cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Dynamic Objects in R80.10

Hi All,

I came to know the feature of R80.10 that we can make the dynamic objects for Microsoft services and others. 

Prerequisite for both Mgmt and Gateway : R80.10 with Take 24 HFA.

Configuration

  1. In SmartConsole, go to the Objects Explorer (in the upper right corner).
  2. Click on the .. button - go to the More menu - go to the Network Object menu - go to the Dynamic Objects menu - click on the Dynamic Object...:

 

  1. Name the dynamic object with the specific Office365 service name as specified in the table below (Important Note: The names are case sensitive).

Description of Office 365 service

Name of Check Point Dynamic Object

Name in Microsoft feed

All Office 365 services

CP_MS_Office365

-

Exchange Federation

CP_MS_EX-Fed

EX-Fed

Exchange Online

CP_MS_EXO

EXO

Exchange Online Protection

CP_MS_EOP

EOP

Microsoft Digital Note

CP_MS_OneNote

OneNote

Microsoft Teams

CP_MS_Teams

Teams

Office for iPad

CP_MS_OfficeiPad

OfficeiPad

Office Mobile

CP_MS_OfficeMobile

OfficeMobile

Office Online

CP_MS_WAC

WAC

Office 365 Authentication and Identity

CP_MS_Identity

Identity

Office 365 Certificate Revocation Lists

CP_MS_CRLs

CRLs

Office 365 Portal and shared

CP_MS_o365

o365

Office 365 ProPlus

CP_MS_ProPlus

ProPlus

Office 365 Video and Microsoft Streams

CP_MS_Office365Video

Office365Video

Office 365 Yammer

CP_MS_Yammer

Yammer

Office 365 Sway

CP_MS_Sway

Sway

Remote Connectivity Analyzer

CP_MS_RCA

RCA

SharePoint Online and OneDrive for Business

CP_MS_SPO

SPO

Skype for Business Online

CP_MS_LYO

LYO

Task Management for Teams

CP_MS_Planner

Planner

  1. Create the relevant access policy rule.

Publish the session and install the policy.

26 Replies

Re: Dynamic Objects in R80.10

Are these really defined automatically?  Values for dynamic objects are defined on gateways, and while this could be done with a script I can't find any documentation or announcement about it being provided by Checkpoint (and I would expect to find something in the release notes).  Has someone at your site written a script to create these objects?

I don't have access to an R80.10 gateway to check

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

On my gateways, these objects are not defined yet (I'm running a later JHF). 

I know that there is a plan to make something like this available soon, as has been discussed in several threads on CheckMates.

I will see if I can get an update on the current status of this.

0 Kudos

Re: Dynamic Objects in R80.10

Hi,

Actually We have asked Checkpoint for this type of scenarios as one of customer is looking. We got the above answer. Still sk is in internal and not published yet. Below is the information about sk.

Solution ID

sk119562

Product

Security Gateway

Version

R80.10

OS

Gaia

Platform / Model

All

Access Level

Internal

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

That's because it is currently in private EA.

If you're interested, please contact your local Check Point SE.

0 Kudos

Re: Dynamic Objects in R80.10

very usefull feature. Is this working in R80.10?

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

Yes, but it requires a special fix that's not generally available.

As noted above, please contact your local Check Point SE.

Re: Dynamic Objects in R80.10

hi All.

Is this URL Forwarding?

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

What do you mean by URL Forwarding?

0 Kudos

Re: Dynamic Objects in R80.10

Hi

Have found out the following recently when attempting to use dynamic objects for Office 365

Currently dynamic objects are only supported in R80.10 JHF Take 121 with an additional hot-fix that adds support for the Check Point feed.

The hot-fix is available for the current JHF (Take 154), but needs a RFE to be raised so R&D will test and support - which is absolute rubbish given the vulnerabilities/features that have been fixed addressed from Take 121 to 154

TAC advise that you upgrade to R80.20 (again - a rubbish response) 

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

The internal SK that discusses this hotfix says you should be able to get it for R80.10 JHF 154 as of a few days ago.

Please PM me the SR you opened with TAC on this.

0 Kudos

Re: Dynamic Objects in R80.10

 

 

Do updatable objects supported also on later HF (I am running with JHF Take 189)?

