topic Re: updatable objects with wildcard entries in Firewall and Security Management

updatable objects with wildcard entries

Markus_Kress — Thu, 20 Feb 2020 11:24:28 GMT

Hi,
we are using updatable objects in our o365 policy.
The updatable object "Office Worldwide Services" includes some Wildcard Domain entries, e.g. "*.msappproxy.net". We figured out, requests which should match these wildcards do not work.
Should they work? - We assume that the gateway does a dns lookup for every fqdn which is listed in the updatable object and cashs it. For wildcard entries it is not possible. Are we Right?
Can someone explain how the updatable object mechanism works? Or is there a good article in the knowledgebase?

Re: updatable objects with wildcard entries

G_W_Albrecht — Thu, 20 Feb 2020 12:24:22 GMT

sk131852: Updatable Objects in R80.20 and above

sk122636: How to troubleshoot Updatable Objects in R80.20 and higher

Re: updatable objects with wildcard entries

Jonathan — Thu, 30 Jul 2020 12:40:49 GMT

Same question here - I'm thinking about using updatable object for Zoom, but their list contains *.zoom.us.

I know that it is advised NOT to use non-FQDN Objects in Checkpoint R80.20 since every packet passing the firewall will be checked for reversed-dns lookup and can choke the firewall.

Would that also be the case with updatable objects when wildcard is present?

I couldn't find any answer to this in the links links G_W_Albrecht provided.

Thanks

Re: updatable objects with wildcard entries

G_W_Albrecht — Thu, 30 Jul 2020 13:54:00 GMT

sk163633: Updatable Objects for Zoom Services

sk135572: Microsoft Office 365 objects as Network Objects in R80.20 and above

Re: updatable objects with wildcard entries

Jonathan — Mon, 03 Aug 2020 05:25:43 GMT

Thanks for those links G_W_Albrecht, I've already read them but still don't have answer for my question -

Checkpoint says these updateable objects contains list of IP addresses and DOMAINS. I've checked Zoom's list and it contains *.zoom.us.

Will the gateway treat this the same as a non-FQDN object and try to reverse-lookup for it on every packet?

Re: updatable objects with wildcard entries

SSlater — Mon, 03 Aug 2020 08:03:05 GMT

Hi Markus_Kress,

I think you are looking for Domain Objects. These work like you mention, where the Gateway does a dns lookup for every FQDN, then caches it.

Updatable Objects work slightly differently, but on the same premise.

Some Services do not function with Domain objects, for various reasons, and we require the Updatable Objects.

These are a dynamic list of IP's that is provided as a service from Check Point. (No special licensing required)

We work with Vendors such as Zoom, Microsoft, and new vendors all the time.

They provide a list of IP's and Domains to us. -- We provide this to you, in the form of an Updatable Object.

We can see in sk163633 -- Updatable Objects for Zoom Services

"Zoom publishes a list of IP ranges and domains which are dynamically updated."

If more granular control is required, you will need to use Domain Objects, or reach out to your local SE, or TAC if this doesn't suit your needs.

Re: updatable objects with wildcard entries

Jonathan — Mon, 03 Aug 2020 09:17:10 GMT

Hi Stephen,

Thanks for reply, this is all very clear, but still you did not address both Markus_Kress and my issue.

Checkpoint recommends not to use Domain Objects in a Non-FQDN setting, which as I understand is kinda' the equivalent to a wildcard domain (*.zoom.us).

Updatable Objects also relay on list of domains which include wildcard.

We want to know how the gateway addresses these wildcards domain and can they also have negative impact on performance like Non-FQDN Domain Objects do?

Re: updatable objects with wildcard entries

G_W_Albrecht — Mon, 03 Aug 2020 09:30:22 GMT

This is not true - Updatable Objects are a dynamic list of IP's that is provided as a service from Check Point. So there are no wildcards and these are not Domain objects - it is always a list of IPs 8)

I do not understand why this is so unclear although sk131852, sk163633 and sk135572 does explain that in detail ?

Re: updatable objects with wildcard entries

Jonathan — Mon, 03 Aug 2020 09:54:27 GMT

Well, I quote this from the links you've sent:

"External services providers publish lists of IP addresses, or Domains, or both,"

"This Zoom Updatable Object matches a list of IP addresses and domains"

"Each Office 365 Updatable Object matches a list of IP addresses and Domains"

And if you follow the link from Checkpoint's Import dialog box, to Zoom's firewall setting webpage you can see even see that *.zoom.us is part of the list.

This was also the original question of Markus_Kress regarding Office365.

Re: updatable objects with wildcard entries

_Val_ — Mon, 03 Aug 2020 10:01:14 GMT

In this context, "domain" means FQDN. @G_W_Albrecht is correct, Updatable objects contain a list of IP addresses. If you experience any connectivity issue with updatable objects, please raise those issues with TAC

Re: updatable objects with wildcard entries

SSlater — Tue, 04 Aug 2020 00:32:19 GMT

Hi @Jonathan Thanks for your clarification. I had focused on "Can someone explain how the updatable object mechanism works?"

Updatable objects should not have a negative impact on performance like Non-FQDN Domain Objects. --- We should not consider them equivalents.

If you see degredation, or performance impact when using them, contact TAC.

Regardless of the content of the actual Updatable Object, Whether IP's or Domains; Fortunately for us, from the FW/Traffic perspective, this should not have any difference in behavior. --- If you see any issues that would constitute "Updatable Objects do not have consistent Matching behavior when used in Rulebase" -- A TAC case should be raised with a similar title.