Jordan_Garden
Employee Alumnus

Custom Updatable Objects in R80.40 or R81

Hello CheckMates team, 

In reviewing a previous thread (Can we create custom updatable objects in R80.20), I wanted to follow up and ask if this functionality has indeed made its way into R81 and if it is planned to be made available within R80.40 at any point. I have a customer looking to use this functionality instead of the traditional Dynamic URL/IP List via custom application method due to policy install and Blade requirements, and have not been able to find a definitive answer on availability. Appreciate any insight you may be able to share and if there is any documentation available.

0 Kudos
29 Replies
genisis__
Leader

Do you know if the updatable objects are going to be expanded? Something obvious like having a Check Point Cloud updatable object or Cisco Meraki Cloud as additional objects, which I think would be good.

0 Kudos
PhoneBoy
Admin

It’s called a Generic Data Center object and it was added in R81.
However, it only covers IPs (not URLs).
As for supporting other “Data Center” types @genisis__ If you have a specific need I would approach your local office with the requirements.

0 Kudos
Jordan_Garden
Employee Alumnus

Thanks @PhoneBoy . Do you happen to know if there are any listed blade requirements? Do not see anything listed in SK167210 

0 Kudos
PhoneBoy
Admin

No specific requirements that I'm aware of.

0 Kudos
genisis__
Leader

Thanks.

0 Kudos
_khard
Employee

Can we add URLs as well in the Generic Data Center objects?

Like I get a list of 200 URLs from the infosec team which I need to block. I'll have to first get the IP addresses of all the URLs and then create the list and update.

Is there another way to do this?

0 Kudos
the_rock
Legend

I don't think you can. For URLs, you can have an Excel CSV file with the list, then import it into a custom urlf object.

Andy

0 Kudos
_khard
Employee

Got to know that we can use Network feeds which are supported in R81.20. 

The feed can contain IP addresses (single or ranges), domains, or both.

For example:

  • Single IP (1.1.1.1)

  • Range (1.1.1.1-2.2.2.2)

  • IP + masklen (1.1.1.1/24)

  • FQDN domain (google.com)

  • Non-FQDN domain (*.google.com)

0 Kudos
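As an added example (not from the thread and not Check Point code): one way to turn a mixed list of URLs, domains and IPs, such as the 200-entry list mentioned earlier, into feed lines of the five kinds listed in the post above. The one-entry-per-line layout, the rejection of reversed ranges, the names `classify` and `build_feed`, and the sample values are assumptions of this example; check the SK for the exact file format the gateway expects.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
def _is_hostname(name):
    labels = name.split(".")
    return (len(labels) >= 2 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels))

def classify(entry):
    """Return which of the five entry kinds from the post this is, else None."""
    if "-" in entry:  # candidate low-high range (reversed ranges rejected); hostnames also use "-"
        low, _, high = entry.partition("-")
        try:
            return "range" if ipaddress.ip_address(low) <= ipaddress.ip_address(high) else None
        except (ValueError, TypeError):  # not two IPs of the same family
            pass
    try:
        ipaddress.ip_address(entry)
        return "single_ip"
    except ValueError:
        pass
    if "/" in entry:
        try:  # strict=False: the post's own example 1.1.1.1/24 has host bits set
            ipaddress.ip_network(entry, strict=False)
            return "ip_masklen"
        except ValueError:
            return None
    if entry.startswith("*."):
        return "wildcard_domain" if _is_hostname(entry[2:]) else None
    return "fqdn" if _is_hostname(entry) else None

def build_feed(items):  # -> (feed_lines, rejected_inputs)
    feed, rejected = [], []
    for raw in items:
        try:  # URLs are reduced to the host: a feed holds IPs and domains, not paths
            host = urlsplit(raw.strip()).hostname if "://" in raw else raw.strip()
        except ValueError:
            host = None
        host = (host or "").lower().rstrip(".")
        if classify(host) is None:
            rejected.append(raw)
        elif host not in feed:
            feed.append(host)
    return feed, rejected

# Constructed sample input: the post's five kinds, two URLs for one host, three bad entries.
SAMPLE = ["1.1.1.1", "1.1.1.1-2.2.2.2", "1.1.1.1/24", "google.com", "*.google.com",
          "https://Login.Example.com/reset?id=1", "http://login.example.com/x",
          "2.2.2.2-1.1.1.1", "not a domain", "1.2.3.999"]
```

Because a URL collapses to its host, two URLs on the same site become one feed line, and blocking that line affects the whole host rather than a single path.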
the_rock
Legend

Right, but you can't add fqdn manually into it.

Andy

0 Kudos
_khard
Employee

Hi @the_rock 

Didn't quite get you: "can't add fqdn manually into it" - do you mean a custom FQDN (made up)?

In the SK it shows we can add domains into the file.

0 Kudos
the_rock
Legend

I meant you can't add custom right in the object itself. You can to a file, as long as the format is right.

Andy

0 Kudos
the_rock
Legend

Also, worth mentioning on top of what @PhoneBoy said, for network feeds, you can NOT use a path on the mgmt server, like you can for a generic data center object, but as he said, data center objects don't support URLs, ONLY IP addresses.

Andy

 

the_rock
Legend

By the way @_khard, below is what I was referring to.

Andy

Screenshot_1.png

 

 

Screenshot_2.png

PhoneBoy
Admin

Upgrade to R81.20 and use Network Feed objects, which support this.
Generic DataCenter objects only support IPs.

0 Kudos
the_rock
Legend

Just on a side note, I'm actually surprised that the default geo policy was taken away in R81?? @PhoneBoy ...any idea why, just curious? : )

 

Andy

0 Kudos
PhoneBoy
Admin

The proper way to do Geo Policy from R80.20 is actually to use Updatable Objects in the Access Policy.
This is far more flexible than the traditional Geo Policy.
We hide the Geo Policy by default in R81+ if you haven't configured any rules and can 'unhide' it if you prefer.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

the_rock
Legend

Man, you are the best! You are always there for an answer, no matter what the question is : ). Reminds me of good old Pierre Lamy (I'm positive you know who I'm talking about ; )

Andy

0 Kudos
PhoneBoy
Admin

I'm very familiar with him 🙂

JackG
Explorer

Another useful updatable object in my mind would be an updatable object for Zscaler service.
Zscaler has a lot of ZEN nodes all over the world to provide their SaaS service. 
Are there already considerations to integrate Zscaler updatable object within R80.30 ?

David_C1
Advisor

As long as we are requesting new updatable objects...how about an updatable object for Check Point services (e.g. updates.checkpoint.com, cws.checkpoint.com). We rely heavily on geo-blocking, and would prefer to only allow our gateways and management to talk only to Check Point URLs, instead of all of Israel (we currently block Asia, and have an exception for Israel for our gateways/management).

Dave

the_rock
Legend

I agree 100%. It would also be awesome if countries could be put in a network group, because some geo rules look like "hot mess" if you have 20 countries in there.

Andy

0 Kudos
genisis__
Leader

I totally agree, and mentioned the exact same thing. It seems a little short-sighted of Check Point not to include its own cloud services as an updatable object, come on Check Point, make it happen. I can't believe it will take much effort to do it.

 

the_rock
Legend

Yea well, tell that to someone in R&D ; )

0 Kudos
genisis__
Leader

I guess we are, R&D are on this forum and should be listening to what I hope is taken as a constructive improvement suggestion.  

0 Kudos
the_rock
Legend

Let's see...based on previous experience, I am 99.999% sure it won't happen any time soon...but, let's hope I'm wrong : )

0 Kudos
David_C1
Advisor

I did speak to a couple of Check Point persons at last year's CPX about this very request (can't remember exactly who off the top of my head, but they were in the group that would handle this particular feature), and when I asked for an updatable object for Check Point services, they both got a look on their face like "why didn't we think of that?"

Dave

0 Kudos
George_Casper
Contributor

I wish the Updatable Objects (O365 Teams/Zoom etc.) were available for selection in the Network Group with Exclusions object that we use to granularly allow split tunneling for Teams & Zoom calling while on the VPN. Silly that the objects are there but you just can't use them. The Teams list isn't too bad to manually maintain but Zoom's is huge.

 

PhoneBoy
Admin

Right now the actual encryption domain can't really change "on the fly" as those objects can and do.
We do have a script that can assist with this (at least for Office 365) which I imagine could also be adapted for Zoom usage as well.

0 Kudos
steffenkoelsch
Explorer

Would this script be publicly available? 🙂

(kind-of hijacking Jordan's thread, but the assumed IP list scraping might be a common base for both purposes)

 

Steffen
