Contributor

updatable objects with wildcard entries

Hi,
we are using updatable objects in our o365 policy.
The updatable object "Office Worldwide Services" includes some wildcard domain entries, e.g. "*.msappproxy.net". We figured out that requests which should match these wildcards do not work.
Should they work? We assume that the gateway does a DNS lookup for every FQDN which is listed in the updatable object and caches it. For wildcard entries this is not possible. Are we right?
Can someone explain how the updatable object mechanism works? Or is there a good article in the knowledgebase?


Accepted Solution
Employee+

Hi @Jonathan Thanks for your clarification. I had focused on "Can someone explain how the updatable object mechanism works?"
Updatable objects should not have a negative impact on performance like Non-FQDN Domain Objects. We should not consider them equivalents.

If you see degradation or performance impact when using them, contact TAC.

Regardless of the content of the actual Updatable Object, whether IPs or domains, fortunately for us, from the FW/traffic perspective, this should not have any difference in behavior. If you see any issues that would constitute "Updatable Objects do not have consistent matching behavior when used in Rulebase", a TAC case should be raised with a similar title.

10 Replies
Contributor

Same question here. I'm thinking about using an updatable object for Zoom, but their list contains *.zoom.us.

I know that it is advised NOT to use non-FQDN Domain Objects in Checkpoint R80.20, since every packet passing the firewall will be checked with a reverse-DNS lookup and this can choke the firewall.

Would that also be the case with updatable objects when a wildcard is present?

I couldn't find any answer to this in the links G_W_Albrecht provided.

Thanks


Contributor

Thanks for those links G_W_Albrecht, I've already read them but still don't have an answer to my question:

Checkpoint says these updatable objects contain a list of IP addresses and DOMAINS. I've checked Zoom's list and it contains *.zoom.us.

Will the gateway treat this the same as a non-FQDN Domain Object and try a reverse lookup for it on every packet?

Employee+

Hi Markus_Kress,

I think you are looking for Domain Objects. These work like you mention: the Gateway does a DNS lookup for every FQDN, then caches it.

Updatable Objects work slightly differently, but on the same premise.

Some Services do not function with Domain objects, for various reasons, and we require the Updatable Objects.

These are a dynamic list of IPs that is provided as a service from Check Point. (No special licensing required.)

We work with Vendors such as Zoom, Microsoft, and new vendors all the time.

They provide a list of IPs and domains to us. We provide this to you, in the form of an Updatable Object.

We can see in sk163633 (Updatable Objects for Zoom Services):

"Zoom publishes a list of IP ranges and domains which are dynamically updated."

If more granular control is required, you will need to use Domain Objects, or reach out to your local SE, or TAC if this doesn't suit your needs.

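A toy model, added here and not Check Point code, of the two matching strategies this thread contrasts: plain FQDN entries that can be resolved once and cached, versus a wildcard entry such as *.msappproxy.net that cannot be enumerated in advance and so can only be checked by a reverse lookup on each packet. The DNS tables, class and function names are constructed assumptions.

```python
# Constructed forward/reverse DNS tables standing in for a real resolver.
FORWARD = {
    "login.microsoftonline.com": {"203.0.113.10"},
    "outlook.office365.com": {"203.0.113.20"},
}
REVERSE = {
    "203.0.113.10": "login.microsoftonline.com",
    "203.0.113.20": "outlook.office365.com",
    "203.0.113.30": "app1.msappproxy.net",   # only reachable via wildcard
    "198.51.100.5": "unrelated.example.org",
}


class DomainObjectModel:
    """Models a domain-based rule object: FQDNs pre-resolved and cached,
    wildcard suffixes forcing a reverse lookup per packet (hypothetical model)."""

    def __init__(self, entries):
        self.fqdn_ips = set()      # IPs learned by resolving FQDN entries up front
        self.wildcards = []        # suffixes such as ".msappproxy.net"
        self.reverse_lookups = 0   # cost counter for the data path
        for entry in entries:
            if entry.startswith("*."):
                self.wildcards.append(entry[1:])  # "*.x.net" -> ".x.net"
            else:
                self.fqdn_ips |= FORWARD.get(entry, set())  # resolved once, cached

    def matches(self, dst_ip):
        if dst_ip in self.fqdn_ips:
            return True            # cache hit: no DNS traffic while forwarding
        if not self.wildcards:
            return False           # nothing else to try for a pure-FQDN object
        self.reverse_lookups += 1  # wildcard can only be checked by reverse DNS
        name = REVERSE.get(dst_ip, "")
        return any(name.endswith(suffix) for suffix in self.wildcards)


def simulate(entries, dst_ips):
    """Return (number of matching packets, reverse lookups performed)."""
    obj = DomainObjectModel(entries)
    hits = sum(1 for ip in dst_ips if obj.matches(ip))
    return hits, obj.reverse_lookups


if __name__ == "__main__":
    packets = ["203.0.113.10", "203.0.113.30", "198.51.100.5"]
    print(simulate(["login.microsoftonline.com"], packets))
    print(simulate(["login.microsoftonline.com", "*.msappproxy.net"], packets))
```

The second run shows the thread's concern in miniature: once a wildcard is present, every packet that misses the cache costs a reverse lookup, including traffic that matches nothing.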
Contributor

Hi Stephen,

Thanks for the reply, this is all very clear, but you still did not address both Markus_Kress's and my issue.

Checkpoint recommends not to use Domain Objects in a Non-FQDN setting, which as I understand is kinda' the equivalent to a wildcard domain (*.zoom.us).

Updatable Objects also rely on a list of domains which includes wildcards.

We want to know how the gateway handles these wildcard domains, and can they also have a negative impact on performance like Non-FQDN Domain Objects do?

Champion

This is not true. Updatable Objects are a dynamic list of IPs that is provided as a service from Check Point. So there are no wildcards and these are not Domain objects; it is always a list of IPs 😎

I do not understand why this is so unclear, although sk131852, sk163633 and sk135572 do explain that in detail?

Contributor

Well, I quote this from the links you've sent:

"External services providers publish lists of IP addresses, or Domains, or both,"

"This Zoom Updatable Object matches a list of IP addresses and domains"

"Each Office 365 Updatable Object matches a list of IP addresses and Domains"

And if you follow the link from Checkpoint's Import dialog box to Zoom's firewall settings webpage, you can even see that *.zoom.us is part of the list.

This was also the original question of Markus_Kress regarding Office365.

Admin

In this context, "domain" means FQDN. @G_W_Albrecht is correct, Updatable Objects contain a list of IP addresses. If you experience any connectivity issue with updatable objects, please raise those issues with TAC.
