Updatable Object for Checkpoint services
Here's a million dollar question (or maybe $5)
What's missing on the list of Updatable Objects below? Where's Checkpoint services? Ones that are listed here sk83520
Of course you could create FQDN objects manually or a custom application category with URLs included but that means manual maintenance. Would be so nice to have a pre-built object that's maintained by CP themselves! Have a great Friday!
Accepted Solutions
Hi,
We just released a new Updatable object for Check Point's security online services called "Check Point Services".
I'll update on the additional two new objects for Github services and Zscaler services release (targeted to be released in few weeks).
Regards,
Micky
Very good news indeed!
Yeah @Kaspars_Zibarts this would be really nice to have.
Same for enhancement of the "HTTPS services - bypass"-object for known problematic sites from Several HTTPS web sites and applications might not work properly when HTTPS Inspection is enabled on...
not only HTTPS Inspection bypass list object for R80.40 and higher
I've banged on about this as well to Checkpoint, it's completely stupid of Checkpoint not to include their own services as part of this.
Hello @Kaspars_Zibarts, @genisis__ et al.,
We are targeting to release updatable object for Check Point online services in a matter of several weeks.
I appreciate the product feedback!
@Wolfgang, I am talking internally with the team to see which of the domains in SK can be promptly added to "optional bypass" section in object.
Regards,
Nadav Feigenblat
Hi Nadav,
This is really positive! We all look forward to this.
One small thing, not sure if you're the correct person to highlight this to. In R81 Jumbo 25 there is an issue where trusted GUI client is no longer authorised.
We have specified a subnet rather than hosts as Allowed clients, which is a supported approach. In this Jumbo a host within this subnet is not authorised to access the SMS; we resolved this by installing JHFA23 instead.
I have raised a TAC case. TAC have requested I add host addresses. I don't believe this is the correct approach. The approach in my opinion should be:
- Acknowledge the fault
- Create a bug id
- Resolve the fault
- Pull JHFA25 (or update it as it's ongoing), and release a new Jumbo.
Hello @genisis__,
There is indeed a bug in JHF 25 when connecting from an IP that is not explicitly defined in the Trusted Clients list, and the next take (planned to be released in a few days) will include a fix for this.
sk173026 about the issue was created and will be released ASAP.
Regards,
Ofer Barzvi
Awesome! Thanks for confirming.
b.t.w I can't find the SK?
In this new update, are there plans to increase the number of updatable objects? Example I think would be useful to have the following:
Zoom
WebEx
Cisco Meraki Cloud
Fortigate Cloud
PaloAlto Cloud
The new update is targeted to release 3 common requests we get -
1. Check Point online services
2. Github services
3. Zscaler services
Regarding Zoom & Webex - both are already available as updatable objects.
Regarding Cisco/Fortinet/Palo Alto cloud - we didn't get this request till now and we can surely evaluate it for next rounds.
Nadav
Great! I think the other clouds would be good to encompass as these are common, equally I would hope that the Checkpoint Cloud would be integrated into the other vendor security solutions as well.
Perhaps also good to add status of connectivity or a version number of some sort in the Updatable Object window or last connected date/time. Actually similar to a data center object which has "test connectivity". This way it is confirmed status is green or red of the Updatable objects itself in case there is a loss of network connectivity or updatable objects are not getting updated for some reason.
I like it!
Hi Nadav,
Any idea from when Updatable objects for Github will be available?
Paramjeet
Good point there : ). I will check for my own reference if this looks any different in my R81.10 lab.
Looks exactly the same on R81.10...no change.
@Micky_Michaeli great news! Any SK about this?
Excellent! I like these updatable objects 😊
Finally!!!!
Do we know when other updatable objects will be added, especially thinking of Fortigate Cloud Services, Cisco Cloud Services, Palo Alto Cloud Services?
That would really be awesome!
It took me a moment to understand you were actually serious here 🙂
As with any of the items we have updatable objects for, there must be a published list in an easily machine-readable format for us to have an object for it.
If the vendors provide it, we can consider adding it.
Not sure if this will help:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45118
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/620215/optional-changing-the-fortidns-se...
Cisco Meraki:
https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...
If anyone else can input that would be good, but as you rightly point out, vendors should provide it, but clearly that is something between vendors.
Would it be possible to add FireEye cloud as an updatable object as well?
B.t.w still don't see Cisco Meraki Cloud or Forticloud as updatable objects.
I tried a rule, source SMS and destination the new updatable object "Check Point Service", services HTTP and HTTPS.
- IPS updates are not working
- ApplicationControl updates are not working
- cpinfo ... checking CK not working
- "installer download xxx" not working
- getting licenses or contract file working fine
Silly thing to confirm (b.t.w I've not tested this new object myself), DNS resolution on client and gateway come back with same response.
Other than that, sounds like a TAC case.
Hi @Wolfgang ,
Thanks a lot for testing the new object and sharing this information with us. Such kind of feedback is very important to ensure the object is working as expected.
The dropped traffic is to crl.globalsign.com as we can see below, which is not a domain owned by Check Point, but is needed to be accessed during the download of different packages.
Following your feedback, we understand that it's important to add this domain to "Check Point Services" instead of suggesting to add this domain manually to policy.
We will upload a new package in the next few hours. I expect this package to arrive to all customers till tomorrow.
Please update me whether the issue is resolved.
Regards,
Micky
Would love to see Checkpoint's updatable objects selectable in a network group object (to then be used within a Group with Exclusions) to allow split tunneling to just Zoom or O365. Yes can be done by manually adding a script to pull the Microsoft or other IP ranges, but why should we have to manually duplicate the feature when Checkpoint has what we need in Checkpoint's maintained updatable objects. Just add it the rest of the logic to allow them in a group. Should be one stop shop.
Hi @George_Casper,
Thanks for your feedback.
Better late than never - starting R81.10, updatable objects can be used in network group.
R81.10 MGMT can manage R80.20 (or above) GWs and add updatable objects to network group.
Regards,
Micky
