Quarantine compromised Endpoint Security device (enforced by Firewall)
This topic describes settings and behavior for quarantining compromised Endpoint Security devices enforced by a Check Point Firewall. It includes supported products, parameters, trigger details, and flow information.
The automation blocks outgoing traffic from compromised devices (for example, ransomware), detected by Endpoint Security, to prevent lateral movement and communication with C&C (Command and Control).
Supported Product
- Check PointSecurity Management Server)
-
Endpoint Security
Parameters
|
IP quarantine duration (if admin's approval is required) |
Set the expiration period for the automation. This applies only if you have selected the Admin's approval is required for quarantining device IP checkbox. After the expiration, Playblocks sends the notification for the Administrator's approval. |
|
IP quarantine duration (automatic prevention) |
Set the expiration period for the automations that are executed automatically (without the Administrator's approval). The default duration is 1 day. |
|
Admin's approval is required for quarantining device IP |
Select the checkbox if you want Administrator's approval to execute the automation. Check Point recommends that you leave Admin's approval is required for quarantining device IP checkbox unselected. |
|
Open ticket if device IP was quarantined |
Select the checkbox if you want to open a ticket when device IP was quarantined. |
Trigger
Matching quarantine IP of compromised device identified by Endpoint.
To view the example of this log, click Run.
Flow