Creating Azure Public IP Ranges as destination object

Team,

We would like to create Azure Public IP ranges as destination object in Checkpoint R80.10 vSEC firewalls.

Microsoft publishes its IP ranges as XML (https://www.microsoft.com/en-us/download/details.aspx?id=41653). Does anyone have an idea on how to import the .xml file into Checkpoint firewalls using REST API or some other means?

Thanks,

Chandru

7 Replies
Admin

This is something we are planning to add support for in R80.20.

Meanwhile, you can use the following script to do it: https://community.checkpoint.com/docs/DOC-2023-check-point-code-sample-template 

0 Kudos
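
An added example, not written by anyone in this thread and not the script linked above: one way to turn the Azure XML into Management API calls (`add-network`, `add-group`, `publish`) while rejecting malformed or implausibly broad ranges before they reach a rule base. The XML layout (`Region`/`IpRange` with a `Subnet` attribute), the object naming scheme, `build_calls` and `MIN_PREFIX` are assumptions, and the sample data is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of the Azure public IP XML:
# Region elements containing IpRange elements with a Subnet attribute.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="198.51.100.0/24" />
    <IpRange Subnet="203.0.113.64/26" />
    <IpRange Subnet="203.0.113.64/26" />
    <IpRange Subnet="0.0.0.0/0" />
    <IpRange Subnet="not-a-cidr" />
  </Region>
</AzurePublicIpAddresses>"""

MIN_PREFIX = 8  # assumption: anything broader than /8 is treated as a feed error


def build_calls(xml_text, region, prefix="azure"):
    """Return (calls, rejected) for one region.

    calls is a list of (command, payload) pairs to POST, in order, to
    https://<management-server>/web_api/<command> after login.
    """
    root = ET.fromstring(xml_text)
    calls, rejected, members = [], [], []
    for node in root.findall(f"./Region[@Name='{region}']/IpRange"):
        raw = node.get("Subnet", "")
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            rejected.append(raw)          # malformed, or host bits set
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append(raw)          # too broad to trust in an allow rule
            continue
        name = f"{prefix}_{region}_{net.network_address}_{net.prefixlen}"
        if name in members:
            continue                      # duplicate entry in the feed
        members.append(name)
        calls.append(("add-network", {"name": name,
                                      "subnet": str(net.network_address),
                                      "mask-length": net.prefixlen}))
    calls.append(("add-group", {"name": f"{prefix}_{region}", "members": members}))
    calls.append(("publish", {}))
    return calls, rejected
```

Log the `rejected` list on every run: an unexpected entry there means the published file changed shape or content and the resulting group should be reviewed before the policy is installed.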
Thanks Dameon for providing the script.

It was nice meeting you in CPX360. From Technology Innovation labs, I thought Checkpoint is going to release Office 365 addresses as dynamic objects in R80.20. Wish they include Azure ranges as well in R80.20.

0 Kudos
Admin

I believe from past conversations with R&D that support for Azure ranges is also planned. 

Ivory

Any news on this? MS is now encouraging everyone not to use the XML but their API: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

I would love to get those IP ranges and URL lists into my R80.20 management and (most of all) keep them updated.

0 Kudos
Hi All,

I also have to allow the following wildcard Azure domains through the Firewall, but the wildcard would need to resolve to an IP address. Is there a way this can be achieved in R80.20?

*.aadcdn.microsoftonline-p.com
*.aka.ms
*.applicationinsights.io
*.azure.com
*.azure.net
*.azureafd.net
*.azure-api.net
*.azuredatalakestore.net
*.azureedge.net
*.loganalytics.io
*.microsoft.com
*.microsoftonline.com
*.microsoftonline-p.com
*.msauth.net
*.msftauth.net
*.trafficmanager.net
*.visualstudio.com
*.windows.net
*.windows-int.net

Many Thanks in advance

0 Kudos
Nickel

I have example scripts, which I use in production, doing this with psCheckPoint for Azure, AWS & O365 IPs.

psCheckPoint/Examples/GroupSync at master · tkoopman/psCheckPoint · GitHub 

Nickel

I have this same problem and am looking at this as a possible solution:

Updatable Objects in R80.20 and above

This currently supports whitelisting of AWS, Azure, Office365, Zoom, Slack, WebEx, Dropbox, Okta, and Intune (whatever the heck that is). My concern however is it mentions the DNS servers of the Checkpoint gateway should be the same as the endpoints, which implies it's doing real-time DNS lookups rather than downloading/refreshing set databases.

0 Kudos