Jordan_Garden
Employee

Custom Updatable Objects in R80.40 or R81

Hello CheckMates team, 

In reviewing a previous thread (Can we create custom updatable objects in R80.20), I wanted to follow up and ask if this functionality has indeed made its way into R81 and if it is planned to be made available within R80.40 at any point? Have a customer looking to use this functionality instead of the traditional Dynamic URL/IP List via custom application method due to policy install and Blade requirements, and have not been able to find a definitive answer on availability. Appreciate any insight you may be able to share and if there is any documentation available.

0 Kudos
20 Replies
genisis__
Advisor

Do you know if the updatable objects are going to be expanded? Something obvious like having a Check Point Cloud updatable object or Cisco Meraki Cloud as additional objects, which I think would be good.

0 Kudos
PhoneBoy
Admin

It’s called a Generic Data Center object and it was added in R81.
However, it only covers IPs (not URLs).
As for supporting other “Data Center” types @genisis__ If you have a specific need I would approach your local office with the requirements.

0 Kudos
Jordan_Garden
Employee

Thanks @PhoneBoy. Do you happen to know if there are any listed blade requirements? Do not see anything listed in SK167210.

0 Kudos
PhoneBoy
Admin

No specific requirements that I'm aware of.

0 Kudos
genisis__
Advisor

Thanks.

0 Kudos
the_rock
Mentor

Just on a side note, I'm actually surprised that the default geo policy was taken away in R81?? @PhoneBoy ...any idea why, just curious? : )

Andy

0 Kudos
PhoneBoy
Admin

The proper way to do Geo Policy from R80.20 is actually to use Updatable Objects in the Access Policy.
This is far more flexible than the traditional Geo Policy.
We hide the Geo Policy by default in R81+ if you haven't configured any rules and can 'unhide' it if you prefer.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

the_rock
Mentor

Man, you are the best! You are always there for an answer, no matter what the question is : ). Reminds me of good old Pierre Lamy (I'm positive you know who I'm talking about ; )

Andy

0 Kudos
PhoneBoy
Admin

I'm very familiar with him 🙂

JackG
Explorer

Another useful updatable object in my mind would be an updatable object for the Zscaler service.
Zscaler has a lot of ZEN nodes all over the world to provide their SaaS service.
Are there already considerations to integrate a Zscaler updatable object within R80.30?

David_Charnon
Collaborator

As long as we are requesting new updatable objects...how about an updatable object for Check Point services (e.g. updates.checkpoint.com, cws.checkpoint.com). We rely heavily on geo-blocking, and would prefer to allow our gateways and management to talk only to Check Point URLs, instead of all of Israel (we currently block Asia, and have an exception for Israel for our gateways/management).

Dave

the_rock
Mentor

I agree 100%. It would also be awesome if countries could be put in a network group, because some geo rules look like "hot mess" if you have 20 countries in there.

Andy

0 Kudos
genisis__
Advisor

I totally agree, and mentioned the exact same thing. It seems a little short-sighted of Check Point not to include its own cloud services as an updatable object; come on Check Point, make it happen. I can't believe it will take much effort to do it.

the_rock
Mentor

Yea well, tell that to someone in R&D ; )

0 Kudos
genisis__
Advisor

I guess we are, R&D are on this forum and should be listening to what I hope is taken as a constructive improvement suggestion.  

0 Kudos
the_rock
Mentor

Let's see...based on previous experience, I am 99.999% sure it won't happen any time soon...but, let's hope I'm wrong : )

0 Kudos
David_Charnon
Collaborator

I did speak to a couple of Check Point persons at last year's CPX about this very request (can't remember exactly who off the top of my head, but they were in the group that would handle this particular feature), and when I asked for an updatable object for Check Point services, they both got a look on their face like "why didn't we think of that?"

Dave

0 Kudos
George_Casper
Contributor

I wish the Updatable Objects (O365 Teams/Zoom etc.) were available for selection in the Network Group with Exclusions object that we use to granularly allow split tunneling for Teams & Zoom calling while on the VPN. Silly that the objects are there but you just can't use them. The Teams list isn't too bad to manually maintain but Zoom's is huge.

PhoneBoy
Admin

Right now the actual encryption domain can't really change "on the fly" as those objects can and do.
We do have a script that can assist with this (at least for Office 365) which I imagine could also be adapted for Zoom usage as well.

0 Kudos
steffenkoelsch
Explorer

Would this script be publicly available? 🙂

(kind-of hijacking Jordan's thread, but the assumed IP list scraping might be a common base for both purposes)

Steffen