topic Re: R80.40 - Updatable Objects Issue on VS in General Topics

R80.40 - Updatable Objects Issue on VS

LostBoY — Wed, 19 May 2021 14:44:03 GMT

I configured updatable objects in my Access Policy but was greeted with a deny log stating "updatable objects is used in policy but gateway package is missing".. this is a VSX environment and i am getting these logs on a VS.. i have proxy, DNS configured.. i read on another forum that individual NAT and access is to be allowed towards updates.checkpoint.com on the VS..if my VS0 is already able to resolve everything then is individual access required on other VS ? .. moreover how do i allow access towards URL "updates.checkpoint.com' and how the NAT has to be setup for this.. my external bond interface has a public IP.

Re: R80.40 - Updatable Objects Issue on VS

_Val_ — Wed, 19 May 2021 14:55:37 GMT

for updatable objects, you need to access a different FQDN. Refer to sk83520 for full info. I believe it is dl3.checkpoint.com, but please check there, just in case.

I also believe, updatable objects are pulled from the target VS and not VS0.

Re: R80.40 - Updatable Objects Issue on VS

_Val_ — Wed, 19 May 2021 15:00:07 GMT

Here is a similar discussion with more details: https://community.checkpoint.com/t5/Security-Gateways/Updatable-Objects-in-VSX/m-p/99187

TL'DR - VS itself has to have connectivity to the update service. There should be a NAT rule allowing it to get packets back.

Re: R80.40 - Updatable Objects Issue on VS

LostBoY — Wed, 19 May 2021 15:55:10 GMT

In this discussion it is mentioned to create a NAT and an ACL .. how do i provide access rule towards a URL ? and my external interface is configured with a public ip and i can ping external addresses via it.. is NAT required in this case ?

Re: R80.40 - Updatable Objects Issue on VS

_Val_ — Thu, 20 May 2021 06:23:46 GMT

You do not have to have a rule, actually, GW to internet access is covered by implied rules already. What you need is NAT. When a VS is sending traffic, one of the "funny IPs" is used. It should be NAT-ed in the way traffic can return. Please carefully read the discussion I referred above, it is explained there.

Re: R80.40 - Updatable Objects Issue on VS

LostBoY — Fri, 21 May 2021 13:37:05 GMT

Ok..i got the funny ip part..so here is what i have done.

1)Applied a NAT rule from src 192.168.96.0/24 towards any with a hideNAT (Public IP)

2)tried curl_cli updates.checkpoint.com and i am able to resolve it from the VS

3)ran unified_dl UPDATE ONLINE_SERVICES

however..after doing all this i still cannot see last_resvision.xml being created in #CPDIR/database/downloads/ONLINE_SERVICES/1.0 of the VS

just one thing which i suppose may be an issue..i have a proxy configured in SmartConsole/VS0.. VS2 cannot reach that proxy..is vs2 trying to reach internet via Proxy even when a direct NAT is available ? any way to get around this.