This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2023-02-02 05:40 AM
Jump to solution

Supportcenter now Geo-blocked

In case anyone else runs into this:

We allow "Check Point Services" as a destination for our support admins. This morning, when attempting to access supportcenter.checkpoint.com, I could not. Checking the logs, I found that the destination 194.29.39.55 was being dropped by our geo-blocking policy. We block Israel, among many other countries, in our geo-blocking policy after the rule which allows "Check Point Services". The IP does not resolve to a domain name, but is owned by Check Point.

Not sure how we are going to handle this. Best case scenario is that Check Point updates the updatable object "Check Point Services" to include this IP. I don't really want to open "Israel" for all clients.

Dave

1 Solution

Accepted Solutions
Micky_Michaeli
Employee
Employee
‎2023-02-02 09:45 AM
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson , @David_C1 

The domain supportcenter.checkpoint.com is included in "Check Point Services" object.

We use domains in this UO instead of set of IPs as the domains are resolved to different IPs from time to time according to DNS servers.
For example, currently supportcenter.checkpoint.com is resolved to a different IP:
Name: supportcenter.g04.checkpoint.com
Address: 194.29.39.18
Aliases: supportcenter.checkpoint.com

We have DNS Passive Learning (sk161612) to improve the matching of Domain objects (the content we have in Check Point Services object) - please review it as it can solve the issue when a domain is resolved suddenly to a 'new' IP before the GW resolved it and saved it on its cache.

Thanks,
Micky

View solution in original post

20 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-02-02 06:00 AM
Jump to solution

You could open the parent subnet that contains it as an option rather than the whole country in the interim.

@Micky_Michaeli is this something that is intended to be covered by the existing updatable object?

CCSM R77/R80/ELITE
David_C1
Advisor
‎2023-02-02 06:35 AM
In response to Chris_Atkinson
Jump to solution

Yes, I could and very well may do this as a fix, however, I'd like to think Check Point could keep the updatable object for their own services up to date.

Dave

Micky_Michaeli
Employee
Employee
‎2023-02-02 09:45 AM
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson , @David_C1 

The domain supportcenter.checkpoint.com is included in "Check Point Services" object.

We use domains in this UO instead of set of IPs as the domains are resolved to different IPs from time to time according to DNS servers.
For example, currently supportcenter.checkpoint.com is resolved to a different IP:
Name: supportcenter.g04.checkpoint.com
Address: 194.29.39.18
Aliases: supportcenter.checkpoint.com

We have DNS Passive Learning (sk161612) to improve the matching of Domain objects (the content we have in Check Point Services object) - please review it as it can solve the issue when a domain is resolved suddenly to a 'new' IP before the GW resolved it and saved it on its cache.

Thanks,
Micky

the_rock
MVP Gold
MVP Gold
‎2023-02-02 10:02 AM
In response to Micky_Michaeli
Jump to solution

Excellent explanation, thank you @Micky_Michaeli 

the_rock
MVP Gold
MVP Gold
‎2023-02-02 06:16 AM
Jump to solution

Hm...never really ran into that sort of issue, but I always tell every customer to never block country of Israel for obvious reasons. Now, if you have to do that, logically, as long as the rule allowing CP services is ABOVE geo rule blocking Israel, dont see why that would be a problem. I assume that that rule has worked fine up until now?

0 Kudos
David_C1
Advisor
‎2023-02-02 06:34 AM
In response to the_rock
Jump to solution

Access to the support site and all other Check Point sites has worked fine up until today, with one exception, catalog.checkpoint.com always has been geo-blocked, as it must not be included in the "Check Point Services" updatable object.

the_rock
MVP Gold
MVP Gold
‎2023-02-02 06:38 AM
In response to David_C1
Jump to solution

Correct, I dont see catalog site as per link below I pointed out.

How to verify that Security Gateway and/or Security Management Server can access Check Point servers...

