Working with block lists
- Updated Aug 1, 2024
- 2 minutes to read
- Xanadu
- Security Incident Response integrations
The ServiceNow Check Point Next Generation Threat Prevention (NGTP) integration supports block lists that accept IP, URL, and domain observables.
A ServiceNow-configured block list is a CSV file hosted on an external web server, which for this integration is the ServiceNow AI Platform instance. A Custom Intelligence Feed configured on the Check Point Gateway pulls the IP addresses, URLs, and domains from the ServiceNow AI Platform at a pre-configured interval.
This integration supports three types of Block Lists:
- IP Address (a single IPv4 address for the block list; CIDR blocks (ranges) of addresses are supported for the allow list only)
- URL
- Domain
Observables supported by the Check Point NGTP integration
This section describes the observables supported by this integration and gives example formats for each type.
Observable Type | Examples | Description |
---|---|---|
Domain | | Wildcards are not supported. |
IP Address | 95.153.103.54 (IPv4) | Represents a single, distinct interface address. The integration supports only IPv4 and CIDR formats (CIDR format is supported only for allow listing). For allow listing, IP address observables may include CIDR (Classless Inter-Domain Routing) ranges, for example, 95.153.100.0/22. Note: An error message is displayed when you try to attach a single IP address to a Block List that you have already allow listed as part of a CIDR range. For example, the single address 95.153.103.54 is part of the CIDR range 95.153.100.0/22 (95.153.100.0-95.153.103.255). |
URL | | The application formats HTTPS URLs by trimming the path and retaining only the domain name. Check Point NGTP relies on the HTTP CONNECT request to evaluate web traffic and enforce blocking. In an HTTPS CONNECT request, the entire URL is not visible; only the domain name is. When a user blocks an HTTPS URL with a specific path (for example, https://www.example.com/path), the application trims the path automatically (www.example.com). The application maintains the relationship between the original observable and the formatted URL. Below is a screenshot of a Block List Entry that shows the formatted URL and the original observable. |
For HTTP URLs with a specific path (for example, http://www.example.com/path), Check Point blocks the specified URL, because the entire URL is visible in the CONNECT request.
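The observable rules above (IPv4 only, CIDR for allow listing only, rejection of a single address already covered by an allow-listed CIDR, and HTTPS path trimming) as an added example that is not ServiceNow's or Check Point's code; the entry list and allow list are constructed sample data, and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not ServiceNow/Check Point code: models the rules on this page.
def normalize_ip(value, allow_list_cidrs):
    """Validate one IP observable for the block list; returns (accepted, detail)."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False, "not an IP address or CIDR"
    if net.version != 4:  # the integration supports IPv4 only
        return False, "IPv4 only"
    if net.num_addresses != 1:  # CIDR ranges are for allow listing, not blocking
        return False, "CIDR ranges are supported only for allow listing"
    addr = net.network_address
    for cidr in allow_list_cidrs:  # the error case the page describes
        if addr in ipaddress.ip_network(cidr, strict=False):
            return False, f"{addr} is already allow listed via {cidr}"
    return True, str(addr)

def format_url(observable):
    """Return the feed value for a URL: HTTPS is trimmed to its host name."""
    parts = urlsplit(observable)
    # Only the domain is visible in an HTTPS CONNECT request, so the path
    # is dropped; an HTTP URL keeps its full path and is blocked as given.
    if parts.scheme == "https" and parts.hostname:
        return parts.hostname
    return observable

def build_feed(entries, allow_list_cidrs):
    """Map each original observable to (feed_value, rejection_reason); entries is a
    list of (type, observable) and feed_value is None when the entry is rejected."""
    feed = {}
    for kind, obs in entries:
        if kind == "ip":
            ok, detail = normalize_ip(obs, allow_list_cidrs)
            feed[obs] = (detail, None) if ok else (None, detail)
        elif kind == "url":
            feed[obs] = (format_url(obs), None)
        elif kind == "domain":  # wildcards are not supported
            feed[obs] = (None, "wildcards are not supported") if "*" in obs else (obs, None)
    return feed

# Constructed sample entries and allow list (not taken from any real instance).
SAMPLE_ENTRIES = [("ip", "95.153.103.54"), ("ip", "95.153.100.0/22"),
                  ("url", "https://www.example.com/path"),
                  ("url", "http://www.example.com/path"), ("domain", "*.example.com")]
SAMPLE_ALLOW_LIST = ["95.153.100.0/22"]
```

Run `build_feed(SAMPLE_ENTRIES, SAMPLE_ALLOW_LIST)` to see the single address rejected because it falls inside the allow-listed 95.153.100.0/22 range, while the HTTPS URL is reduced to www.example.com and the HTTP URL is kept intact.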