Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kaspars_Zibarts
Authority
Authority

O365 access filtering in R80.10

Challenge description: our user general internet access is limited to proxy only or very specific "whitelisted" IPs could be accessed directly bypassing proxy, i.e O365. Up until October we were able to script simple network group with all O365 IPv4 addresses based on XML information from MS. That has been streamedlined now and many services have only FQDNs, not IP addresses and quite a few have a wild-card in front of the FQDN (there goes domain object option..). It's all good and great with R80.20 as there you have ready made updatable objects (Updatable Objects in R80.20 ) that cover exactly this. Seems like with R80.10 the only option is these dynamic objects (Dynamic Objects in R80.10 ) that you must order from CP or enabling Application Control, that requires HTTPS inspection. Which we do not want to do as it breaks some O365 functionality and generally is not recommended by MS.

Is anyone else  facing similar challenge? Any ideas what you are going to do before R80.20 is rolled out? For us it's a simple call of SW maturity and we don't believe that R80.20 is ready to be deployed in production yet.

34 Replies
Paul_Hagyard
Contributor

Has anyone tried this in an environment with no proxy? Scraping the IP addresses is fine, and the FQDN URLs could be replicated as App/URL FQDN objects or (ugly) resolved to temporary static objects, but the wildcard URLs would be a problem.

The R80.20+ updatable objects do this (somehow - any CP developers care to comment on how you solved this?!), but some of the deployment scenarios are limited (even in R80.40, no support for desktop security policy, probably not for the NAT policy).

0 Kudos
nlegastelois
Explorer

Hi,

We are using Checkpoint 80.10 with a proxy server, for now all traffic are going through the proxy but I am looking for a solution to exclude office 335 using a proxy pac file and create a rule on checkpoint to permit office365 traffic.

But I have two issues : 

Microsoft doesn't provide the full IP list and when I use the get-pacfile scripte I have only domains with wildcard.

Checkpoint 80.10 doesn't work very well with rules based on non FQDN, I already had strange issues by using them.

 

So I am lost and I don't know how to progress on this.

Could you please help me.

Thanks

0 Kudos
Paul_Hagyard
Contributor

As per my post above, there is no clear way of doing this without the updatable objects in R80.20+. Some people have reported success simply using the IP objects in the Microsoft published JSON file, but my testing showed that some Microsoft OneNote traffic did not get through using just this. I extended it a bit further using FQDN objects based on the FQDNs in the Microsoft published JSON (focussing on domains owned by Microsoft, the JSON includes things like YouTube) and this helped - but still not 100%.

With no feedback from Check Point R&D on this I am *guessing* that they scrape the FQDNs some other way - e.g. possibly from a client with some agent installed.

0 Kudos
nlegastelois
Explorer

Ok thanks so I will try to upgrade hopping that it will be better.

0 Kudos
nlegastelois
Explorer

Hello,

Could you please share with me the script you used to get only the Office365 IPs from https://endpoints.office.com/endpoints/worldwide and put them into a proxy pac ?

 

Thanks

0 Kudos