Check Point Firewall
This pack includes Cortex XSIAM content.
Check Point Firewall
- Details
- Content
- Dependencies
- Version History
Manage Check Point firewall via API
Check Point Firewall
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure Check Point to forward Syslog messages in CEF format.
Go to Checkpoint Log Export, and follow the instructions under Basic Deployment to set up the connection using the following guidelines:
- If you use version R77.30 or R80.10, follow the instructions to install a Log Exporter.
- Set the Syslog port to 514 or your agent port.
- Replace the name and <target-server IP address\> in the CLI with the broker VM name and IP address.
Set the format to CEF.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Right-click, and select Syslog Collector > Configure.
- When configuring the Syslog Collector, set the following values:
- vendor as vendor - Auto-Detect
- product as product - Auto-Detect
Automations
| Name | Description |
|---|---|
| CheckpointFWCreateBackup | Deprecated. Use ssh command instead. Connect to a Check Point firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built-in Check Point CLI. For more information, consult the CheckPoint documentation. |
| CheckPointDownloadBackup | Deprecated. Use ssh command instead. Downloads the Check Point policy backup to the Cortex XSOAR War Room. |
| CheckpointFWBackupStatus | Deprecated. Use ssh command instead. Connect to a CheckPoint firewall appliance using SSH and retrieve the status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built-in CheckPoint CLI. For more information, consult the CheckPoint documentation. |
Integrations
| Name | Description |
|---|---|
| CheckPoint Firewall v2 | Use this integration to read information and send commands to the Check Point Firewall server. |
| Check Point Firewall (Deprecated) | Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API |
Playbooks
| Name | Description |
|---|---|
| Checkpoint - Block IP - Custom Block Rule | This playbook blocks IP addresses using Custom Block Rules in Check Point Firewall. |
| Checkpoint - Publish&Install configuration | Publish the Check Point Firewall configuration and install policy on all available gateways. |
| Checkpoint - Block URL | This playbook blocks URLs using Check Point Firewall through Custom URL Categories. |
| Checkpoint - Block IP - Append Group | The playbook receives malicious IP addresses as inputs, checks if the object group exists (if not, the object group is created), and appends the related IPs to that object. If you have not assigned the appended group to a rule in your firewall policy, you can use |
Automations
| Name | Description |
|---|---|
| CheckPointDownloadBackup | Deprecated. Use ssh command instead. Downloads the Check Point policy backup to the Cortex War Room. |
| CheckpointFWBackupStatus | Deprecated. Use ssh command instead. Connect to a CheckPoint firewall appliance using SSH and retrieve the status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built-in CheckPoint CLI. For more information, consult the CheckPoint documentation. |
| CheckpointFWCreateBackup | Deprecated. Use ssh command instead. Connect to a Check Point firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built-in Check Point CLI. For more information, consult the CheckPoint documentation. |
Integrations
| Name | Description |
|---|---|
| Check Point Firewall (Deprecated) | Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API |
| CheckPoint Firewall v2 | Use this integration to read information and send commands to the Check Point Firewall server. |
Modeling Rules
| Name | Description |
|---|---|
CheckPoint Firewall Collection |
Playbooks
| Name | Description |
|---|---|
| Checkpoint - Block IP - Append Group | The playbook receives malicious IP addresses as inputs, checks if the object group exists (if not, the object group is created), and appends the related IPs to that object. If you have not assigned the appended group to a rule in your firewall policy, you can use |
| Checkpoint - Block URL | This playbook blocks URLs using Check Point Firewall through Custom URL Categories. |
| Checkpoint - Block IP - Custom Block Rule | This playbook blocks IP addresses using Custom Block Rules in Check Point Firewall. |
| Checkpoint - Publish&Install configuration | Publish the Check Point Firewall configuration and install policy on all available gateways. |
Required Content Packs (4)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Playbooks | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Remote Access | By: Cortex XSOAR |
Optional Content Packs (0)
| Pack Name | Pack By |
|---|
All level dependencies (8)
| Pack Name | Pack By |
|---|---|
| Common Playbooks | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
| Remote Access | By: Cortex XSOAR |
| Rasterize | By: Cortex XSOAR |
| Aggregated Scripts | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Filters And Transformers | By: Cortex XSOAR |
2.4.0 - 10224262 (June 16, 2026)
- 44054
Download
Integrations
CheckPoint Firewall v2
- Added support for the following commands:
- checkpoint-access-section-delete, that deletes the specified access section.
