topic Re: Permissions to Outlook by VS in Firewall and Security Management

Permissions to Outlook by VS

Matlu — Sun, 01 Jun 2025 18:05:22 GMT

Hello,

We need to create a rule in our FW, that allows access for Outlook mail consumption to a user with IP 10.x.x.x.x/32
We do not have APPC or URLF
We only have the instance with the blade FW running (We have a VSX environment)
The detail is that we have created a rule using as destination an 'Updatable Object', as Office 365, but the FW ignores the rule and the user can not access (does not load the main page), the only way is to change the destination by ANY, and then if it works.

Questions.

1. Updatable Object, does it work with a particular blade?
2. If you only have your VS working as FW, in what ways could we control the traffic to a particular destination, would it be using FQDN?
3. What are the domains that Outlook normally consumes so that someone can use webmail?

Thanks for your comments

Re: Permissions to Outlook by VS

Wolfgang — Sun, 01 Jun 2025 20:00:31 GMT

@Matlu what‘s OUTLOOK as destination? You mean https://outlook.com or dou you mean outlook as client for an onpremise exchange or O365 exchange?
If you use an updatable object you need a working DNS on your gateway and your client and they have to be using the same DNS servers (meaning the DNS resolution has to be the same results on the client and on the gateway)

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 00:58:40 GMT

Hey bud,

You only need technically fw blade enabled to use updatable object. I always only use it like that on ordered layer with fw blade enabled and works just fine.

Andy

Re: Permissions to Outlook by VS

Matlu — Mon, 02 Jun 2025 03:45:58 GMT

Hello
Indeed, our need is that the user can access via web, to https://outlook.com, but the problem is that when I make the security rule putting as destination the Updatable Object of 'Office 365', this does not work, because the user can not access the web.
The only way is putting as destination in 'Any'.
For it to consume https://outlook.com, do you need to place other 'Updatable Objects'?
Or the correct way for this permission is another one?
We only have the FW blade available
Thanks for your comments

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 03:59:31 GMT

I can check in the lab tomorrow...what is EXACT name of the updatable object?

Andy

Re: Permissions to Outlook by VS

Matlu — Mon, 02 Jun 2025 04:08:22 GMT

It's Office 365
If it is not feasible to use Updatable Object for this purpose, what would be the most favorable option when you only have the FW blade available?

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 10:06:50 GMT

Let me do some lab tests soon and will update you buddy.

Andy

Re: Permissions to Outlook by VS

_Val_ — Mon, 02 Jun 2025 10:24:14 GMT

I suspect you have to enable HTTPS Inspection to do this, regardless of other configuration requirements.

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 10:31:39 GMT

I just ran below command on the lab fw:

[Expert@CP-GW:0]# dynamic_objects -uo "Office365 Services"

Output is way too long to copy it here, but outlook.com is 100% there. If it does not work, maybe try add domain object as .*outlook.com and uncheck fqdn option and see if that works.

Andy

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 11:28:53 GMT

Hey bro,

See what I attached. I just tested with that object in the policy with no ssl inspection on and worked fine.

Andy

Re: Permissions to Outlook by VS

Matlu — Mon, 02 Jun 2025 13:17:10 GMT

Bro,

I'll try it today and update you

One query, the command you shared to test, I guess it should be run on the VS instance where I'm working this permission, right?

Cheers

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 13:18:41 GMT

Thats right. Btw, command works for ANY updatable object used in policy, just make sure to put EXACT name as it shows in smart console.

Andy

Re: Permissions to Outlook by VS

Wolfgang — Mon, 02 Jun 2025 13:29:03 GMT

With the command shown by Andy you'll see if the updatable object will be fine. Using "Office 365 services" or "Exchange services" is the correct way. That's what updatable objects are for. Maybe something goes wrong...

Follow sk178775 - Security Gateway does not enforce a rule with Updatable Object in the Access Control Policy to check your gateway

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 13:33:03 GMT

Excellent sk @Wolfgang

Thank you!

Andy

Re: Permissions to Outlook by VS

Matlu — Mon, 02 Jun 2025 21:50:16 GMT

Hey, Andy

Your recommendation seems to have taken effect in my environment.
I have a question, does Check Point have a kind of “Debug Flow”, as it exists in other vendor like Fortinet, which helps you to know by CLI, in which rule a particular traffic is doing MATCH?

It happens to be working with your recommendation what I needed, but we have a problem with our LOG SERVERS, and we can't see the real traffic at this moment.

I want to rely on a “Packet Capture” class to help me know if the traffic is MATCHing or not with the rule we have created.

Cheers. 🙂

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 21:55:40 GMT

K, great!

If you are looking for something similar to what I attached on Fortigate (by the way, for what its worth, fortimanager is way better for that), closest I can think of is below.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-up_execute.htm

Re: Permissions to Outlook by VS

Matlu — Mon, 02 Jun 2025 22:01:24 GMT

Interesting tool, but I have a question, in the “destination” field, how would you filter if your original destination is a domain?

Do you have to first do a NSLOOKUP on your PC, and resolve your domain as https://outlook.com, and take any IP that NSLOOKUP gives you, to put it in the command syntax?

Or is there another way?

Re: Permissions to Outlook by VS

the_rock — Mon, 02 Jun 2025 22:04:55 GMT

Excellent question!

Sadly, you can NOT do domains, ONLY ip addresses. So you can do nslookup as you said and then test it that way. I dont sadly know of any other way.

Andy

Re: Permissions to Outlook by VS

Matlu — Thu, 05 Jun 2025 23:40:00 GMT

Hey, Bro
When working with “DOMAINS”, do you know if it is necessary to enable also the HTTPS Inspection in the GW?
The rule you created is not working, and it seems that since you created it it doesn't work.
Unfortunately I had a problem with the logs of our box and I had no way to confirm if the rule was working or not.

Re: Permissions to Outlook by VS

the_rock — Thu, 05 Jun 2025 23:52:30 GMT

You dont need to, only having fw blade enabled on the layer is good enough.

Andy