Thanks for your question. Yes, you can! This is one of our boot camp samples for shunning, using a custom action script for SAM rules inside Check Point.
The only problem is that you need to log in to your firewall first, which can only be done outside the QRadar script container.
The workaround for this problem is to store the IP addresses inside a reference set and read the updated set using a second script with the REST API, scheduled once per minute from outside the script container in order to work around the jail.
Please refer to the PDF attached.
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
------------------------------
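The polling half of the workaround described in the reply above, as an added example that is neither the reply's own script nor the content of the attached PDF: a script meant to run from outside the QRadar script container (e.g. from cron once a minute) reads the reference set over the REST API, keeps only valid addresses, and hands each address it has not seen before to a blocking callback. The set name CP_BLOCK_IPS, the console host, the SEC token, the exact JSON shape of the reference-set response, and the `block` callback (which stands in for the firewall login and SAM rule step) are assumptions.

```python
import ipaddress
import json
import urllib.request
from typing import Callable, Set

# Constructed sample in the shape of GET /api/reference_data/sets/<name>
# (shape assumed from the QRadar REST API; the addresses are made up).
SAMPLE_RESPONSE = json.dumps({
    "name": "CP_BLOCK_IPS",
    "element_type": "IP",
    "data": [
        {"value": "192.168.1.1", "source": "custom action"},
        {"value": "10.0.0.5", "source": "custom action"},
        {"value": "not-an-ip", "source": "typo"},
    ],
})

def fetch_reference_set(console: str, token: str, name: str) -> str:
    """Read the set over the REST API from outside the script jail.
    Console host, SEC token and set name are assumptions for this example."""
    req = urllib.request.Request(
        f"https://{console}/api/reference_data/sets/{name}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def parse_reference_set(body: str) -> Set[str]:
    """Return only the syntactically valid addresses in a reference-set body."""
    ips: Set[str] = set()
    for entry in json.loads(body).get("data", []):
        try:
            ips.add(str(ipaddress.ip_address(entry.get("value", ""))))
        except ValueError:
            continue  # never hand a non-address string to the firewall
    return ips

def sync_blocks(body: str, already_blocked: Set[str],
                block: Callable[[str], None]) -> Set[str]:
    """Block each address not seen before; returns the newly blocked ones.
    `block` stands in for the firewall login + SAM rule step that the reply
    says cannot run inside the QRadar script container."""
    fresh = parse_reference_set(body) - already_blocked
    for ip in sorted(fresh):
        block(ip)
    already_blocked.update(fresh)  # persist this set between the per-minute runs
    return fresh
```

The `already_blocked` set must be persisted (a file or database) between runs, otherwise every invocation re-blocks the whole reference set.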
Original Message:
Sent: Sun January 23, 2022 09:12 PM
From: MAC starter
Subject: Incident response with Checkpoint
Hi
I have one QRadar system receiving logs from Check Point, but I need to do more about incident response. After QRadar creates an offense, can we send it to Check Point to build a policy that blocks the traffic?
For example, QRadar sees brute-force traffic from IP 192.168.1.1 and creates an offense. QRadar sends this offense to Check Point to block any traffic from source IP 192.168.1.1. Does this require any 3rd-party software? Is it possible to apply this case on an existing system?
Thanks in advance
------------------------------
MACs
------------------------------