This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Yair_Herling
Employee+
Employee+
‎2019-01-07 05:33 AM

R80.20 Identity Tags and Updatable Objects

This video elaborates on one the most important aspects of the Check Point Infinity architecture which is the dynamic, unified characteristics of a policy.

legacy Static policy means ticketing, many install policy operations and inherent discrepancies within the policy will ruin our operational efficiency.

However, by solving these challenges with a Dynamic approach – the security operations engineers only need to design a single policy rule for each scenario that will seamlessly control all operational aspects of an enterprise, while keeping access changes strict, yet adaptive.

 

Enjoy

Reply
13 Replies
Tomer_Sole
Mod
Mod
‎2019-01-07 10:22 AM

Great work  Ofir CalifRoi Caspy‌ ! 

0 Kudos
Reply
John_Fulater
Contributor
‎2019-01-10 08:30 PM

This was a great presentation.  Very informative and directive.  Thank you.

0 Kudos
Reply
Felipe_Tropeia
Explorer
‎2019-01-18 06:04 AM

I was trying to create a NAT hide using a dynamic object or domains objects. However, I've got an "Invalid Object '.office365.com' in Original Dst of Address Translation Rule 5. The valid objects are: host, gateway, network, address range and router."

Would I like to know If the new updatable objects can be used by NAT policy? 

Many thanks,

Felipe Tropeia

Reply
Yair_Herling
Employee+
Employee+
‎2019-03-17 01:32 AM
In response to Felipe_Tropeia

Sorry for my late reply.

Domain objects and updatable objects are currently not supported in NAT rulebase.

This is under development though..

 

hope this helps...

 

Yair

 

0 Kudos
Reply
Andreas_Hofmann
Participant
‎2019-07-27 01:17 AM

Hello,

 

how to use Updatable Objects in legacy application HTTPS inspection. 
Can Checkpoint ensure all Microsoft Office 365 application work without any problems if https inspected?

 

Thanks

Andreas

 

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-07-27 03:15 PM
In response to Andreas_Hofmann

This is not currently supported.
This may be supported in an upcoming release.
0 Kudos
Reply
Andreas_Hofmann
Participant
‎2019-07-28 01:21 AM
In response to PhoneBoy

Hi,

 

how to proceed with Microsoft cloud applcations like Azure, Skype , Power BI gateway hub and so on?
Recommendation from Microsoft is to http bypass -> result no Checkpoint blade protection anymore.

How to improve this and what is your experience with this kind of applications in your environments.

 

Thank you

Andreas

 

 

 

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-07-28 06:08 AM
In response to Andreas_Hofmann

Skype in particular isn't standard HTTPS, which means HTTPS Inspection won't necessarily work anyway.
HTTPS Inspection also cannot be applied to applications that use Certificate Pinning or client-side certificates.
If you need those applications to work, then they would need to be bypassed if HTTPS Inspection were used.

Azure hosts a lot of things in it, so you'd need to be more specific about what you're asking about here.
0 Kudos
Reply
Andreas_Hofmann
Participant
‎2019-08-04 01:46 AM
In response to PhoneBoy

I am searching for a very deep and clear instruction how to implement Office 365 applications. For example I have a lot of problems with application Teams (sharing desktops) Do we really have to exclude all Office365 IPs and Office365 URLs in https inspection? What are your experiences and how do you operate Office365 in Checkpoint firewall environments?
0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-08-04 10:11 PM
In response to Andreas_Hofmann

Skype and its descendants such as Teams do not work with HTTPS Inspection.
The IPs specific to this service must be excluded from HTTPS Inspection as a result.
At the moment, we do not provide an easy way to do this, but it is planned for R80.40.
0 Kudos
Reply
Gera_Dorfman
Employee+
Employee+
‎2019-07-28 12:45 PM
In response to PhoneBoy

We plan supporting updatable objects in https inspection in R80.40 which is planned for the end of this year; We are looking for EA customers with EA program to start in about 2 months.

 

Reply
Paul_Hagyard
Contributor
‎2019-10-01 02:51 PM
In response to PhoneBoy

Dynamic objects seem largely unusable currently. TAC are always recommend HTTPS inspection to support Application Control and URL Filtering, but O365 needs to be bypassed and you can't use the updatable objects in the HTTPS inspection policy and so need to maintain manual address groups again.

Updatable objects are also not supported in the desktop policy (for endpoints managed out of a SmartCenter), making it hard to allow direct access to O365 when connected via a VPN. Guessing they are not supported for the full Endpoint client policy either?

 

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-10-01 03:29 PM
In response to Paul_Hagyard

Updatable Objects should be usable in the HTTPS Inspection policy in R80.40.
I don't know what the plan is to support this in the desktop Endpoint policy.
0 Kudos
Reply