original Message:
Sent: Wed December 04, 2019 05:42 AM
From: s 3k
Subject: custom action script block a traffic on firewall
I would like to know if anyone has done something similar. I want QRadar to connect to the firewall over the API and tell the firewall to drop that traffic.
We use Cisco Firepower Management Center (FMC), which supports API access to the firewall. Can a QRadar custom action call the API and pass the destination IP value to the firewall to drop the traffic?
------------------------------
s 3k
------------------------------