Allows SIEM send a command to firewall to block attacker address in case of deteced attack based on third party logs or correlated events.

Transform your SIEM to single point of attack detection and response.

If some device (IDS\IPS\WAF…), connected to SIEM, detects an attack from IP address or C&C communication, you can create ArcSight rule to provide automatic reaction: block Attacker IP as source and destination of IPv4 traffic. Automatic Remediation tool will receive IP address for block from SIEM, and send command to Firewall.

CAUTION: developer supports only own scripts. For technical support case with SIEM or Firewall you should consult with relevant vendor. In case of support or suggestions, please, contact

Minimum Requirements

  • IPv4 traffic supported.

  • ArcSight ESM\Express with Rule Action "Execute Command" capability. (see ArcSight Console User Guide for more details).

  • Inline CheckPoint Security Gateway or High Availability Cluster with working Suspicious Activity Monitoring (see sk112061 on CheckPoint support center).

  • UNIX server. Tested on: CentOS 7.0 Ubuntu 18.04.4 Rhel 7.1

  • Bash version 4.2 on UNIX server.

  • Expect version 5.45 on UNIX server.

  • ArcSight CEF File Reader Smart Connector on UNIX server.


Automatic IP Remediation tool for CheckPoint Firewall 1.0
357.2 KB
May 3, 2020
More info Less info
Product compatibility
Version 6.11
Version 7.0 · 7.2
Release notes

Scripts to perform block of attacker IP address on CheckPoint Firewall, using ArcSight ESM\Express and ArcSight CEF File Reader Smart Connector.


Similar items

Similar apps are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the Marketplace Terms of Service and Micro Focus Terms of Service
Since you are downloading an app from the Micro Focus unified Marketplace using an Access Manager account, you need to also accept the Micro Focus Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service and the Micro Focus Terms of Service" box below and click accept to continue your download.

Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2020-11-1-3429 | Wed Nov 11 03:39:48 PST 2020