I configured updatable objects in my Access Policy but was greeted with a deny log stating "updatable objects is used in policy but gateway package is missing". This is a VSX environment and I am getting these logs on a VS. I have proxy and DNS configured. I read on another forum that individual NAT and access is to be allowed towards updates.checkpoint.com on the VS. If my VS0 is already able to resolve everything, then is individual access required on other VS? Moreover, how do I allow access towards the URL "updates.checkpoint.com" and how does the NAT have to be set up for this? My external bond interface has a public IP.
For updatable objects, you need to access a different FQDN. Refer to sk83520 for full info. I believe it is dl3.checkpoint.com, but please check there, just in case.
I also believe updatable objects are pulled from the target VS and not VS0.
Here is a similar discussion with more details: https://community.checkpoint.com/t5/Security-Gateways/Updatable-Objects-in-VSX/m-p/99187
TL;DR - VS itself has to have connectivity to the update service. There should be a NAT rule allowing it to get packets back.
In this discussion it is mentioned to create a NAT and an ACL. How do I provide an access rule towards a URL? My external interface is configured with a public IP and I can ping external addresses via it. Is NAT required in this case?
You do not have to have a rule, actually; GW to internet access is covered by implied rules already. What you need is NAT. When a VS is sending traffic, one of the "funny IPs" is used. It should be NAT-ed in a way that traffic can return. Please carefully read the discussion I referred to above; it is explained there.
OK, I got the funny IP part, so here is what I have done.
1) Applied a NAT rule from src 192.168.96.0/24 towards any with a hide NAT (public IP)
2) Tried curl_cli updates.checkpoint.com and I am able to resolve it from the VS
3) Ran unified_dl UPDATE ONLINE_SERVICES
However, after doing all this I still cannot see last_resvision.xml being created in #CPDIR/database/downloads/ONLINE_SERVICES/1.0 of the VS.
Just one thing which I suppose may be an issue: I have a proxy configured in SmartConsole/VS0. VS2 cannot reach that proxy. Is VS2 trying to reach the internet via the proxy even when a direct NAT is available? Any way to get around this?