Good morning,
Here's our situation. We'd upgraded from R77.30 to R80.10 a couple months ago to take advantage of new features and to implement HTTPS Inspection, which we'd been told would be a more stable experience. Once we'd upgraded and during testing of HTTPS Inspection, we found our general O365 experience to be lacking. Microsoft recommends not to inspect that traffic, to have the cleanest connection between client and their servers.
We were going to apply the SK119562 Hotfix to our R80.10 Take 112 environment to take advantage of the Dynamic Objects, but ran into issues. Lo and behold, R80.20 went GA, so we changed our tact to upgrading to R80.20. We found the Updatable Objects for O365/Azure, and thought we could use those in our Bypass Rules. We've been told that those can only be used in Access Policies. Which is a shame, as this is exactly what we need.
1. Should we just use the Dynamic Objects in the Destination column in HTTPS Inspection rules, forgetting about these new "Updatable Objects"?
Unfortunately we have tried employing these Dynamic Objects in R80.20 and get this error.
2. Does R80.20 just work better with Office 365 and there is no need for a specific Bypass Rule?
3. Any other suggestions/solutions?
I cannot believe that this would not have been thought about during the EA period for R80.20, especially as this SK119562 Hotfix was made available.
Regards,
Eric
I assume you mean clients behind your gateway 
If you're using HTTPS Inspection: How to allow Office 365 services in Application Control R77.30 and above
If you're not using HTTPS Inspection but using R80.20, you can allow access to the Office 365 Services in your Access Policy:
Yes, I meant clients behind the GW that are connecting to O365, thanks
So, for now, if using HTTPS inspection, use App Control and don't try to bypass HTTPS (even though MS says to do so).
In the future, if Updatable objects can be used in HTTPS bypass rules, it may make sense to then allow the updatable objects in access control policy, and bypass HTTPS inspection for those same objects.
Thanks, this is helpful info.
I find importing gazillions of IPs crazy, impractical and really frustrating for end-users where every day something stops to work because M$ changed their IP range or because of the way HTTPS-I is currently implemented.
So, CheckPoint, please come up with an easy-to-deploy solution for this for all firmware supporting HTTPS-I (not only R80.20). I know this is partly not a vendor problem but it can only be properly solved by you.
Being polite I will skip my comments on the way M$ forces FW admins to compromise security for their online services to work.
Hi We have the same issue. we are currently doing the bypass by creating a custom Office365 Application/site.
It contains 6 urls and seems to have solve the main problem for us.
currently we have in the list
I hope this helps.
| User | Count |
|---|---|
| 6 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
