topic Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20 in General Topics

5 Year celebration hangover - Q regarding dynamic network object in R81.20

Kaspars_Zibarts — Fri, 18 Nov 2022 07:12:35 GMT

@Tomer_Noy - thanks for really outstanding presentation yesterday! Made many notes regarding R81.20!

One thing that I loved most is dynamic network object list / feed. I generally love dynamic objects and we strive to go away from static rulebase managed by FW administrators to more dynamic build - i.e updatable objects, domain objects, old school dynamic objects, API based updates etc etc

And this new network feed object type would perfectly fit our bill! It would allow us to delegate responsibility to service owners and cut many "middle-man" hours. Plus it's less complex than API and does not require policy install! Win-win

How does it fit together with generic datacentre object that was released in R81? It seems to be doing the same thing but is just more cumbersome to manage (format requirements etc)

Will it require any additional licensing? I.e. to deploy IOC feeds (that are somewhat similar with exception that they would only allow blocking traffic) you need AB or AV license.

Thanks again for insights!

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Tomer_Noy — Thu, 02 Jun 2022 06:45:43 GMT

Thanks for the positive feedback Kaspars!
It means a lot coming from a skilled and veteran customer 😀

I'm glad that this new feature is a good fit for your plans to further modernize your policy management. I hope that many customers adopt it.

Regarding your questions:

How do "Network Feeds" fit together or compare with "Generic DataCenter" objects?
- The benefits of Generic DataCenter is that it supports hierarchy of objects, so a single feed can provide multiple objects for the policy. Also, it can be installed on R81.10 gateways.
- The benefits of Network Feeds are that they are much simpler to define and use (no strict formatting), the gateway independently updates content from the feed (so Management maintenance / downtime will not affect it), and it's scalable for a lot of IPs.
- IMO, if you are in doubt, go with the Network Feeds. We hope that this feature will reach the masses as there is not widespread adoption of Generic DataCenter.
Unlike IoCs, Network Feeds are an Access Policy feature, so they do not require an additional license.
- BTW, IoCs are a great feature and support many more blocking constructs (such as URLs, regular expressions, ...). These are actually used by many customers and we continue to encourage that.

I hope the above clarifies things.

Please continue to share feedback (also if you have on other content in the demo), and if you have experience later on with adopting R81.20.

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Kaspars_Zibarts — Thu, 02 Jun 2022 21:09:05 GMT

You know that I have been planning in my head a "centralised tool to manage old school dynamic objects" just like network feeds does.. you stole my idea from my head! 🙂 Oh well, I have time now for other 100 ideas in my head! And can you please port it to R80.40 as i doubt it very much that we will venture to R81.20 anytime soon 🙂 plus the log sending to two servers!

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Tomer_Noy — Fri, 03 Jun 2022 07:09:20 GMT

Unfortunately, we cannot port these features to older versions. They depend on new schema configuration in the DB and functionality in the gateway that cannot be added in JHF.

Note that the log sending to multiple servers (distributed logging) was already added in R81.10, so it's GA.

I can only recommend a swift upgrade strategy to at least R81.10 right now, and soon to R81.20 as those releases bring many improvements on all fronts (quality, performance, features).

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Kaspars_Zibarts — Fri, 03 Jun 2022 08:27:09 GMT

We will try of course! To upgrade..

One last Q Tomer - Network Feeds, will they be available as Global objects in MDS?

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Tomer_Noy — Sun, 19 Jun 2022 14:34:29 GMT

Hi @Kaspars_Zibarts,

It took me a little while to get a verified answer, but you'll be happy to hear that: Yes, Network Feeds can be defined as global objects in MDS environments 😀

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Kaspars_Zibarts — Fri, 01 Jul 2022 11:36:45 GMT

Awesome! 🙂 really good news! Time to plan to upgrade MDS then!

Re: 5 Year celebration hangover - Q regarding dynamic network object in R81.20

Simon_Macpherso — Fri, 18 Nov 2022 07:43:40 GMT

Hi @Tomer_Noy

Thanks for the information.

Discovered this post linked from the What's New in R81.20 TechTalk webinar this week.

I have a few questions re the Network Feeds object.

What file type is the file the Network Feeds object?

If there is no strict formatting;

How can you trust the data input is valid data?
Is there a built-in validation process to ensure the data is valid?
Also is there a constraints mechanism i.e. restrict what values can will be accepted ion the file e.g. a specific IP range?

We just started using generic data center objects block malicious IPs from verified threat intelligence feeds. As you stated, the generic data center object references a JSON file with strict formatting requirements. However, there is still no built-in protection for data validation.

To mitigate input errors i.e. input data that doesn't conform to the strict formatting, we validate the JSON against a schema before copying the file to a web or the management server.

In terms of scalability, the JSON should be able to handle a lot of IPs. Can you explain the advantage of the new object in further detail here?

I would be interested to look at any additional information you're able to provide on the Network Feeds object.

Regards,

Simon