Chandhrasekar_S
Collaborator

Creating Azure Public IP Ranges as destination object

Team,

We would like to create the Azure Public IP ranges as a destination object in Check Point R80.10 vSEC firewalls.

Microsoft publishes its IP ranges as XML (https://www.microsoft.com/en-us/download/details.aspx?id=41653). Does anyone have an idea of how to import the .xml file into Check Point firewalls using the REST API or some other means?

Thanks,

Chandru

7 Replies
PhoneBoy
Admin

This is something we are planning to add support for in R80.20.

Meanwhile, you can use the following script to do it: https://community.checkpoint.com/docs/DOC-2023-check-point-code-sample-template

Chandhrasekar_S
Collaborator

Thanks, Dameon, for providing the script.

It was nice meeting you at CPX360. From the Technology Innovation labs, I thought Check Point was going to release Office 365 addresses as dynamic objects in R80.20. I wish they would include Azure ranges as well in R80.20.

PhoneBoy
Admin

I believe from past conversations with R&D that support for Azure ranges is also planned.

lepole
Explorer

Any news on this? MS is now encouraging everyone not to use the XML but their API: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

I would love to get those IP ranges and URL lists into my R80.20 management and (most of all) keep them updated.

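The two feeds mentioned in this thread (the original question's Azure PublicIPs XML download and the Office 365 IP web service JSON that lepole points to) can both be turned into Check Point Management API calls with a short script. The following is an added example, not code from the thread, from Check Point, or from the linked code-sample template. It assumes the R80.x Management API commands add-network, add-group and publish posted to https://<management-server>/web_api/<command> with an X-chkp-sid header obtained from a prior login; the two sample feeds are constructed to mirror the layout of the real files and carry illustrative values only, and the object-naming convention is this example's own choice.

```python
"""Import Azure / Office 365 IP ranges as Check Point network objects (added example)."""
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Microsoft's PublicIPs_*.xml download.
SAMPLE_AZURE_XML = """<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="13.69.0.0/17" />
    <IpRange Subnet="13.73.128.0/18" />
  </Region>
  <Region Name="useast">
    <IpRange Subnet="13.82.0.0/16" />
    <IpRange Subnet="not-a-subnet" />
  </Region>
</AzurePublicIpAddresses>"""

# Constructed sample in the layout of the Office 365 IP web service JSON
# (endpoints/worldwide); the real feed has many more entries.
SAMPLE_O365_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
   "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "80,443", "required": true},
  {"id": 2, "serviceArea": "Skype", "urls": ["*.lync.com"],
   "ips": ["13.107.64.0/18"], "udpPorts": "3478", "required": false}
]"""


def _net(text):
    """Strict parse: a malformed prefix is dropped rather than turned into a wrong object."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def parse_azure_xml(xml_text):
    """Return [(label, network), ...] from the Azure XML, labelled by region."""
    out = []
    for region in ET.fromstring(xml_text).iter("Region"):
        for ip_range in region.iter("IpRange"):
            net = _net(ip_range.get("Subnet", ""))
            if net is not None:
                out.append(("Azure_" + region.get("Name"), net))
    return out


def parse_o365_json(json_text, required_only=True):
    """Return [(label, network), ...] from the O365 web-service JSON, labelled by service area."""
    out = []
    for entry in json.loads(json_text):
        if required_only and not entry.get("required", False):
            continue
        for ip in entry.get("ips", []):   # URL-only entries have no "ips" key
            net = _net(ip)
            if net is not None:
                out.append(("O365_" + entry["serviceArea"], net))
    return out


def object_name(label, net):
    """Deterministic name (assumed convention) so a re-run can find existing objects."""
    return "%s_%s_%d" % (label, net.network_address, net.prefixlen)


def build_api_calls(entries, group_name):
    """(command, body) pairs: one add-network per prefix, one group holding them, then publish."""
    calls, members = [], []
    for label, net in entries:
        name = object_name(label, net)
        body = {"name": name, "comments": "auto-imported from Microsoft IP feed"}
        if net.version == 4:
            body.update({"subnet4": str(net.network_address), "mask-length4": net.prefixlen})
        else:
            body.update({"subnet6": str(net.network_address), "mask-length6": net.prefixlen})
        calls.append(("add-network", body))
        members.append(name)
    calls.append(("add-group", {"name": group_name, "members": members}))
    calls.append(("publish", {}))
    return calls


def run(calls, post):
    """Execute calls via post(command, body) -> dict; stop before publish on the first API error."""
    results = []
    for command, body in calls:
        resp = post(command, body)
        results.append(resp)
        if "code" in resp:   # Management API error responses carry a "code" field
            break
    return results


def make_https_poster(mgmt_host, sid):
    """Real transport: POST JSON to https://<mgmt_host>/web_api/<command> with the session id."""
    import urllib.request

    def post(command, body):
        req = urllib.request.Request(
            "https://%s/web_api/%s" % (mgmt_host, command),
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid},
            method="POST")
        with urllib.request.urlopen(req) as r:   # certificate is verified by default
            return json.loads(r.read().decode())
    return post


if __name__ == "__main__":
    entries = parse_azure_xml(SAMPLE_AZURE_XML) + parse_o365_json(SAMPLE_O365_JSON)
    for command, body in build_api_calls(entries, "Microsoft_Cloud_IPs"):
        print(command, json.dumps(body))   # dry run: show what would be sent
```

Run it as-is for a dry run that prints the request bodies; to apply them, pass `run(calls, make_https_poster("mgmt.example.internal", sid))` with a session id from the login command. Because the loop stops on the first error, a bad feed never reaches publish and the unpublished session can be discarded; keeping the feed's subnets strict (no host bits set) is what prevents a typo in the feed from becoming an over-broad rule object.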
Alan_Camelo1
Contributor

Hi All,

I also have to allow the following wildcard Azure domains through the firewall, but the wildcard would need to resolve to an IP address. Is there a way this can be achieved in R80.20?

*.aadcdn.microsoftonline-p.com

*.aka.ms

*.applicationinsights.io

*.azure.com

*.azure.net

*.azureafd.net

*.azure-api.net

*.azuredatalakestore.net

*.azureedge.net

*.loganalytics.io

*.microsoft.com

*.microsoftonline.com

*.microsoftonline-p.com

*.msauth.net

*.msftauth.net

*.trafficmanager.net

*.visualstudio.com

*.windows.net

*.windows-int.net

Many thanks in advance.
Tim_Koopman
Contributor

I have example scripts, which I use in production, doing this with psCheckPoint for Azure, AWS & O365 IPs.

psCheckPoint/Examples/GroupSync at master · tkoopman/psCheckPoint · GitHub 

johnnyringo
Collaborator

I have this same problem and am looking at this as a possible solution:

Updatable Objects in R80.20 and above

This currently supports whitelisting of AWS, Azure, Office365, Zoom, Slack, WebEx, Dropbox, Okta, and Intune (whatever the heck that is). My concern, however, is that it mentions the DNS servers of the Check Point gateway should be the same as the endpoints', which implies it's doing real-time DNS lookups rather than downloading/refreshing set databases.