ConorOB
Explorer

Split tunnel - URL resolution "IPaddressFeed2CheckPoint" script for windows updates

Hi All, 


Requirement :: 

Split tunneling for windows updates. 


Background :: 

The customer is using an exclusion group for split tunneling with address ranges as per sk167000 for O365; Windows Updates are a new requirement. There does not appear to be an official Microsoft feed for domains/address ranges as there is for O365, and updatable/FQDN objects are unsupported for encryption-domain-related configuration, as per @PhoneBoy's comment in thread https://community.checkpoint.com/t5/Remote-Access-VPN/Split-tunnel-to-Microsoft-Office-365-YouTube-o...

In sk167000 point #11 outlines "Automate Office 365 address updates by importing IP Address objects directly from Microsoft’s public feed using the IPaddressFeed2CheckPoint script from our Community Github page."

From script using feed :: 

#Download of Feed
# Note: --insecure disables TLS certificate validation for endpoints.office.com; drop it if the gateway can validate the feed host's certificate.
curl_cli --insecure 'https://endpoints.office.com/endpoints/worldwide?noipv6&ClientRequestId=b10c5ed1-bad1-445f-b386-b919...' | jq '.[] | select(.category=="Optimize")' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,\}' > $v_helper_o365_ipv4cidr


Query ::

Could this be used to resolve domains related to Windows Updates to IPs and populate an exclusion group to enable split tunneling in this case, as there doesn't appear to be a feed to pull domains/address ranges from?

Is there another known solution for this requirement, as it is possibly a common ask?


Please let me know what you think here.

Thanks

1 Reply
PhoneBoy
Admin

First of all, I think the requirement to "route all traffic" is...untenable for a variety of reasons.
A better approach would be to have the appropriate controls on the Endpoint (Harmony Endpoint/Browse) so routing the traffic back to a headend isn't necessary.

Having said that, I imagine this code could (with modifications, likely) also work for the purpose of creating an encryption domain.
The main thing is that the output must be IP addresses, since you have to create regular network/host objects.

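The adaptation discussed above (parse the feed for one category, resolve a hand-maintained FQDN list, and end up with IP-only objects), as an added example that is not the IPaddressFeed2CheckPoint script and not code from anyone in this thread. The feed JSON and the Windows Update name list are constructed samples, the resolver answers are made-up TEST-NET addresses so it runs offline, the object naming scheme is hypothetical, and the `ip-address` / `subnet` / `mask-length` fields mirror the Management API's `add host` / `add network` parameters; how you feed them into your script is up to you.

```python
"""Feed category -> IPv4 CIDRs, FQDN list -> /32s, then IP-only object
descriptors. Added example; not the community script."""
import ipaddress
import json
import socket

# Constructed sample in the shape of the endpoints.office.com JSON feed
# (three entries; the real feed has many more). Not a live download.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "category": "Optimize"},
    {"id": 2, "serviceArea": "Skype", "urls": ["*.lync.com"],
     "ips": ["13.107.64.0/18"], "category": "Optimize"},
    {"id": 3, "serviceArea": "Common", "urls": ["*.office.com"],
     "ips": ["20.190.128.0/18"], "category": "Allow"},
])

# Constructed sample: a few Windows Update names, wildcards included, and a
# stub resolver with made-up (TEST-NET) answers so the example runs offline.
SAMPLE_WU_FQDNS = ["*.windowsupdate.com", "download.windowsupdate.com",
                   "fe3.delivery.mp.microsoft.com"]
STUB_ANSWERS = {"download.windowsupdate.com": ["203.0.113.10", "203.0.113.11"],
                "fe3.delivery.mp.microsoft.com": ["198.51.100.5"]}


def extract_ipv4_cidrs(feed_text, category="Optimize"):
    """Sorted, de-duplicated IPv4 CIDRs from entries of one category.
    A real JSON parse instead of jq|grep: IPv6 prefixes and entries
    without an 'ips' key are handled explicitly rather than by regex."""
    nets = set()
    for entry in json.loads(feed_text):
        if entry.get("category") != category:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.add(net)
    return [str(n) for n in sorted(nets)]


def default_resolver(fqdn):
    """Live A-record lookup through the OS resolver (not used by the test)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def stub_resolver(fqdn):
    """Offline stand-in for default_resolver, backed by STUB_ANSWERS."""
    if fqdn not in STUB_ANSWERS:
        raise socket.gaierror(fqdn)
    return STUB_ANSWERS[fqdn]


def resolve_fqdns(fqdns, resolver=default_resolver):
    """Resolve each name to /32 networks. Wildcard names cannot be resolved
    and lookup failures are not silently dropped: both land in 'skipped'
    so the operator sees exactly which names the exclusion group misses."""
    hosts, skipped = set(), []
    for name in fqdns:
        if name.startswith("*"):
            skipped.append(name)
            continue
        try:
            for ip in resolver(name):
                hosts.add(str(ipaddress.ip_network(ip + "/32")))
        except OSError:  # socket.gaierror is a subclass of OSError
            skipped.append(name)
    return sorted(hosts, key=ipaddress.ip_network), skipped


def to_objects(cidrs, prefix="WU"):
    """IP-only host/network descriptors (what an encryption domain member
    must be). Naming scheme is hypothetical; field names follow the
    Management API's 'add host' and 'add network' parameters."""
    objs = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        addr = str(net.network_address)
        name = f"{prefix}_{addr.replace('.', '_')}_{net.prefixlen}"
        if net.prefixlen == 32:
            objs.append({"type": "host", "name": name, "ip-address": addr})
        else:
            objs.append({"type": "network", "name": name,
                         "subnet": addr, "mask-length": net.prefixlen})
    return objs


if __name__ == "__main__":
    o365 = extract_ipv4_cidrs(SAMPLE_FEED)
    wu, skipped = resolve_fqdns(SAMPLE_WU_FQDNS, stub_resolver)
    for obj in to_objects(o365, "O365") + to_objects(wu, "WU"):
        print(obj)
    print("not covered (wildcards / failed lookups):", skipped)
```

Two caveats the code makes visible rather than hiding: a wildcard such as `*.windowsupdate.com` has no A record to resolve, so it always ends up in the skipped list, and the /32s you do get are whatever the CDN answered at that moment, so the job has to be re-run on a schedule and the group will still lag behind DNS. That is the gap between a vendor-published prefix feed and DNS snapshots, and it is why the reply above points to endpoint-side controls instead.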