Screenshot_1.png

0 Kudos
David_C1
Advisor
‎2023-02-02 06:46 AM
In response to the_rock
Jump to solution

Based on this, I am understanding that the updatable object "Check Point Services" includes only the hostnames/domains listed in sk83520? supportcenter.checkpoint.com is not listed here either, yet this was allowed by "Check Point Services" until this morning.

According to the revision history, sk83520 has not been updated since May 29, 2017.

Dave

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-02-02 06:48 AM
In response to David_C1
Jump to solution

That, Im not sure whatsoever, so I will let someone who works for Check Point confirm. Reading the sk, its not 100% clear to me and I dont want to assume anything.

Andy

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-02-02 06:50 AM
In response to David_C1
Jump to solution

You can see the raw list here as is:

https://secureupdates.checkpoint.com/cp_services/V1_0_0/gw/cp_services_uo

CCSM R77/R80/ELITE
David_C1
Advisor
‎2023-02-02 07:05 AM
In response to Chris_Atkinson
Jump to solution

Thank you, I will bookmark that. Any chance we could get "catalog.checkpoint.com" added to the list?

Also, I was just able to connect to supportcenter.checkpoint.com...I think my mistake was trying to connect to support.checkpoint.com. I cannot connect to support.checkpoint.com with our geo-blocking policy in place, I can connect to it from a source not subject to our geo-blocking policies. support.checkpoint.com resolves to 194.29.39.55, which is what I saw getting geo-blocked in my logs.

Dave

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-02-02 07:11 AM
In response to David_C1
Jump to solution

Based on maxmind.com, which CP uses by the way for their Geo database, it shows that IP belongs to country of Israel, which in your case is blocked, but since support.checkpoint.com is not included in the list Chris sent, it makes sense why its not working, but it is puzzling how come it did work for you up until today though.

Andy

0 Kudos
David_C1
Advisor
‎2023-02-02 07:17 AM
In response to the_rock
Jump to solution

I think this was my mistake (see above). supportcenter.checkpoint.com was and is working, support.checkpoint.com is not, which makes sense based on the list Chris sent.

Ideally, both support.checkpoint.com and catalog.checkpoint.com would be added to the list of URLs contained in the "Check Point Services" updatable object.

Dave

(1)
the_rock
MVP Gold
MVP Gold
‎2023-02-02 07:18 AM
In response to David_C1
Jump to solution

Ok, got it, see what you mean.

Cheers,

Andy

0 Kudos
Micky_Michaeli
Employee
Employee
‎2023-02-02 09:55 AM
In response to David_C1
Jump to solution

Hi @David_C1,

I will ask the relevant R&D team to add these 2 missing domains to the UO object.

Thanks,
Micky

David_C1
Advisor
‎2023-02-02 09:58 AM
In response to Micky_Michaeli
Jump to solution

Excellent, thank you.

Dave

Wolfgang
MVP Gold
MVP Gold
‎2023-02-02 12:30 PM
In response to David_C1
Jump to solution

Something strange…. support.checkpoint.com sometime working sometimes not. Not behind any Check Point device.

https://support.checkpoint.com looks like this:

BF346B5A-A376-48A2-9A26-C8EA43B12AF7.jpeg 

 

 

 

 

 

and a little bit different https://supportcenter.checkpoint.com :

1D3ED13F-83DD-45BC-9895-97E66522CF24.jpeg

I thought I used support.checkpoint.com over the last 20 years.

the_rock
MVP Gold
MVP Gold
‎2023-02-02 12:38 PM
In response to Wolfgang
Jump to solution

Im so glad you pointed this out, because I thought I was going crazy : - ). I always used support.checkpoint.com and Im positive would always redirect to supportcenter.checkpoint.com

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-02 10:55 PM
In response to Wolfgang
Jump to solution

I didn’t think support.checkpoint.com was “public” just yet…guess it is now 😉
We are redesigning our support portal and plan to launch it formally in the next few months.
The current “beta” is missing a few things, though.
Feedback is welcome.

Wolfgang
MVP Gold
MVP Gold
‎2023-02-02 11:41 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy  I like the new, fresh and modern design. Search filters on the left are a good feature and it's very fast.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events