cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
Employee+
Employee+

R80.20 Identity Tags and Updatable Objects

This video elaborates on one the most important aspects of the Check Point Infinity architecture which is the dynamic, unified characteristics of a policy.

legacy Static policy means ticketing, many install policy operations and inherent discrepancies within the policy will ruin our operational efficiency.

However, by solving these challenges with a Dynamic approach – the security operations engineers only need to design a single policy rule for each scenario that will seamlessly control all operational aspects of an enterprise, while keeping access changes strict, yet adaptive.

 

Enjoy

13 Replies

Re: R80.20 Identity Tags and Updatable Objects

Great work  Ofir CalifRoi Caspy‌ ! 

0 Kudos

Re: R80.20 Identity Tags and Updatable Objects

This was a great presentation.  Very informative and directive.  Thank you.

0 Kudos

Re: R80.20 Identity Tags and Updatable Objects

I was trying to create a NAT hide using a dynamic object or domains objects. However, I've got an "Invalid Object '.office365.com' in Original Dst of Address Translation Rule 5. The valid objects are: host, gateway, network, address range and router."

Would I like to know If the new updatable objects can be used by NAT policy? 

Many thanks,

Felipe Tropeia

Employee+
Employee+

Re: R80.20 Identity Tags and Updatable Objects

Sorry for my late reply.

Domain objects and updatable objects are currently not supported in NAT rulebase.

This is under development though..

 

hope this helps...

 

Yair

 

0 Kudos

Re: R80.20 Identity Tags and Updatable Objects

Hello,

 

how to use Updatable Objects in legacy application HTTPS inspection. 
Can Checkpoint ensure all Microsoft Office 365 application work without any problems if https inspected?

 

Thanks

Andreas

 

Tags (1)
0 Kudos
Admin
Admin

Re: R80.20 Identity Tags and Updatable Objects

This is not currently supported.
This may be supported in an upcoming release.
0 Kudos

Re: R80.20 Identity Tags and Updatable Objects

Hi,

 

how to proceed with Microsoft cloud applcations like Azure, Skype , Power BI gateway hub and so on?
Recommendation from Microsoft is to http bypass -> result no Checkpoint blade protection anymore.

How to improve this and what is your experience with this kind of applications in your environments.

 

Thank you

Andreas

 

 

 

Tags (1)
0 Kudos
Admin
Admin

Re: R80.20 Identity Tags and Updatable Objects

Skype in particular isn't standard HTTPS, which means HTTPS Inspection won't necessarily work anyway.
HTTPS Inspection also cannot be applied to applications that use Certificate Pinning or client-side certificates.
If you need those applications to work, then they would need to be bypassed if HTTPS Inspection were used.

Azure hosts a lot of things in it, so you'd need to be more specific about what you're asking about here.
0 Kudos

Re: R80.20 Identity Tags and Updatable Objects

I am searching for a very deep and clear instruction how to implement Office 365 applications. For example I have a lot of problems with application Teams (sharing desktops) Do we really have to exclude all Office365 IPs and Office365 URLs in https inspection? What are your experiences and how do you operate Office365 in Checkpoint firewall environments?
Tags (1)
0 Kudos
Admin
Admin

Re: R80.20 Identity Tags and Updatable Objects

Skype and its descendants such as Teams do not work with HTTPS Inspection.
The IPs specific to this service must be excluded from HTTPS Inspection as a result.
At the moment, we do not provide an easy way to do this, but it is planned for R80.40.
0 Kudos
Employee+
Employee+

Re: R80.20 Identity Tags and Updatable Objects

We plan supporting updatable objects in https inspection in R80.40 which is planned for the end of this year; We are looking for EA customers with EA program to start in about 2 months.

 

Re: R80.20 Identity Tags and Updatable Objects

Dynamic objects seem largely unusable currently. TAC are always recommend HTTPS inspection to support Application Control and URL Filtering, but O365 needs to be bypassed and you can't use the updatable objects in the HTTPS inspection policy and so need to maintain manual address groups again.

Updatable objects are also not supported in the desktop policy (for endpoints managed out of a SmartCenter), making it hard to allow direct access to O365 when connected via a VPN. Guessing they are not supported for the full Endpoint client policy either?

 

0 Kudos
Admin
Admin

Re: R80.20 Identity Tags and Updatable Objects

Updatable Objects should be usable in the HTTPS Inspection policy in R80.40.
I don't know what the plan is to support this in the desktop Endpoint policy.
0 Kudos