Maik
Advisor

Service type "Service with Resource" via management API

Hello guys,

I just stumbled upon a service that I have not seen so far in any environment. It's the "service with resource" type, which allows you to control your traffic up to and including layer seven for some protocols.

 

Understanding Services with Resources
Resources are used to match a specific kind of application layer content, in other words, to specify what content you are looking for, and to perform some action on the content.
Resources are used with security servers. By default, the enabled security servers are HTTP, FTP, SMTP, Rlogin and Telnet. Only the services that can be used with these security servers are displayed here.
In addition, there is a generic TCP security server that can be used with any TCP service. Every TCP Service has a property called Enable for TCP Resource in the Advanced TCP Service Properties window that allows the service to be used with the generic TCP security server. 
If that property is enabled, that service(s) appears in the list. Services do not have this property enabled by default.

As I am working on an SMS to MDM migration and therefore won't be able to just export/import the configuration on the MDM, I wondered if it would be possible to query "service with resource" objects via the management API. Currently I am using the export/import policy package Python script, which is unable to do anything with these types of objects. Any help and/or advice is appreciated.

Thanks and best regards,

Maik

 

Edit: Please feel free to share, if you have any more information than the quoted text from above when it comes to these services in general (required licensing => is it part of the firewalling blade in R80?).

0 Kudos
6 Replies
PhoneBoy
Admin
Services with Resources have been largely deprecated for some time.
Much of the functionality they provide can generally be achieved through other means.
It's not shocking that the API support for these types of services may be limited.
There are some limitations using them in R80 with Policy Layers (Namely you can only use them in the first layer, only Firewall can be enabled in the blade).
0 Kudos
Maik
Advisor

Thanks for your reply. It makes sense that I did not see it at all when this type of service has been deprecated for some time now.

To achieve close to the same in R80, I would need to license and enable Application Control as well as URL Filtering, I guess? Or is there a different way to achieve this without additional cost/software blades? Currently the customer only has the firewalling blade enabled, that's why I am asking.

0 Kudos
PhoneBoy
Admin
To replace URL Filtering done through "Service with Resource" objects, yes, you need licenses for App Control and URL Filtering blades.
0 Kudos
Maik
Advisor

I see, thanks for the explanation.

The problem is that I won't be able to use that blade in the given environment, in fact I can see the objects in an upgraded R77 to R80 environment but I am unable to move these kinds of objects via the API to the MDM. Now my issue is that I absolutely do not see a way to recreate these service (types) within an R80 deployment.

Could it be that they can be used in R80 if they exist prior to the upgrade but there is no way to create such objects from scratch?

Well maybe this question sounds quite dumb, but as I started with CheckPoint at the R80 level I do not have a clue how to proceed regarding service with resource objects. I can create resources and services but I do not see a way to link both, if that makes sense. The related object symbol is a light bulb but I'm unable to see the light nor do I have a flying light bulb above my head in this case 😛

 

Regards,

Maik

0 Kudos
PhoneBoy
Admin

Right-click on the Services field in the rule and the "Add Service with Resource" option comes up. Note this only works if the policy layer is set to Firewall only, which is the only configuration where these objects are allowed. It will be dimmed if other blades are active in the same layer.

Other than cost, what is the precise reason your customer cannot use the other blades? They are using a solution that doesn't support HTTPS at all and will definitely limit their ability to utilize advanced features of the product since none of them were designed with this configuration in mind.

Maik
Advisor

Thank you! Just saw it by myself, I did not realize that the rule needs to be set to service "any" before you can add a service with resource object. 🙂

Regarding your second point I will try to convince the customer to buy the additional license as it absolutely makes sense regarding further features as well as HTTPS inspection.

0 Kudos
