Phantom Integration With Check Point R80
Author: Richard Devera
Reviewer: Calvin Joy
Version: 0.9
Version Date:
Purpose: Demonstrate the API integration between Phantom and Check Point R80.10. This
document does not cover all the automation features of Phantom (e.g., Playbooks).
Prerequisite:
1. R80.10 SmartCenter VM installed (Configured to allow API on all interfaces)
a. IP: 10.1.1.101
b. username/password: root/vpn123
2. R80.10 Gateway
a. Internal IP: 10.1.1.254
b. External IP: NAT or Bridge IP
c. username/password: root/vpn123
3. Routable to the internet with DNS enabled
4. Download Phantom Playbook samples from this URL:
https://github.com/rickdevera/phantom-checkpoint
Steps
1. Download Splunk Phantom and import Phantom OVA on VMware Workstation
2. After import, attach the Phantom VM network adapter to the same network as the
SmartCenter.
3. Start up Phantom and log in to the console
a. Enter a new Password - ‘vpn123’
b. Phantom Configuration
ix. To simplify installation and learn about Phantom, click on Get Started;
otherwise, click Exit Tour. The Getting Started wizard can be restarted later.
Using the Check Point R80 API, the playbook queries for the policy name and layer name,
populates the containment action, block ip, with that information, and executes a policy change
on the SmartCenter. The SmartCenter builds the objects and policies, and installs the policy
automatically.
xiv. Click on the CONFIGURE PHANTOM button
xv. This will take you to the “Getting setup with Phantom” wizard.
1. Enter the Company Name (i.e., Check Point) and click on SAVE and
CONTINUE.
xvi. Configure Data Source
xxv. Get the name of the Check Point Policy and Policy Layer. This can be
done two ways:
1. Open the SmartConsole and
xxvi. .
c. Start up the SmartConsole
4.
a. Verify the policy.
m. After selection, go to the SmartConsole and verify the policy and object updates.
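
The API sequence the playbook is described as performing (query the policy and layer names, create the block, install the policy), written out as an added Python example; it is not the Phantom app's code or the author's playbook. The `call` transport, `fake_call`, the `phantom-block-` object prefix, the gateway name `gw-r80`, the sample address, taking the first package and layer returned, and matching on destination are all assumptions of this example.

```python
import ipaddress

# Addresses from this lab's prerequisites that automation must never block.
PROTECTED = {"10.1.1.101", "10.1.1.254"}


def block_ip(call, ip, gateway):
    """Run the block-ip flow through call(command, payload) -> dict.

    `call` is a hypothetical transport: in a real deployment it would POST
    to https://<management>/web_api/<command> with the X-chkp-sid header
    obtained from `login`. Returns the list of commands issued.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if str(addr) in PROTECTED:
        raise ValueError(f"refusing to block protected address {addr}")

    issued = []

    def step(command, payload):
        issued.append(command)
        return call(command, payload)

    # 1. Discover the policy package and access layer instead of hard-coding
    #    (assumption: the first entry returned is the one to use).
    package = step("show-packages", {})["packages"][0]["name"]
    layer = step("show-access-layers", {})["access-layers"][0]["name"]

    # 2. Create the host object and a drop rule at the top of the layer.
    host = f"phantom-block-{addr}"
    step("add-host", {"name": host, "ip-address": str(addr)})
    step("add-access-rule", {"layer": layer, "position": "top", "name": host,
                             "destination": host, "action": "Drop"})

    # 3. Changes stay a draft until published; then push to the gateway.
    step("publish", {})
    step("install-policy", {"policy-package": package, "access": True,
                            "targets": [gateway]})
    return issued


def fake_call(command, payload):
    """Constructed responses standing in for a SmartCenter (offline demo)."""
    canned = {"show-packages": {"packages": [{"name": "Standard"}]},
              "show-access-layers": {"access-layers": [{"name": "Network"}]}}
    return canned.get(command, {})


if __name__ == "__main__":
    print(block_ip(fake_call, "203.0.113.7", "gw-r80"))
```

The protected-address check runs before any API call, so a bad indicator fed to the block ip action cannot lock out the SmartCenter or the gateway.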