Hello,
We need to create a rule in our FW, that allows access for Outlook mail consumption to a user with IP 10.x.x.x.x/32
We do not have APPC or URLF
We only have the instance with the blade FW running (We have a VSX environment)
The detail is that we have created a rule using as destination an 'Updatable Object', as Office 365, but the FW ignores the rule and the user cannot access (does not load the main page), the only way is to change the destination to ANY, and then it works.
Questions.
1. Updatable Object, does it work with a particular blade?
2. If you only have your VS working as FW, in what ways could we control the traffic to a particular destination, would it be using FQDN?
3. What are the domains that Outlook normally consumes so that someone can use webmail?
Thanks for your comments
I just ran below command on the lab fw:
[Expert@CP-GW:0]# dynamic_objects -uo "Office365 Services"
Output is way too long to copy it here, but outlook.com is 100% there. If it does not work, maybe try adding a domain object as .*outlook.com and uncheck the fqdn option and see if that works.
Andy
With the command shown by Andy you'll see if the updatable object will be fine. Using "Office 365 services" or "Exchange services" is the correct way. That's what updatable objects are for. Maybe something goes wrong...
Follow sk178775 - Security Gateway does not enforce a rule with Updatable Object in the Access Control Poli... to check your gateway
@Matlu what's OUTLOOK as destination? You mean https://outlook.com or do you mean outlook as client for an on-premise exchange or O365 exchange?
If you use an updatable object you need a working DNS on your gateway and your client and they have to be using the same DNS servers (meaning the DNS resolution has to be the same results on the client and on the gateway)
Hello
Indeed, our need is that the user can access via web, to https://outlook.com, but the problem is that when I make the security rule putting as destination the Updatable Object of 'Office 365', this does not work, because the user can not access the web.
The only way is putting as destination in 'Any'.
For it to consume https://outlook.com, do you need to place other 'Updatable Objects'?
Or the correct way for this permission is another one?
We only have the FW blade available
Thanks for your comments
I can check in the lab tomorrow...what is EXACT name of the updatable object?
Andy
It's Office 365
If it is not feasible to use Updatable Object for this purpose, what would be the most favorable option when you only have the FW blade available?
Let me do some lab tests soon and will update you buddy.
Andy
Hey, Bro
When working with “DOMAINS”, do you know if it is necessary to enable also the HTTPS Inspection in the GW?
The rule you created is not working, and it seems that since you created it it doesn't work.
Unfortunately I had a problem with the logs of our box and I had no way to confirm if the rule was working or not.
You don't need to, only having fw blade enabled on the layer is good enough.
Andy
Hey buddy,
If using domain objects is not working, where is it blocked? MAKE SURE it starts with . that's a must.
Andy
Bro,
I'll try it today and update you
One query, the command you shared to test, I guess it should be run on the VS instance where I'm working this permission, right?
Cheers
That's right. Btw, command works for ANY updatable object used in policy, just make sure to put EXACT name as it shows in smart console.
Andy
Hey, Andy
Your recommendation seems to have taken effect in my environment.
I have a question, does Check Point have a kind of “Debug Flow”, as it exists in other vendor like Fortinet, which helps you to know by CLI, in which rule a particular traffic is doing MATCH?
It happens to be working with your recommendation what I needed, but we have a problem with our LOG SERVERS, and we can't see the real traffic at this moment.
I want to rely on a “Packet Capture” class to help me know if the traffic is MATCHing or not with the rule we have created.
Cheers. 🙂
K, great!
If you are looking for something similar to what I attached on Fortigate (by the way, for what it's worth, fortimanager is way better for that), closest I can think of is below.
Andy
Interesting tool, but I have a question, in the “destination” field, how would you filter if your original destination is a domain?
Do you have to first do a NSLOOKUP on your PC, and resolve your domain as https://outlook.com, and take any IP that NSLOOKUP gives you, to put it in the command syntax?
Or is there another way?
Excellent question!
Sadly, you can NOT do domains, ONLY IP addresses. So you can do nslookup as you said and then test it that way. I sadly don't know of any other way.
Andy
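Added example, not part of the thread or Check Point's own tooling: the two checks discussed above (the client and the gateway must resolve to the same addresses, and rule tests take IP addresses rather than domains) can be combined by comparing what the client's nslookup returned against the ranges the gateway holds for the object. The range strings and addresses below are constructed sample data typed in by hand; the input format is an assumption, not the output format of `dynamic_objects -uo`.

```python
import ipaddress

def parse_range(text):
    """Accept 'a.b.c.d/nn' or 'start-end'; return (version, first, last) as ints."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.ip_network(text, strict=False)
        lo, hi = net[0], net[-1]
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"bad range: {text!r}")
    return lo.version, int(lo), int(hi)

def uncovered(client_ips, gateway_ranges):
    """Return the client-resolved addresses that no gateway range contains."""
    ranges = [parse_range(r) for r in gateway_ranges]
    missing = []
    for raw in client_ips:
        ip = ipaddress.ip_address(raw)
        hit = any(v == ip.version and lo <= int(ip) <= hi for v, lo, hi in ranges)
        if not hit:
            missing.append(raw)
    return missing

# Constructed sample data (documentation address space, not real Office 365 ranges).
# GATEWAY_RANGES: ranges copied by hand from what the gateway lists for the object.
# CLIENT_IPS: answers the client's resolver gave for the destination host name.
GATEWAY_RANGES = ["198.51.100.0/25", "203.0.113.10-203.0.113.20", "2001:db8:1::/48"]
CLIENT_IPS = ["198.51.100.17", "203.0.113.21", "2001:db8:1::5", "192.0.2.8"]

if __name__ == "__main__":
    for ip in uncovered(CLIENT_IPS, GATEWAY_RANGES):
        print(f"{ip}: resolved by the client but not in the gateway's ranges")
```

Any address this reports is one the client may connect to that the rule's destination would not match, which points at a DNS mismatch between client and gateway rather than at the rule itself.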
Hey bud,
You only need technically fw blade enabled to use updatable object. I always only use it like that on ordered layer with fw blade enabled and works just fine.
Andy
I suspect you have to enable HTTPS Inspection to do this, regardless of other configuration requirements.