HeikoAnkenbrand
Champion

R80.20 Updatable Domain Objects and CLI Commands

 

An updatable object (new in R80.20 and above) is a network object that represents an external service, such as Office 365, AWS, GEO locations and more. External service providers publish lists of IP addresses, or Domains, or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect. You can use an updatable object in the Access Control policy as a source, or a destination.

I didn't find anything on the CLI commands in the documentation. Here is my knowledge from reverse engineering.

In 80.20 and above you can run the tool "domains_tool" to show domain object information.

# domains_tool -d update.microsoft.com   =>  show which IP is associated with a domain object

# domains_tool -ip 1.2.3.4   =>  search and provide a list of domains for an IP

For more information about updatable objects, see sk131852.

➜ CCSM Elite, CCME, CCTE
0 Kudos
7 Replies
PhoneBoy
Admin
The domains_tool command is documented in the Internal notes of sk131852.
0 Kudos
Matthias_Haas
Advisor

See sk161632 for further details.

The flag -uo allows you to check whether the <updatable object name> is in the policy and returns a list of the domains it holds.

domains_tool -uo "Office365 Services"

Domain tool looking for domains for 'Office365 Services' and its children objects:

Domains name list for 'Exchange Services':

[1] admin.protection.outlook.com
[2] nam01.dataservice.protection.outlook.com
[3] nam01.admin.protection.outlook.com
[4] na01.safelinks.protection.outlook.com

.....

 

domains_tool -d admin.protection.outlook.com

...

Wait for the next chunk...

---------------------------------------------------------------------------------------------------
| Given Domain name: admin.protection.outlook.com FQDN: yes |
---------------------------------------------------------------------------------------------------
| IP address | sub-domain |
---------------------------------------------------------------------------------------------------
| 104.47.29.21 | no |
---------------------------------------------------------------------------------------------------
Total of 1 IP addresses found

0 Kudos
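Added example, not posted by anyone in this thread: a shell helper that parses the `domains_tool -d` table shown in the reply above and reports whether a given IP is listed, rejecting output whose row count does not match the "Total of N" footer. The function names are hypothetical, and the table layout is assumed from the single sample quoted above.

```shell
#!/bin/bash
# Constructed sample: the `domains_tool -d` output quoted in the reply above.
sample_output() {
cat <<'EOF'
Wait for the next chunk...

---------------------------------------------------------------------------------------------------
| Given Domain name: admin.protection.outlook.com FQDN: yes |
---------------------------------------------------------------------------------------------------
| IP address | sub-domain |
---------------------------------------------------------------------------------------------------
| 104.47.29.21 | no |
---------------------------------------------------------------------------------------------------
Total of 1 IP addresses found
EOF
}

# Print "ip sub-domain-flag" for each table row on stdin. Exit 2 when the
# number of rows differs from the "Total of N" footer or the footer is
# missing, i.e. the capture is truncated or the layout is not the assumed one.
parse_domains_tool() {
  awk -F'|' '
    BEGIN { rows = 0; total = -1 }
    NF >= 4 {
      ip = $2; flag = $3
      gsub(/[ \t]/, "", ip); gsub(/[ \t]/, "", flag)
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print ip, flag; rows++ }
    }
    /^Total of [0-9]+ IP addresses found/ {
      total = $0; sub(/^Total of /, "", total); sub(/ .*/, "", total); total += 0
    }
    END { if (rows != total) exit 2 }
  '
}

# Status 0: IP ($1) is listed; 1: not listed; 2: output failed validation.
ip_listed() {
  local want=$1 parsed
  parsed=$(parse_domains_tool) || return 2
  printf '%s\n' "$parsed" | awk -v ip="$want" '$1 == ip { found = 1 } END { exit !found }'
}

# On a gateway: domains_tool -d admin.protection.outlook.com | ip_listed 104.47.29.21
sample_output | ip_listed 104.47.29.21 && echo "104.47.29.21 is listed"
```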
PhoneBoy
Admin
Looks like that SK was recently created, nice to see it 😊
0 Kudos
HeikoAnkenbrand
Champion
0 Kudos
Markus_Kress
Contributor
Is there a possibility/tool to view the current IP addresses held by an updatable object? The domains_tool returns the list of domains held by an updatable object, but no IP addresses. So, how can we be sure that a certain IP is included/held by the object?
It would be great to have an option to get the list of IPs held by the object.
0 Kudos
PhoneBoy
Admin
Because there are underlying Dynamic Objects involved, you should be able to see the IPs involved.
See this thread for more details: https://community.checkpoint.com/t5/General-Management-Topics/Updateable-Objects-and-NAT/m-p/71694#M...
0 Kudos
Markus_Kress
Contributor
Many thanks, that is exactly what I was looking for.
0 Kudos