- checkpoint-access-section-get, that shows an existing access section using object name or UID.
- checkpoint-access-section-add, that adds a new access section.
- checkpoint-service-group-add, that adds a new service group object.
- checkpoint-service-group-get, that shows an existing service group object using object name or UID.
- checkpoint-service-group-update, that updates the specified service group object.
- checkpoint-service-group-list, that gets a list of all service group objects.
- checkpoint-service-group-delete, that deletes the specified service group object.
- checkpoint-access-section-update, that updates the specified access section.
- checkpoint-service-group-clone, that clones an existing service group object.
- checkpoint-nat-rule-update, that updates an existing NAT rule.
- checkpoint-network-add, that creates a new network object.
- checkpoint-icmp-service-update, that updates an existing icmp service object.
- checkpoint-udp-service-update, that updates an existing udp service object.
- checkpoint-network-update, that updates an existing network object.
- checkpoint-nat-rule-get, that gets full data for the specified nat rule.
- checkpoint-tcp-service-add, that creates a new tcp service object.
- checkpoint-icmp-service-add, that creates a new icmp service object.
- checkpoint-nat-rule-list, that retrieves a list of nat rules from the rule base.
- checkpoint-service-delete, that deletes a service object.
- checkpoint-network-list, that retrieves a list of network objects.
- checkpoint-service-get, that gets full data for the specified service object.
- checkpoint-service-list, that retrieves a list of service objects. When an identifier is provided, returns a single service object.
- checkpoint-tcp-service-update, that updates an existing tcp service object.
- checkpoint-nat-rule-delete, that deletes a nat rule.
- checkpoint-udp-service-add, that creates a new udp service object.
- checkpoint-network-delete, that deletes a network object.
- checkpoint-nat-rule-add, that adds a new nat rule.
- checkpoint-network-get, that gets full data for the specified network object.
- Added support for the profile_action, color, and tags arguments in the checkpoint-threat-indicator-update command.
- Added support for the domain_names, filter, and details_level arguments in the checkpoint-threat-indicator-list command.
- Added support for the color, comments, and tags arguments in the checkpoint-application-site-update command.
- Added support for the details_level argument in the checkpoint-host-get command.
- Added support for the nat_auto_rule, nat_ip, nat_hide_behind, nat_install_on, nat_method, comments, color, and tags arguments in the checkpoint-address-range-add command.
- Added support for the color, details_level, and tags arguments in the checkpoint-group-update command.
- Added support for the details_level and domains_to_process arguments in the checkpoint-host-list command.
- Added support for the details_level and show_hits arguments in the checkpoint-access-rule-list command.
- Added support for the interfaces_mask_length, nat_auto_rule, nat_ip, nat_hide_behind, interfaces_name, nat_install_on, color, tags, interfaces_subnet, and nat_method arguments in the checkpoint-host-update command.
- Added support for the interfaces_mask_length, nat_auto_rule, nat_ip, nat_hide_behind, interfaces_name, nat_install_on, comments, color, tags, interfaces_subnet, and nat_method arguments in the checkpoint-host-add command.
- Added support for the action, comments, color, tags, ignore_warnings, and profile_action arguments in the checkpoint-threat-indicator-add command.
- Added support for the details_level argument in the checkpoint-group-get command.
- Added support for the nat_ip, nat_hide_behind, nat_install_on, color, tags, and nat_method arguments in the checkpoint-address-range-update command.
- Added support for the members, comments, color, ignore_errors, tags, and ignore_warnings arguments in the checkpoint-group-add command.
- Added support for the track_per_session, install_on, enabled, comments, track_type, and track_accounting arguments in the checkpoint-access-rule-add command.
- Added support for the color, description, comments, and tags arguments in the checkpoint-application-site-add command.
- Added support for the source_remove, track_per_session, install_on, comments, destination_remove, track_type, destination_add, track_accounting, service_remove, service_add, and source_add arguments in the checkpoint-access-rule-update command.
- Added support for the details_level and domains_to_process arguments in the checkpoint-application-site-list command.
- Added support for the details_level and domains_to_process arguments in the checkpoint-address-range-list command.
- Added support for the filter, domains_to_process, and details_level arguments in the checkpoint-group-list command.
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
- 44054
Download
2.4.0 - 10224262 (June 16, 2026)
- 44054
Download
Integrations
CheckPoint Firewall v2
- Added support for the following commands:
- checkpoint-access-section-delete, that deletes the specified access section.
