vas
Contributor

Allowing O365 services via Checkpoint

Hi There,

We're in the process of forwarding Office 365 via Check Point R81.10 (instead of a proxy) and would like to seek advice on using the O365 Updatable Objects in our environment.

I'm aware that since R80.20, Check Point supports 'updatable objects' for various vendors, but I've got some questions about this.

1. Does Check Point require SSL inspection to be configured to detect and continue forwarding the O365 traffic?

2. Does it also require URLF? Going through the community forums, it's been mentioned that Check Point doesn't support updatable objects for MS Office, which include wildcards.

3. As per SK110679 (Application Control support for Office 365), does it require any App Control for better usage and performance?

4. Any best practices to follow (based on experience) or any known issues?

So, I'm trying to understand: would updatable objects themselves suffice, or does it require SSL inspection, URLF, and application control?

Thanks in advance.


Accepted Solutions
the_rock
Legend

You don't need SSL inspection enabled in order to use updatable objects, but considering that literally 99% of the sites worldwide are HTTPS nowadays, it makes sense to have it on. To use wildcards for custom app objects (not UO), you do need the URLF blade enabled, but if you just need updatable objects, I don't believe you have to have the blade enabled, but I will confirm in the lab tomorrow.

Best,

Andy

13 Replies
the_rock
Legend

To add to my 1st reply, based on the below, I don't see any special requirements to use updatable objects, but will definitely verify in the lab Monday.

Have a great night.

Best,

Andy

https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

vas
Contributor

Hi @the_rock 

Many thanks for the reply and getting it tested on your lab. Much appreciated.

AFAIK, MS doesn't recommend doing HTTPS inspection for the O365 traffic. As you mentioned, since most of the traffic has become SSL now, I'm trying to find out whether updatable objects themselves would suffice.

And, per SK110679 (Application Control support for Office 365), does it also require any App Control (in addition to updatable objects) for better usage and performance?

the_rock
Legend

I would say, regardless of circumstances, URLF + AppC should be enabled anyway. I can tell you, this is not only on CP, but even on FortiGates and PAN: if you have SSL inspection enabled as well, you will see the IPS blade being way more beneficial.

Best,

Andy

vas
Contributor

Hi Mate, I agree. My scenario is to send only O365 via the firewall and the rest via the proxy, where SSL inspection is happening.

As you know, MS O365 is a critical service where any downtime isn't entertained. Once tested in your lab, can you please share your insights?

Thanks for your help.

the_rock
Legend

Yup, just tested it, worked fine without inspection, URLF or AppC. I only had the IPS, VPN and Monitoring blades on. Personally, in production, I ALWAYS advise people to at least have URLF and AppC enabled. Just my suggestion mate, I don't force anyone to do anything, it's a free country :-)

Best,

Andy

the_rock
Legend

OK, so I just tested it in the lab and you can add any updatable object, even if you don't have URLF or AppC enabled. BUT, again, as the SK says, to function 100% properly, you should even have SSL inspection on. Yes, it will work without those blades, but you won't see the full benefits of it at all.

Best,

Andy

vas
Contributor

Hi @the_rock 

Thanks and apologies for the late reply. I have seen some threads on updatable objects, which don't support wildcard FQDN objects.

As O365 traffic also contains wildcard FQDNs (on non-web ports), it can't traverse via the URLF layer and hence it's necessary to include every URL/domain that the site is trying to load as part of the page. If we proceed with FQDN objects, it's very challenging as it requires each and every domain to be added manually.

Any suggestions on how to get this accomplished? 

the_rock
Legend

The custom app/site object lets you import a CSV file into it, so that's one option. Yes, I do believe you are correct in saying that UOs don't support wildcards.

Ostensibly, even if that's the case, custom site objects should work. I don't know any better suggestion, but you can confirm with TAC 100%, see what they have to say.

Best,

Andy

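To make the two points of this exchange concrete (updatable objects and plain FQDN objects cannot carry wildcards, and a URLF custom site only covers HTTP/HTTPS), here is an added example, not from this thread or from Check Point, that sorts a Microsoft 365 endpoint list into the three buckets an admin has to handle differently and emits the plain-host list as a one-column CSV for import. The JSON sample is constructed in the shape of Microsoft's public endpoint web service (endpoints.office.com); the one-column CSV layout is an assumption to be checked against the SmartConsole import dialog.

```python
import csv
import io
import json

# Constructed sample shaped like the Microsoft 365 endpoint web service
# response (id, serviceArea, category, required, urls, tcpPorts). Values are
# illustrative, not a live download.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"], "tcpPorts": "80,443"},
    {"id": 5, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.protection.outlook.com"], "tcpPorts": "25,443"},
    {"id": 9, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.outlook.office.com", "outlook.office365.com"],
     "tcpPorts": "143,587,993,995"},
    {"id": 46, "serviceArea": "Common", "category": "Default", "required": True,
     "urls": ["*.office.com"], "tcpPorts": "80,443"},
    {"id": 99, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["optional.example.invalid"], "tcpPorts": "443"},
])

WEB_PORTS = {"80", "443"}  # ports a URLF/AppC custom site can see


def classify(endpoint_json):
    """Return (plain, wildcard_web, wildcard_nonweb), each a sorted list.

    plain           - no wildcard: usable as an FQDN / updatable-object entry
    wildcard_web    - wildcard, only web ports: a URLF custom site can match it
    wildcard_nonweb - wildcard on SMTP/IMAP/etc.: neither object type covers it,
                      so these are the hosts that need a TAC answer or manual work
    """
    plain, wildcard_web, wildcard_nonweb = set(), set(), set()
    for entry in json.loads(endpoint_json):
        if not entry.get("required"):
            continue  # optional endpoints are left out of the policy
        ports = {p for p in entry.get("tcpPorts", "").split(",") if p}
        non_web = ports - WEB_PORTS
        for host in entry.get("urls", []):
            if "*" not in host:
                plain.add(host)
            elif non_web:
                wildcard_nonweb.add(host)
            else:
                wildcard_web.add(host)
    return sorted(plain), sorted(wildcard_web), sorted(wildcard_nonweb)


def to_csv(hosts):
    """One host per row, the assumed layout for the custom site CSV import."""
    buf = io.StringIO()
    csv.writer(buf).writerows([h] for h in hosts)
    return buf.getvalue()
```

Run against the real feed, the third bucket is the list to put in front of TAC, since it is exactly the wildcard-on-non-web-port case the thread says cannot be expressed with either object type.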
vas
Contributor

Thanks. Sure, will log a TAC case.

As far as I know, custom app/site is for URLF and App Control, which is for HTTP/HTTPS and not for non-web services, as MS also has IMAP and SMTP associated with it.

While I raise a TAC case, can you please confirm the above?

the_rock
Legend

Correct.

the_rock
Legend

Keep us posted on what TAC says, because this can definitely help others and it's a really important subject, for sure.

Best,

Andy

sloddo
Explorer

Any update on this?
