Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
David_C1
Advisor
Jump to solution

Supportcenter now Geo-blocked

In case anyone else runs into this:

We allow "Check Point Services" as a destination for our support admins. This morning, when attempting to access supportcenter.checkpoint.com, I could not. Checking the logs, I found that the destination 194.29.39.55 was being dropped by our geo-blocking policy. We block Israel, among many other countries, in our geo-blocking policy after the rule which allows "Check Point Services". The IP does not resolve to a domain name, but is owned by Check Point.

Not sure how we are going to handle this. Best case scenario is that Check Point updates the updatable object "Check Point Services" to include this IP. I don't really want to open "Israel" for all clients.

Dave

1 Solution

Accepted Solutions
Micky_Michaeli
Employee
Employee

Hi @Chris_Atkinson , @David_C1 

The domain supportcenter.checkpoint.com is included in "Check Point Services" object.

We use domains in this UO instead of set of IPs as the domains are resolved to different IPs from time to time according to DNS servers.
For example, currently supportcenter.checkpoint.com is resolved to a different IP:
Name: supportcenter.g04.checkpoint.com
Address: 194.29.39.18
Aliases: supportcenter.checkpoint.com

We have DNS Passive Learning (sk161612) to improve the matching of Domain objects (the content we have in Check Point Services object) - please review it as it can solve the issue when a domain is resolved suddenly to a 'new' IP before the GW resolved it and saved it on its cache.

Thanks,
Micky

View solution in original post

20 Replies
Chris_Atkinson
Employee Employee
Employee

You could open the parent subnet that contains it as an option rather than the whole country in the interim.

@Micky_Michaeli is this something that is intended to be covered by the existing updatable object?

CCSM R77/R80/ELITE
David_C1
Advisor

Yes, I could and very well may do this as a fix, however, I'd like to think Check Point could keep the updatable object for their own services up to date.

Dave

Micky_Michaeli
Employee
Employee

Hi @Chris_Atkinson , @David_C1 

The domain supportcenter.checkpoint.com is included in "Check Point Services" object.

We use domains in this UO instead of set of IPs as the domains are resolved to different IPs from time to time according to DNS servers.
For example, currently supportcenter.checkpoint.com is resolved to a different IP:
Name: supportcenter.g04.checkpoint.com
Address: 194.29.39.18
Aliases: supportcenter.checkpoint.com

We have DNS Passive Learning (sk161612) to improve the matching of Domain objects (the content we have in Check Point Services object) - please review it as it can solve the issue when a domain is resolved suddenly to a 'new' IP before the GW resolved it and saved it on its cache.

Thanks,
Micky

the_rock
Legend
Legend

Excellent explanation, thank you @Micky_Michaeli 

the_rock
Legend
Legend

Hm...never really ran into that sort of issue, but I always tell every customer to never block country of Israel for obvious reasons. Now, if you have to do that, logically, as long as the rule allowing CP services is ABOVE geo rule blocking Israel, dont see why that would be a problem. I assume that that rule has worked fine up until now?

0 Kudos
David_C1
Advisor

Access to the support site and all other Check Point sites has worked fine up until today, with one exception, catalog.checkpoint.com always has been geo-blocked, as it must not be included in the "Check Point Services" updatable object.

the_rock
Legend
Legend
0 Kudos
David_C1
Advisor

Based on this, I am understanding that the updatable object "Check Point Services" includes only the hostnames/domains listed in sk83520? supportcenter.checkpoint.com is not listed here either, yet this was allowed by "Check Point Services" until this morning.

According to the revision history, sk83520 has not been updated since May 29, 2017.

Dave

0 Kudos
the_rock
Legend
Legend

That, Im not sure whatsoever, so I will let someone who works for Check Point confirm. Reading the sk, its not 100% clear to me and I dont want to assume anything.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee

You can see the raw list here as is:

https://secureupdates.checkpoint.com/cp_services/V1_0_0/gw/cp_services_uo

CCSM R77/R80/ELITE
David_C1
Advisor

Thank you, I will bookmark that. Any chance we could get "catalog.checkpoint.com" added to the list?

Also, I was just able to connect to supportcenter.checkpoint.com...I think my mistake was trying to connect to support.checkpoint.com. I cannot connect to support.checkpoint.com with our geo-blocking policy in place, I can connect to it from a source not subject to our geo-blocking policies. support.checkpoint.com resolves to 194.29.39.55, which is what I saw getting geo-blocked in my logs.

Dave

0 Kudos
the_rock
Legend
Legend

Based on maxmind.com, which CP uses by the way for their Geo database, it shows that IP belongs to country of Israel, which in your case is blocked, but since support.checkpoint.com is not included in the list Chris sent, it makes sense why its not working, but it is puzzling how come it did work for you up until today though.

Andy

0 Kudos
David_C1
Advisor

I think this was my mistake (see above). supportcenter.checkpoint.com was and is working, support.checkpoint.com is not, which makes sense based on the list Chris sent.

Ideally, both support.checkpoint.com and catalog.checkpoint.com would be added to the list of URLs contained in the "Check Point Services" updatable object.

Dave

(1)
the_rock
Legend
Legend

Ok, got it, see what you mean.

Cheers,

Andy

0 Kudos
Micky_Michaeli
Employee
Employee

Hi @David_C1,

I will ask the relevant R&D team to add these 2 missing domains to the UO object.

Thanks,
Micky

David_C1
Advisor

Excellent, thank you.

Dave

Wolfgang
Authority
Authority

Something strange…. support.checkpoint.com sometime working sometimes not. Not behind any Check Point device.

https://support.checkpoint.com looks like this:

BF346B5A-A376-48A2-9A26-C8EA43B12AF7.jpeg 

 

 

 

 

 

and a little bit different https://supportcenter.checkpoint.com :

1D3ED13F-83DD-45BC-9895-97E66522CF24.jpeg

I thought I used support.checkpoint.com over the last 20 years.

the_rock
Legend
Legend

Im so glad you pointed this out, because I thought I was going crazy : - ). I always used support.checkpoint.com and Im positive would always redirect to supportcenter.checkpoint.com

0 Kudos
PhoneBoy
Admin
Admin

I didn’t think support.checkpoint.com was “public” just yet…guess it is now 😉
We are redesigning our support portal and plan to launch it formally in the next few months.
The current “beta” is missing a few things, though.
Feedback is welcome.

Wolfgang
Authority
Authority

@PhoneBoy  I like the new, fresh and modern design. Search filters on the left are a good feature and it's very fast.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events