topic Re: R80.20 Identity Tags and Updatable Objects in Firewall and Security Management

R80.20 Identity Tags and Updatable Objects

Yair_Herling — Sun, 14 Nov 2021 11:55:02 GMT

This video elaborates on one the most important aspects of the Check Point Infinity architecture which is the dynamic, unified characteristics of a policy.

legacy Static policy means ticketing, many install policy operations and inherent discrepancies within the policy will ruin our operational efficiency.

However, by solving these challenges with a Dynamic approach – the security operations engineers only need to design a single policy rule for each scenario that will seamlessly control all operational aspects of an enterprise, while keeping access changes strict, yet adaptive.

Enjoy

Re: R80.20 Identity Tags and Updatable Objects

Tomer_Sole — Mon, 07 Jan 2019 18:22:05 GMT

Great work Ofir Calif‌ Roi Caspy‌ !

Re: R80.20 Identity Tags and Updatable Objects

John_Fulater — Fri, 11 Jan 2019 04:30:26 GMT

This was a great presentation. Very informative and directive. Thank you.

Re: R80.20 Identity Tags and Updatable Objects

Felipe_Tropeia — Fri, 18 Jan 2019 14:04:01 GMT

I was trying to create a NAT hide using a dynamic object or domains objects. However, I've got an "Invalid Object '.office365.com' in Original Dst of Address Translation Rule 5. The valid objects are: host, gateway, network, address range and router."

Would I like to know If the new updatable objects can be used by NAT policy?

Many thanks,

Felipe Tropeia

Re: R80.20 Identity Tags and Updatable Objects

Yair_Herling — Sun, 17 Mar 2019 08:32:26 GMT

Sorry for my late reply.

Domain objects and updatable objects are currently not supported in NAT rulebase.

This is under development though..

hope this helps...

Yair

Re: R80.20 Identity Tags and Updatable Objects

Andreas_Hofmann — Sat, 27 Jul 2019 08:17:52 GMT

Hello,

how to use Updatable Objects in legacy application HTTPS inspection.
Can Checkpoint ensure all Microsoft Office 365 application work without any problems if https inspected?

Thanks

Andreas

Re: R80.20 Identity Tags and Updatable Objects

PhoneBoy — Sat, 27 Jul 2019 22:15:28 GMT

This is not currently supported.
This may be supported in an upcoming release.

Re: R80.20 Identity Tags and Updatable Objects

Andreas_Hofmann — Sun, 28 Jul 2019 08:21:26 GMT

Hi,

how to proceed with Microsoft cloud applcations like Azure, Skype , Power BI gateway hub and so on?
Recommendation from Microsoft is to http bypass -> result no Checkpoint blade protection anymore.

How to improve this and what is your experience with this kind of applications in your environments.

Thank you

Andreas

Re: R80.20 Identity Tags and Updatable Objects

PhoneBoy — Sun, 28 Jul 2019 13:08:22 GMT

Skype in particular isn't standard HTTPS, which means HTTPS Inspection won't necessarily work anyway.
HTTPS Inspection also cannot be applied to applications that use Certificate Pinning or client-side certificates.
If you need those applications to work, then they would need to be bypassed if HTTPS Inspection were used.

Azure hosts a lot of things in it, so you'd need to be more specific about what you're asking about here.

Re: R80.20 Identity Tags and Updatable Objects

Gera_Dorfman — Sun, 28 Jul 2019 19:45:07 GMT

We plan supporting updatable objects in https inspection in R80.40 which is planned for the end of this year; We are looking for EA customers with EA program to start in about 2 months.

Re: R80.20 Identity Tags and Updatable Objects

Andreas_Hofmann — Sun, 04 Aug 2019 08:46:18 GMT

I am searching for a very deep and clear instruction how to implement Office 365 applications. For example I have a lot of problems with application Teams (sharing desktops) Do we really have to exclude all Office365 IPs and Office365 URLs in https inspection? What are your experiences and how do you operate Office365 in Checkpoint firewall environments?

Re: R80.20 Identity Tags and Updatable Objects

PhoneBoy — Mon, 05 Aug 2019 05:11:42 GMT

Skype and its descendants such as Teams do not work with HTTPS Inspection.
The IPs specific to this service must be excluded from HTTPS Inspection as a result.
At the moment, we do not provide an easy way to do this, but it is planned for R80.40.

Re: R80.20 Identity Tags and Updatable Objects

Paul_Hagyard — Tue, 01 Oct 2019 21:51:31 GMT

Dynamic objects seem largely unusable currently. TAC are always recommend HTTPS inspection to support Application Control and URL Filtering, but O365 needs to be bypassed and you can't use the updatable objects in the HTTPS inspection policy and so need to maintain manual address groups again.

Updatable objects are also not supported in the desktop policy (for endpoints managed out of a SmartCenter), making it hard to allow direct access to O365 when connected via a VPN. Guessing they are not supported for the full Endpoint client policy either?

Re: R80.20 Identity Tags and Updatable Objects

PhoneBoy — Tue, 01 Oct 2019 22:29:18 GMT

Updatable Objects should be usable in the HTTPS Inspection policy in R80.40.
I don't know what the plan is to support this in the desktop Endpoint policy.