Kaspars_Zibarts
Authority

Updatable Object for Checkpoint services


Here's a million dollar question (or maybe $5) 

What's missing from the list of Updatable Objects below? Where are Checkpoint services? The ones that are listed here: sk83520

Of course you could create FQDN objects manually or a custom application category with URLs included, but that means manual maintenance. Would be so nice to have a pre-built object that's maintained by CP themselves! Have a great Friday!

image.png

Wolfgang
Leader

Yeah @Kaspars_Zibarts  this would be really nice to have.

Same for enhancement of the "HTTPS services - bypass" object for known problematic sites from "Several HTTPS web sites and applications might not work properly when HTTPS Inspection is enabled on...", not only "HTTPS Inspection bypass list object for R80.40 and higher".

0 Kudos
genisis__
Advisor

I've banged on about this as well to Checkpoint; it's completely stupid of Checkpoint not to include their own services as part of this.

Nadav_Feigenbla
Employee

Hello @Kaspars_Zibarts, @genisis__ et al.,
We are targeting to release an updatable object for Check Point online services in a matter of several weeks.
I appreciate the product feedback!

@Wolfgang, I am talking internally with the team to see which of the domains in the SK can be promptly added to the "optional bypass" section in the object.

Regards, 
Nadav Feigenblat

0 Kudos
genisis__
Advisor

Hi Nadav,

This is really positive!  We all look forward to this.

 

One small thing, not sure if you're the correct person to highlight this to. In R81 Jumbo 25 there is an issue where a trusted GUI client is no longer authorised.

We have specified a subnet rather than hosts as Allowed clients, which is a supported approach. In this Jumbo a host within this subnet is not authorised to access the SMS; we resolved this by installing JHFA23 instead.

I have raised a TAC case. TAC have requested I add host addresses. I don't believe this is the correct approach. The approach in my opinion should be:

- Acknowledge the fault

- Create a bug id

- resolve the fault

- Pull JHFA25 (or update it as it's ongoing), and release a new Jumbo.

 

0 Kudos
Ofer_Barzvi
Employee

Hello @genisis__,

There is indeed a bug in JHF 25 when connecting from an IP that is not explicitly defined in the Trusted Clients list, and the next take (planned to be released in a few days) will include a fix for this.

sk173026 about the issue was created and will be released ASAP.

 

Regards,

Ofer Barzvi

0 Kudos
genisis__
Advisor

Awesome! Thanks for confirming.

b.t.w I can't find the SK?

 

0 Kudos
genisis__
Advisor

In this new update, are there plans to increase the number of updatable objects? For example, I think it would be useful to have the following:

Zoom

WebEx

Cisco Meraki Cloud

Fortigate Cloud

PaloAlto Cloud

 

 

0 Kudos
Nadav_Feigenbla
Employee

The new update is targeted to release 3 common requests we get - 
1. Check Point online services 
2. Github services 
3. Zscaler services 

Regarding Zoom & Webex - both are already available as updatable objects.

Regarding Cisco/Fortinet/Palo Alto cloud - we didn't get this request till now and we can surely evaluate it for next rounds.

Nadav

genisis__
Advisor

Great! I think the other clouds would be good to encompass as these are common, equally I would hope that the Checkpoint Cloud would be integrated into the other vendor security solutions as well.

0 Kudos
Abd_S81
Participant

Perhaps also good to add status of connectivity or a version number of some sort in the Updatable Object window, or last connected date/time. Actually similar to a data center object which has "test connectivity". This way it is confirmed status is green or red of the Updatable objects itself in case there is a loss of network connectivity or updatable objects are not getting updated for some reason.

genisis__
Advisor

I like it!

0 Kudos
Paramjeet_Singh
Explorer

Hi Nadav,

Any idea when Updatable objects for Github will be available?

Paramjeet 

0 Kudos
the_rock
Leader

Good point there : ). I will check for my own reference if this looks any different in my R81.10 lab.

0 Kudos
the_rock
Leader

Looks exactly the same on R81.10...no change. 

0 Kudos
Micky_Michaeli
Employee

Hi,

We just released a new Updatable object for Check Point's security online services called "Check Point Services".

I'll update on the release of the additional two new objects for Github services and Zscaler services (targeted to be released in a few weeks).

 

Regards,

Micky

 


_Val_
Admin

@Micky_Michaeli great news! Any SK about this?

0 Kudos
Wolfgang
Leader

Excellent! I like these updatable objects 😊

Screenshot 2021-05-27 135047.png


genisis__
Advisor

Finally!!!!

 

genisis__
Advisor

Do we know when other updatable objects will be added? Especially thinking of Fortigate Cloud Services, Cisco Cloud Services, Palo Alto Cloud Services.

the_rock
Leader

That would really be awesome!

0 Kudos
_Val_
Admin

@genisis__ 

It took me a moment to understand you were actually serious here 🙂

PhoneBoy
Admin

As with any of the items we have updatable objects for, there must be a published list in an easily machine-readable format for us to have an object for it.
If the vendors provide it, we can consider adding it.

0 Kudos
genisis__
Advisor

Not sure if this will help:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD45118
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/620215/optional-changing-the-fortidns-se...

Cisco Meraki:
https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

 

If anyone else can input that would be good, but as you rightly point out, vendors should provide it, but clearly that is something between vendors.

0 Kudos
Wolfgang
Leader

I tried a rule, source SMS and destination the new updatable object "Check Point Service", services HTTP and HTTPS.

- IPS updates are not working

- ApplicationControl updates are not working

- cpinfo ... checking CK not working

- "installer download xxx" not working

- getting licenses or contract file working fine

2021-06-02 08_11_50-Bild 31.05.21 um 20.23.png

 

0 Kudos
genisis__
Advisor

Silly thing to confirm (b.t.w. I've not tested this new object myself): DNS resolution on client and gateway come back with the same response.

Other than that, sounds like a TAC case.

0 Kudos
Micky_Michaeli
Employee

Hi @Wolfgang ,

Thanks a lot for testing the new object and sharing this information with us. Such kind of feedback is very important to ensure the object is working as expected.

The dropped traffic is to crl.globalsign.com as we can see below, which is not a domain owned by Check Point, but is needed to be accessed during the download of different packages.

crl_globalsign.PNG

Following your feedback, we understand that it's important to add this domain to "Check Point Services" instead of suggesting to add this domain manually to policy.

We will upload a new package in the next few hours. I expect this package to arrive to all customers till tomorrow.

Please update me whether the issue is resolved.

 

Regards,

Micky

George_Casper
Contributor

Would love to see Checkpoint's updatable objects selectable in a network group object (to then be used within a Group with Exclusions) to allow split tunneling to just Zoom or O365. Yes, it can be done by manually adding a script to pull the Microsoft or other IP ranges, but why should we have to manually duplicate the feature when Checkpoint has what we need in Checkpoint's maintained updatable objects? Just add the rest of the logic to allow them in a group. Should be a one-stop shop.

0 Kudos
Micky_Michaeli
Employee

Hi @George_Casper,

Thanks for your feedback.

Better late than never - starting with R81.10, updatable objects can be used in a network group.

R81.10 MGMT can manage R80.20 (or above) GWs and add updatable objects to a network group.

Regards,
Micky

0 Kudos
PhoneBoy
Admin

But will we be able to use that group in something like the Encryption Domain, which generally works with fixed network/host objects?

0 Kudos