Hi Nadav,

This is really positive!  We all look forward to this.

One small think, not sure if your the correct person to highlight this to.  In R81 Jumbo 25 there is an issue where trusted GUI client is no longer authorised.

We have specified a subnet rather hosts as Allowed clients, which is a supported approach.  In this Jumbo a host within this subnet is not authorised to access the SMS; we resolved this by installing JHFA23 instead.

I have raised a TAC case.  TAC have requested I add host addresses.  I don't believe this is the correct approach.  The approach in my option should be:

- Acknowledge the fault

- Create a bug id

- resolve the fault

- Pull JHFA25 (or update it as its ongoing), and release a new Jumbo.

Hello @genisis__,

There is indeed a bug in JHF 25 when connecting from an IP that not explicitly defined in the Trusted Clients list and next take (planned to be released in few days) will include a fix for this.

sk173026 about the issue was created and will be released ASAP.

Regards,

Ofer Barzvi

Awesome! Thanks for confirming.

b.t.w I can't find the SK?

In this new update, are there plans to increase the number of updatable objects?  Example I think would be useful to have the following:

Zoom

WebEx

Cisco Meraki Cloud

Fortigate Cloud

PaloAlto Cloud

The new update is targeted to release 3 common requests we get - 
1. Check Point online services 
2. Github services 
3. Zscaler services 

Regarding Zoom & Webex - both are already available as updatable objects.

Regarding Cisco/Fortinet/Palo Alto cloud - we didn't get this request till now and we can surely evaluate it for next rounds.

Nadav

Great! I think the other clouds would be good to encompass as these are common, equally I would hope that the Checkpoint Cloud would be integrated into the other vendor security solutions as well.

Perhaps also good to add status of connectivity or a version number of some sort in the Updateable Object window or last connected date/time . Actually similar to a data center object which has "test connectivity". This way it is confirmed status is green or red of the Updateable objects itself incase there is a loss of network connectivity or updateable objects are not getting updated for some reason. 

I like it!

Hi Nadav,

Any idea from when Updatable objects for Github will be available.

Paramjeet 

Looks exactly the same on R81.10...no change. 

@Micky_Michaeli great news! Any SK about this?

Finally!!!!

Do we know when other updatable objects will be added, specially thinking of  Fortigate Cloud Services, Cisco Cloud Services, Palo Alto Cloud Services.

That would really be awesome!

@genisis__ 

it took me a moment to understand you were actually serious here 🙂

As with any of the items we have updatable objects for, there must be a published list in an easily machine-readable format for us to have an object for it.
If the vendors provide it, we can consider adding it.

Not sure if this will help:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD45118
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/620215/optional-changing-the-fortidns-se...

Cisco Meraki:
https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

If anyone else can input that would be good, but as you rightly point out, vendors should provide it, but clearly that is something between vendors.

Would it be possible to add fireeye cloud as an updatable object as well?

B.t.w still don't see Cisco Meraki Cloud or Forticloud as  updatable objects.

I tried a rule, source SMS and destination the new updatable object "Check Point Service", services HTTP and HTTPS.

- IPS updates are not working

- ApplicationControl updates are not working

- cpinfo ... checking CK not working

- "installer download xxx" not working

- getting licenses or contract file working fine

Silly this to confirm (b.t.w I've not tested this new object myself), DNS resolution on client and gateway come back with same response.

Other then that, sounds like a TAC case.

Hi @Wolfgang ,

Thanks a lot for testing the new object and sharing this information with us. Such kind of feedback is very important to ensure the object is working as expected.

The dropped traffic is to crl.globalsign.com as we can see below, which is not a domain owned by Check Point, but is needed to be accessed during the download of different packages.

Following your feedback, we understand that it's important to add this domain to "Check Point Services" instead of suggesting to add this domain manually to policy.

We will upload a new package in the next few hours. I expect this package to arrive to all customers till tomorrow.

Please update me whether the issue resolved.

Regards,

Micky

Would love to see Checkpoint's updatable objects selectable in a network group object (to then be used within a Group with Exclusions) to allow split tunneling to just Zoom or O365.  Yes can be done by manually adding a script to pull the Microsoft or other IP ranges, but why should we have to manually duplicate the feature when Checkpoint has what we need in Checkpoint's maintained updatable objects. Just add it the rest of the logic to allow them in a group.  Should be one stop shop.

Hi @George_Casper,

Thanks for your feedback.

Better late than never - starting R81.10, updatable objects can be used in network group.

R81.10 MGMT can manage R80.20 (or above) GWs and add updatable objects to network group.

Regards,
Micky