LostBoY
Advisor

R80.40 - Updatable Objects Issue on VS

I configured updatable objects in my Access Policy but was greeted with a deny log stating "updatable objects is used in policy but gateway package is missing". This is a VSX environment and I am getting these logs on a VS. I have proxy and DNS configured. I read on another forum that individual NAT and access are to be allowed towards updates.checkpoint.com on the VS. If my VS0 is already able to resolve everything, is individual access required on the other VSs? Moreover, how do I allow access towards the URL "updates.checkpoint.com", and how does the NAT have to be set up for this? My external bond interface has a public IP.

0 Kudos
5 Replies
_Val_
Admin

For updatable objects, you need to access a different FQDN. Refer to sk83520 for full info. I believe it is dl3.checkpoint.com, but please check there, just in case.

I also believe updatable objects are pulled from the target VS and not VS0.

0 Kudos
_Val_
Admin

Here is a similar discussion with more details: https://community.checkpoint.com/t5/Security-Gateways/Updatable-Objects-in-VSX/m-p/99187

TL;DR - the VS itself has to have connectivity to the update service. There should be a NAT rule allowing it to get packets back.

0 Kudos
LostBoY
Advisor

In this discussion it is mentioned to create a NAT and an ACL. How do I provide an access rule towards a URL? And my external interface is configured with a public IP and I can ping external addresses via it. Is NAT required in this case?

0 Kudos
_Val_
Admin

You do not have to have a rule, actually; GW to internet access is covered by implied rules already. What you need is NAT. When a VS is sending traffic, one of the "funny IPs" is used. It should be NAT-ed in a way that lets the traffic return. Please carefully read the discussion I referred to above; it is explained there.

0 Kudos
LostBoY
Advisor

OK, I got the funny IP part, so here is what I have done.

1) Applied a NAT rule from src 192.168.96.0/24 towards any with a hide NAT (public IP)

2) Tried curl_cli updates.checkpoint.com and I am able to resolve it from the VS

3) Ran unified_dl UPDATE ONLINE_SERVICES

However, after doing all this I still cannot see last_revision.xml being created in $CPDIR/database/downloads/ONLINE_SERVICES/1.0 of the VS.

Just one thing which I suppose may be an issue: I have a proxy configured in SmartConsole/VS0, and VS2 cannot reach that proxy. Is VS2 trying to reach the internet via the proxy even when a direct NAT is available? Any way to get around this?

0 Kudos