0 Kudos

Re: Dynamic Objects in R80.10

Hi Damon

The SR is 3-0633516431, but I think I may have to go back and edit my post (again). It may be the case that we requested the hotfix for Take 154 to enable the dynamic object feeds and that is why it was released a few days ago, but we are running an R80.10 VSX environment. So our issue is that it can be installed but it hasn’t been tested with VSX so there is no support.

Any help is appreciated.

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

Be careful when you use email to reply as it included your email signature with your full contact details. Smiley Happy

The SK seems to indicate different information, and I'll have to investigate further.

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

Just to clarify, there are two functions provided by this hotfix:

  • Dynamic Objects for Office 365 in the Access Policy, which is provided natively in R80.20 (see: Microsoft Office 365 objects as Network Objects in R80.20).
  • Dynamic Objects for Office 365 in the HTTPS Inspection policy, which is NOT in R80.20 and requires a special hotfix to achieve in R80.10. We do plan to provide this in the product natively (post R80.20) thru allowing use of Updatable Objects in the HTTPS Inspection policy, but the timelines for this have not been finalized.

To further clarify, this particular hotfix is also a customer-release, meaning it was built and tested for a specific customer environment.

We do make these available to other customers through your local Check Point office only if they meet the same requirements.

0 Kudos

Re: Dynamic Objects in R80.10

TAC advise that you upgrade to R80.20 (again - a rubbish response) 

To add to Dameon's point, in this case, TAC had a valid point!

In R80.20 there's a solution that is easier to use, reduces time maintaining it by end users, and in maintrain - therefore you will receive all future stability fixes unlike the special dynamic object release of R80.10. 

Even if you don't have plans to migrate to R80.20 right now, I recommend that you at least prepare and experiment with a lab environment or the Cloud Demo Mode.

See more benefits of R80.20 here: Check Point R80.20 Demo TechTalk and Q&A 

ADM_DB
Ivory

Re: Dynamic Objects in R80.10

Thank you for clarification
can we use this as an object in "vpn domain" networks group in order to route all O365 traffic through the vpn tunnel ( split tunnel )?

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

Neither of these solutions provide this functionality.

That said, I believe you can leverage route-based VPNs for this.

Re: Dynamic Objects in R80.10

Is there a reason our updatable object list does not include that specific list of o365 services/servers?

Afaik they are published on MS' page of domains/IP-addresses.

Running r80.20 mgmt with take 33 jumbo.

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

As the list comes from the cloud, everyone should see the same thing.

What do you see?

0 Kudos

Re: Dynamic Objects in R80.10

I agree, I should be seeing the same list. We would like to use "Microsoft Teams Servers" from Tomers list for instance. Although a lot can change in 3months, since Teams exist in MS' feed I'm surprised it's not in CP's list (anymore):

updatable objects

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

Depending on where I look, I get different results.

In Demo Mode, I see everything:

On my own R80.20 Management, I see the same list you do.

It's probably worth a TAC case.

Re: Dynamic Objects in R80.10

By all means let us know if you open the TAC case. I can safely say that the demo mode is not what I have in the lab or what I see when I login at R80.20 firewalls of customers.

0 Kudos

Re: Dynamic Objects in R80.10

Thanks for feedback Dameon Welch-Abernathy‌ & Hugo van der Kooij‌.

I've created 6-0001542837, although late in the day so I didn't have a chance to add anything until the day was over.

0 Kudos

Re: Dynamic Objects in R80.10


@David_Brodin wrote:

Thanks for feedback Dameon Welch-Abernathy‌ & Hugo van der Kooij‌.

I've created 6-0001542837, although late in the day so I didn't have a chance to add anything until the day was over.


A bit late, just remembered this topic 🙂

I received an official statement from R&D:

Microsoft O365 has changed their feed and their object structure. This is why the objects in the picker were changed.
R80.20 Demo mode shows the old O365 packages and does not actually connect to the feed.
That is why we see a different state in the Demo. 

 

0 Kudos
DBC
Ivory

Re: Dynamic Objects in R80.10

So is Dynamic Objects in R80.10 change its name in R80.20 to Updatable objects?

from what was published (and it's not that much) they have the same fundamental description just with different name.

is that correct?

0 Kudos
Admin
Admin

Re: Dynamic Objects in R80.10

The main difference between the objects are:

  • Dynamic Objects are updated from the local gateway using the dynamic_objects CLI command
  • Updatable Objects are updated from the Check Point Cloud 

They are different object types.

0 Kudos