topic Re: Split tunnel - URL resolution &quot;IPaddressFeed2CheckPoint&quot; script for windows updates in SASE and Remote Access https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-URL-resolution-quot-IPaddressFeed2CheckPoint-quot/m-p/120794#M8460 <P>First of all, I think the requirement to "route all traffic" is...untenable for a variety of reasons.<BR />A better approach would be to have the appropriate controls on the Endpoint (Harmony Endpoint/Browse) so routing the traffic back to a headend isn't necessary.</P> <P>Having said that, I imagine this code could (with modifications, likely) also work for the purpose of creating an encryption domain.<BR />The main thing is that the output must be IP addresses, since you have to create regular network/host objects.</P> Wed, 09 Jun 2021 23:16:51 GMT PhoneBoy 2021-06-09T23:16:51Z Split tunnel - URL resolution "IPaddressFeed2CheckPoint" script for windows updates https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-URL-resolution-quot-IPaddressFeed2CheckPoint-quot/m-p/120732#M8459 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>Requirement ::&nbsp;</P><P>Split tunneling for windows updates.&nbsp;</P><P>&nbsp;</P><P>Background ::&nbsp;</P><P>Customer using exclusion group for Split Tunneling with address ranges as per&nbsp;sk167000 for o365, windows updates are new requirement. There does not appear to be a Microsoft official <STRONG><EM>feed</EM></STRONG> for domains/address ranges as with o365 &amp; updatable/FQDN objects are unsupported for encryption domain related configuration as per <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>'s&nbsp;comment in thread <A href="https://community.checkpoint.com/t5/Remote-Access-VPN/Split-tunnel-to-Microsoft-Office-365-YouTube-or-other-services/td-p/80040" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Remote-Access-VPN/Split-tunnel-to-Microsoft-Office-365-YouTube-or-other-services/td-p/80040</A>.&nbsp;</P><P>In sk167000 point #11 outlines "<SPAN>Automate Office 365 address updates by importing IP Address objects directly from Microsoft’s public feed using the&nbsp;</SPAN><A href="https://github.com/CheckPointSW-Community/IPaddressFeed2CheckPoint" target="_blank" rel="noopener">IPaddressFeed2CheckPoint</A><SPAN>&nbsp;script from our Community Github page."</SPAN></P><P><SPAN>From script using feed ::&nbsp;</SPAN></P><TABLE><TBODY><TR><TD><SPAN class="pl-c">#Download of Feed</SPAN></TD></TR><TR><TD>&nbsp;</TD><TD>curl_cli --insecure <SPAN class="pl-s"><SPAN class="pl-pds">'</SPAN><A href="https://endpoints.office.com/endpoints/worldwide?noipv6&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7" target="_blank" rel="noopener">https://endpoints.office.com/endpoints/worldwide?noipv6&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7</A><SPAN class="pl-pds">'</SPAN></SPAN> <SPAN class="pl-k">|</SPAN> jq <SPAN class="pl-s"><SPAN class="pl-pds">'</SPAN>.[] | select(.category=="Optimize")<SPAN class="pl-pds">'</SPAN></SPAN> <SPAN class="pl-k">|</SPAN> grep -o <SPAN class="pl-s"><SPAN class="pl-pds">'</SPAN>[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,\}<SPAN class="pl-pds">'</SPAN></SPAN> <SPAN class="pl-k">&gt;</SPAN> <SPAN class="pl-smi">$v_helper_o365_ipv4cidr</SPAN></TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>Query ::</SPAN></P><P><SPAN>Could this be used to resolve domains related to Windows Updates to IPs &amp; populate an exclusion group to enable split tunneling in this case as there doesn't&nbsp;appear to be a feed to pull domains/address ranges from? </SPAN></P><P><SPAN>Is there another known solution for this requirement as possibly a common ask?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Please let me know what you think here.</SPAN></P><P><SPAN>Thanks</SPAN></P> Wed, 09 Jun 2021 10:42:58 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-URL-resolution-quot-IPaddressFeed2CheckPoint-quot/m-p/120732#M8459 ConorOB 2021-06-09T10:42:58Z Re: Split tunnel - URL resolution "IPaddressFeed2CheckPoint" script for windows updates https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-URL-resolution-quot-IPaddressFeed2CheckPoint-quot/m-p/120794#M8460 <P>First of all, I think the requirement to "route all traffic" is...untenable for a variety of reasons.<BR />A better approach would be to have the appropriate controls on the Endpoint (Harmony Endpoint/Browse) so routing the traffic back to a headend isn't necessary.</P> <P>Having said that, I imagine this code could (with modifications, likely) also work for the purpose of creating an encryption domain.<BR />The main thing is that the output must be IP addresses, since you have to create regular network/host objects.</P> Wed, 09 Jun 2021 23:16:51 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-URL-resolution-quot-IPaddressFeed2CheckPoint-quot/m-p/120794#M8460 PhoneBoy 2021-06-09T23:16:51Z