- checkpoint-access-section-get, that shows an existing access section using object name or UID.
- checkpoint-access-section-add, that adds a new access section.
- checkpoint-service-group-add, that adds a new service group object.
- checkpoint-service-group-get, that shows an existing service group object using object name or UID.
- checkpoint-service-group-update, that updates the specified service group object.
- checkpoint-service-group-list, that gets a list of all service group objects.
- checkpoint-service-group-delete, that deletes the specified service group object.
- checkpoint-access-section-update, that updates the specified access section.
- checkpoint-service-group-clone, that clones an existing service group object.
- checkpoint-nat-rule-update, that updates an existing NAT rule.
- checkpoint-network-add, that creates a new network object.
- checkpoint-icmp-service-update, that updates an existing icmp service object.
- checkpoint-udp-service-update, that updates an existing udp service object.
- checkpoint-network-update, that updates an existing network object.
- checkpoint-nat-rule-get, that gets full data for the specified nat rule.
- checkpoint-tcp-service-add, that creates a new tcp service object.
- checkpoint-icmp-service-add, that creates a new icmp service object.
- checkpoint-nat-rule-list, that retrieves a list of nat rules from the rule base.
- checkpoint-service-delete, that deletes a service object.
- checkpoint-network-list, that retrieves a list of network objects.
- checkpoint-service-get, that gets full data for the specified service object.
- checkpoint-service-list, that retrieves a list of service objects. When an identifier is provided, returns a single service object.
- checkpoint-tcp-service-update, that updates an existing tcp service object.
- checkpoint-nat-rule-delete, that deletes a nat rule.
- checkpoint-udp-service-add, that creates a new udp service object.
- checkpoint-network-delete, that deletes a network object.
- checkpoint-nat-rule-add, that adds a new nat rule.
- checkpoint-network-get, that gets full data for the specified network object.
- Added support for the profile_action, color, and tags arguments in the checkpoint-threat-indicator-update command.
- Added support for the domain_names, filter, and details_level arguments in the checkpoint-threat-indicator-list command.
- Added support for the color, comments, and tags arguments in the checkpoint-application-site-update command.
- Added support for the details_level argument in the checkpoint-host-get command.
- Added support for the nat_auto_rule, nat_ip, nat_hide_behind, nat_install_on, nat_method, comments, color, and tags arguments in the checkpoint-address-range-add command.
- Added support for the color, details_level, and tags arguments in the checkpoint-group-update command.
- Added support for the details_level and domains_to_process arguments in the checkpoint-host-list command.
- Added support for the details_level and show_hits arguments in the checkpoint-access-rule-list command.
- Added support for the interfaces_mask_length, nat_auto_rule, nat_ip, nat_hide_behind, interfaces_name, nat_install_on, color, tags, interfaces_subnet, and nat_method arguments in the checkpoint-host-update command.
- Added support for the interfaces_mask_length, nat_auto_rule, nat_ip, nat_hide_behind, interfaces_name, nat_install_on, comments, color, tags, interfaces_subnet, and nat_method arguments in the checkpoint-host-add command.
- Added support for the action, comments, color, tags, ignore_warnings, and profile_action arguments in the checkpoint-threat-indicator-add command.
- Added support for the details_level argument in the checkpoint-group-get command.
- Added support for the nat_ip, nat_hide_behind, nat_install_on, color, tags, and nat_method arguments in the checkpoint-address-range-update command.
- Added support for the members, comments, color, ignore_errors, tags, and ignore_warnings arguments in the checkpoint-group-add command.
- Added support for the track_per_session, install_on, enabled, comments, track_type, and track_accounting arguments in the checkpoint-access-rule-add command.
- Added support for the color, description, comments, and tags arguments in the checkpoint-application-site-add command.
- Added support for the source_remove, track_per_session, install_on, comments, destination_remove, track_type, destination_add, track_accounting, service_remove, service_add, and source_add arguments in the checkpoint-access-rule-update command.
- Added support for the details_level and domains_to_process arguments in the checkpoint-application-site-list command.
- Added support for the details_level and domains_to_process arguments in the checkpoint-address-range-list command.
- Added support for the filter, domains_to_process, and details_level arguments in the checkpoint-group-list command.
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
- 44054
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | September 23, 2020 | |
| Last Release | June 16, 2026 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
