Here's a million dollar question (or maybe $5):
What's missing from the list of Updatable Objects below? Where are the Check Point services? The ones that are listed here: sk83520
Of course you could create FQDN objects manually or a custom application category with URLs included, but that means manual maintenance. It would be so nice to have a pre-built object that's maintained by CP themselves! Have a great Friday!
But will we be able to use that group in something like the Encryption Domain, which generally works with fixed network/host objects?
Hi,
Encryption Domain is not working with updatable objects, so also a group which includes updatable objects is not supported in Encryption Domain.
Regards,
Micky
Micky, would this imply that R81.10 management with our R80.40 gateways will allow updatable objects and function as hoped, as mentioned by PhoneBoy below, more specifically in the Encryption Domain?
Hybrid Work From Home is here to stay for many organizations and we really appreciate any/all VPN related enhancements!
Thank you
Are there any plans to include Mcafee Cloud services?
Hi @genisis__ ,
We didn't get requests for it till now and we can surely evaluate it for next developments.
Please use sk173416 in order to provide the relevant information.
We are using this SK for collecting common requests from customers.
Thanks,
Micky
Will take a look, thanks.
Just tried to submit info via feedback in the SK but it's not working, so the info I found is below:
Service Name: Mcafee Cloud
https://kc.mcafee.com/corporate/index?page=content&id=KB87232
Service Name: Cisco Meraki
Hi @genisis__, currently the feedback form does not allow URLs. I am checking with the relevant team how to fix this. Meanwhile, I submitted just the names of the services for you.
I have a rule to allow my gateways and management servers to talk to "Check Point Services" as the destination, which I assumed would cover everything they need. However, I see the gateways attempting to talk to a handful of Akamai-owned IP addresses (over HTTPS) and these are not being allowed by this rule. There is no URL listed in the log. Has anyone else seen this?
Dave
Paging @Micky_Michaeli
Is something not working? Or you just suspect that something might not work because of these drops?
Hi @David_C1,
The content included in "Check Point Services" updatable object allows blades and features the ability to get required updates and packages from Check Point Services and to access them as part of their functionality.
We are not allowing all traffic originating from the GW to Akamai, so seeing such traffic not matched by our object can't indicate any issue.
In case you suspect something is not updated properly, please let me know.
Thanks,
Micky
Thanks Micky,
Everything seems to be working fine, so I guess my question is - what is the gateway talking to that it doesn't need to talk to for their functionality? Why would the gateway talk to anything except the IPs/domains needed for their functionality? Perhaps an outdated DNS record, which points to an IP that at some point was used by Check Point domains? You can understand how this could make people uneasy, especially on edge gateways and if the Global Property "Accept outgoing packets originating from the Gateway" is checked.
Dave
Out of interest do you allow traffic for certificate services such as CRL / OCSP separately as an example? Such destinations wouldn't constitute Check Point services...
I don't have a specific rule for CRL/OCSP for the gateways. I use ordered layers (first layer: FW, second layer: AppCtrl and URLF) so I'd have to think about how that would work. However, according to https://secureupdates.checkpoint.com/cp_services/V1_0_0/gw/cp_services_uo, the following domains are included in the Check Point Services object:
crl.globalsign.com
crl.entrust.com
crl.verisign.com
Ideally, anything a gateway (or management) needs to talk to would be included in the Check Point Services object, and if a gateway or management doesn't need to talk to something, it shouldn't even be trying (and if it is, that makes me nervous).
Dave
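The check Dave describes above (are the destinations my gateway actually connects to covered by the allow-list I think covers them?) can be scripted against exported logs. The following is an added example, not code from the thread or from Check Point: it parses constructed key=value log lines, matches each destination against a constructed allow-list of IP ranges and domain names, and reports destinations that are covered by neither. The allow-list layout is an assumption made for this example; it is not the format of the cp_services_uo feed, which the thread references by URL only. The log field names (`dst`, `dst_host`, `rule`) are likewise constructed.

```python
"""Audit gateway egress log entries against a destination allow-list.

Added example, not from the CheckMates thread or from Check Point. The
allow-list and log formats below are constructed for this example only.
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed allow-list: domain names plus the IP ranges assumed to back them.
# The IPs are RFC 5737 documentation ranges, not real service addresses.
CONSTRUCTED_ALLOWLIST = {
    "domains": ["secureupdates.checkpoint.com", "crl.globalsign.com", "crl.entrust.com"],
    "ip_ranges": ["203.0.113.0/24", "198.51.100.10/32"],
}

# Constructed log lines, one connection each. Only the last line carries a
# resolved hostname; the others expose just the destination IP, as in Dave's case.
CONSTRUCTED_LOGS = """\
time=2024-01-01T10:00:01 src=10.0.0.1 dst=203.0.113.5 dport=443 action=accept rule="CP Services"
time=2024-01-01T10:00:02 src=10.0.0.1 dst=198.51.100.10 dport=80 action=accept rule="CP Services"
time=2024-01-01T10:00:03 src=10.0.0.1 dst=192.0.2.44 dport=443 action=drop rule="Cleanup"
time=2024-01-01T10:00:04 src=10.0.0.1 dst=192.0.2.44 dport=443 action=drop rule="Cleanup"
time=2024-01-01T10:00:05 src=10.0.0.1 dst=192.0.2.99 dport=443 action=accept rule="Any out" dst_host=crl.entrust.com
"""


def parse_log_line(line: str) -> dict:
    """Split one key=value line; shlex keeps quoted values such as rule="CP Services" whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def build_networks(allowlist: dict) -> list:
    """Turn the allow-list's CIDR strings into ip_network objects for membership tests."""
    return [ipaddress.ip_network(r, strict=False) for r in allowlist["ip_ranges"]]


def host_allowed(host: str, domains) -> bool:
    """True if host equals an allow-listed domain or is a subdomain of one.

    The dot is required before the suffix so 'evilcrl.entrust.com' does not
    match 'crl.entrust.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_covered(entry: dict, networks, domains) -> bool:
    """A connection is covered if its IP is in an allowed range or its hostname is allowed."""
    try:
        dst = ipaddress.ip_address(entry.get("dst", ""))
    except ValueError:
        return False  # malformed or missing destination: treat as not covered
    if any(dst in net for net in networks):
        return True
    host = entry.get("dst_host")
    return bool(host) and host_allowed(host, domains)


def audit(log_text: str, allowlist: dict) -> dict:
    """Return {destination: connection count} for destinations the allow-list does not cover."""
    networks = build_networks(allowlist)
    domains = [d.lower() for d in allowlist["domains"]]
    uncovered = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        if not is_covered(entry, networks, domains):
            uncovered[entry.get("dst", "?")] += 1
    return dict(uncovered)


if __name__ == "__main__":
    for dst, count in audit(CONSTRUCTED_LOGS, CONSTRUCTED_ALLOWLIST).items():
        print(f"{dst}: {count} connection(s) not covered by the allow-list")
```

On the constructed input the only uncovered destination is 192.0.2.44 (two drops); 192.0.2.99 is outside every listed range but is accepted because its logged hostname is an allow-listed CRL domain. That split is the practical point of the thread: when the log carries only an IP and the allow-list is maintained as domains, the audit can only be as good as the IP ranges you can attribute to those domains.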
Hi @David_C1,
There might be some connections from the GW to Akamai that are not part of the Check Point Services object.
For example, in sk116590 there are several Akamai hostnames that are not part of Check Point Services, such as:
There are more examples in this SK of hostnames that are not part of "Check Point Services".
The reason is that these hostnames are not hosted by Check Point and can't be called "Check Point Services".
However, it's legitimate traffic originating from the GW.
You provided some examples of CRLs that are part of our object.
These domains were added at a later stage to improve customers' experience, after we understood they are required for several products.
Thanks,
Micky
Thanks @Micky_Michaeli
This was good information. However, I see IPs that my (lab) gateway is attempting to talk to that are not listed in this SK, and I also don't run any Harmony Endpoint/SandBlast in my environment. Let me shift my question a bit (and maybe this should be spun off to a different thread): how do I write a policy which allows my gateways and management to only communicate with the necessary internet destinations? If there are destinations that are not included in the updatable object Check Point Services and are needed for gateway or management functionality, where is the documentation on this (preferably broken down by software blade)? Or is the only way to guarantee full functionality to allow "any" as a destination to the internet?
Dave
Hi @David_C1,
My recommendation is to use "Check Point Services" in your destination, the same as many customers use.
Any missing hostname that should be part of this object can be added to it and will be updated on your GW automatically once added.
Thanks,
Micky
Thanks @Micky_Michaeli,
Final (I hope) question then - are there any plans to break down the Check Point Services updatable object into more specific items, e.g. licensing, Anti-Bot updates, IPS updates, Threat Emulation)?
Dave
Hello @Wolfgang
Is it better to use “updatable objects” than “Application Control” for accessing certain resources on the Internet?
I need to give permissions to a couple of segments, 192.168.0.0/24 and 172.16.20.0/24, so that they can access ZOOM and GOOGLE CLASSROOM.
I have enabled the FW and APPC blade, but this is where my question arises: “out of curiosity,” is it better to use a feature for these accesses?
How “advantageous” is it to use UPDATABLE OBJECTS for services such as those I just mentioned?
Or would the choice be more at the discretion of each product administrator?
Cheers 🙂
@Matlu if your application or vendor is available in the updatable objects list I would prefer to go with this.
You can find detailed information about updatable objects here Updatable Objects
Using the application requires the gateway to recognize the application, but sometimes applications are not recognized. With updatable objects your gateway gets a list of IPs from the provider of the service and only connections to these IPs are allowed. If they change, your gateway will learn the changed IPs. That's very dynamic and flexible.
I'm not really familiar with Google's Classroom but I believe it's based on Google's Meet. The firewall requirements are listed here: Prepare your network for Meet meetings & live streams
Generally speaking, the “ports” that must be enabled with the rules that use “UPDATABLE OBJECTS,” as I understand it, would be allowing the ports known as 443, 80, and 53, correct?
More or less, but it really depends on what you are allowing.
I want to allow access to these segments to applications “in general and without restrictions.”
Specifically to ZOOM and Google Classroom.
Awesome work!
Does this also apply to Harmony Endpoint Services? (sk116590 and sk170198)
Hi,
Did you ever get a response to the Endpoint Services?
As far as I can tell they're not included in the Check Point Services...
Cheers
Hi Mikael,
All Check Point domains from these SKs are part of this object, yes.
Thanks,
Micky
I really miss the list of Apple Update sites! Why do I have to do reverse engineering of Apple infrastructure? Why do I have to make this list by myself? Or am I missing some point when updating Apple machines with HTTPS inspection on?
Why don't you open an RFE for this?