Kaspars_Zibarts
Employee
Jump to solution

Updatable Object for Checkpoint services

Here's a million dollar question (or maybe $5) 

What's missing from the list of Updatable Objects below? Where are Check Point services, the ones listed in sk83520?

Of course you could create FQDN objects manually or a custom application category with URLs included, but that means manual maintenance. It would be so nice to have a pre-built object that's maintained by CP themselves! Have a great Friday!

image.png

(1)
71 Replies
PhoneBoy
Admin

But will we be able to use that group in something like the Encryption Domain, which generally works with fixed network/host objects?

0 Kudos
Micky_Michaeli
Employee

Hi,

Encryption Domain is not working with updatable objects, so also a group which includes updatable objects is not supported in Encryption Domain.

Regards,
Micky

0 Kudos
George_Casper
Collaborator

Micky, would this imply that R81.10 management with our R80.40 gateways will allow updatable objects to function as PhoneBoy hoped in his post below, more specifically in the Encryption Domain?

Hybrid Work From Home is here to stay for many organizations, and we really appreciate any/all VPN related enhancements!

Thank you

0 Kudos
genisis__
Leader

Are there any plans to include McAfee Cloud services?

0 Kudos
Micky_Michaeli
Employee

Hi @genisis__ ,

We didn't get requests for it until now, and we can surely evaluate it for future developments.

Please use sk173416 in order to provide the relevant information.

We are using this SK for collecting common requests from customers.

Thanks,

Micky

0 Kudos
genisis__
Leader

Will take a look, thanks.

0 Kudos
genisis__
Leader

Just tried to submit the info via the feedback form in the SK, but it's not working, so the info I found is below:

Service Name: McAfee Cloud
https://kc.mcafee.com/corporate/index?page=content&id=KB87232


Service Name: Cisco Meraki

https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

0 Kudos
_Val_
Admin

Hi @genisis__, currently the feedback form does not allow URLs. I am checking with the relevant team how to fix this. In the meantime, I submitted just the names of the services for you.

0 Kudos
Wolfgang
Authority

@Micky_Michaeli 

Thanks for fixing this. It's been working since yesterday at 19:45.

2021-06-02 07_14_45.png

David_C1
Advisor

I have rule to allow my gateways and management servers to talk to "Check Point Services" as the destination, which I assumed would cover everything they need. However, I see the gateways attempting to talk to a handful of akamai owned IP addresses (over https) and these are not being allowed by this rule. There is not a URL listed in the log. Has anyone else seen this?

Dave

0 Kudos
PhoneBoy
Admin

Paging @Micky_Michaeli 

0 Kudos
Kaspars_Zibarts
Employee

Is something not working? Or do you just suspect that something might not work because of these drops?

0 Kudos
Micky_Michaeli
Employee

Hi @David_C1,

The content included in "Check Point Services" updatable object allows blades and features the ability to get required updates and packages from Check Point Services and to access them as part of their functionality.

We are not allowing all traffic originating from the GW to Akamai, so seeing such traffic not matched by our object can't indicate any issue.

In case you suspect something is not updated properly, please let me know.


Thanks,
Micky

0 Kudos
David_C1
Advisor

Thanks Micky,

Everything seems to be working fine, so I guess my question is: what is the gateway talking to that it doesn't need to talk to for its functionality? Why would the gateway talk to anything except the IPs/domains needed for its functionality? Perhaps an outdated DNS record, which points to an IP that at some point was used by Check Point domains? You can understand how this could make people uneasy, especially on edge gateways and if the Global Property "Accept outgoing packets originating from the Gateway" is checked.

Dave

0 Kudos
Chris_Atkinson
Employee

Out of interest, do you allow traffic for certificate services such as CRL / OCSP separately, as an example? Such destinations wouldn't constitute Check Point services...

CCSM R77/R80/ELITE
0 Kudos
David_C1
Advisor

I don't have a specific rule for CRL/OCSP for the gateways. I use ordered layers (first layer: FW, second layer: AppCtrl and URLF), so I'd have to think about how that would work. However, according to https://secureupdates.checkpoint.com/cp_services/V1_0_0/gw/cp_services_uo, the following domains are included in the Check Point Services object:

crl.globalsign.com

crl.entrust.com

crl.verisign.com

Ideally, anything a gateway (or management) needs to talk to would be included in the Check Point Services object, and if a gateway or management doesn't need to talk to something, it shouldn't even be trying (and if it is, that makes me nervous).

Dave

0 Kudos
Micky_Michaeli
Employee

Hi @David_C1,

There might be some connections from the GW to Akamai that are not part of the Check Point Services object.
For example, in sk116590 there are several Akamai hostnames that are not part of Check Point Services, such as:

https://a88-221-154-122.deploy.static.akamaitechnologies.com
https://a2-22-93-83.deploy.static.akamaitechnologies.com
https://a95-100-209-19.deploy.static.akamaitechnologies.com
https General SBA services


There are more examples in this SK of hostnames that are not part of "Check Point Services".

The reason is that these hostnames are not hosted by Check Point and can't be called "Check Point Services".

However, it's legitimate traffic originating from the GW.

You provided some examples of CRLs that are part of our object.
These domains were added at a later stage to improve customers' experience, after we understood they are required for several products.

Thanks,
Micky

0 Kudos
David_C1
Advisor

Thanks @Micky_Michaeli 

This was good information. However, I see IPs that my (lab) gateway is attempting to talk to that are not listed in this SK, and I also don't run any Harmony Endpoint/SandBlast in my environment. Let me shift my question a bit (and maybe this should be spun off to a different thread): how do I write a policy which allows my gateways and management to only communicate with the necessary internet destinations? If there are destinations that are not included in the updatable object Check Point Services and are needed for gateway or management functionality, where is the documentation on this (preferably broken down by software blade)? Or is the only way to guarantee full functionality to allow "any" as a destination to the internet?

Dave

0 Kudos
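One way to audit the gap David describes (gateway or management egress that the Check Point Services object does not cover) from an exported log, as an added example that is not part of this thread and not a Check Point tool; the FQDN-to-IP mapping, host addresses and log lines are constructed, and in practice the FQDNs would come from the published cp_services_uo list linked above and their IP sets from the gateway's own resolution of the object:

```python
import ipaddress
from collections import defaultdict

# Constructed sample: FQDNs quoted from the thread, IP sets invented for
# the example (RFC 5737 documentation addresses, not real resolutions).
CP_SERVICES_RESOLVED = {
    "crl.globalsign.com": {"198.51.100.10", "198.51.100.11"},
    "crl.entrust.com": {"198.51.100.20"},
    "crl.verisign.com": {"198.51.100.30"},
    "secureupdates.checkpoint.com": {"203.0.113.5"},
}

# Our gateway and management addresses (constructed).
CP_HOSTS = {"10.0.0.1", "10.0.0.2"}

# Internal ranges; traffic to these is management traffic, not egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log export in "src dst dport action" form; a real export
# carries more fields, but these are the only ones this check needs.
SAMPLE_LOGS = """\
10.0.0.1 198.51.100.10 443 Accept
10.0.0.1 203.0.113.5 443 Accept
10.0.0.2 198.51.100.77 443 Drop
10.0.0.2 198.51.100.77 443 Drop
192.168.1.50 8.8.8.8 53 Accept
10.0.0.1 10.0.0.200 18191 Accept
"""

def covered_ips(resolved):
    """Flatten the FQDN -> IP-set map into one lookup set."""
    return {ip for ips in resolved.values() for ip in ips}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def uncovered_egress(log_text, resolved, cp_hosts):
    """Return {dst: (hit_count, {dports})} for connections that originate
    from a gateway/management host, go to a non-internal address, and do
    not land on an address the updatable object currently resolves to."""
    allowed = covered_ips(resolved)
    findings = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        src, dst, dport, _action = line.split()
        if src not in cp_hosts or dst in allowed or is_internal(dst):
            continue
        findings[dst][0] += 1
        findings[dst][1].add(int(dport))
    return {dst: (n, ports) for dst, (n, ports) in findings.items()}

if __name__ == "__main__":
    for dst, (n, ports) in uncovered_egress(SAMPLE_LOGS, CP_SERVICES_RESOLVED, CP_HOSTS).items():
        print(f"{dst}: {n} connection(s) on ports {sorted(ports)} not covered by Check Point Services")
```

Destinations the report lists are the ones to reverse-resolve and compare against the SKs Micky cites before deciding whether a dedicated FQDN object or an RFE for the updatable object is the right fix.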
Micky_Michaeli
Employee

Hi @David_C1,

My recommendation is to use "Check Point Services" as your destination, the same as many customers do.
Any missing hostname that should be part of this object can be added to it and will be updated on your GW automatically once added.

Thanks,
Micky

0 Kudos
David_C1
Advisor

Thanks @Micky_Michaeli,

Final (I hope) question then: are there any plans to break down the Check Point Services updatable object into more specific items (e.g. licensing, Anti-Bot updates, IPS updates, Threat Emulation)?

Dave

0 Kudos
MikeB
Advisor

Awesome work!

Does this also apply to Harmony Endpoint Services? (sk116590 and sk170198)

0 Kudos
Mikael
Employee

Hi,

Did you ever get a response to the Endpoint Services?
As far as I can tell they're not included in the Check Point Services...

Cheers

0 Kudos
Micky_Michaeli
Employee

Hi Mikael,

All Check Point domains from these SKs are part of this object, yes.

Thanks,

Micky

Jiri_Pridal
Explorer

I really miss the list of Apple Update sites! Why do I have to do reverse engineering of Apple infrastructure? Why do I have to make this list by myself? Or am I missing some point when updating Apple machines with HTTPS inspection on?

chp-mac-https-except.png

0 Kudos
_Val_
Admin

Why don't you open an RFE for this?

0 Kudos
_Val_
Admin

Also, from your example it seems to me that FQDN objects would do.

Jiri_Pridal
Explorer

I knew I missed some point. Thanks Val, FQDN will spare lots of time!

0 Kudos
Wolfgang
Authority

@Jiri_Pridal 

Be patient. I think time is needed to get more and more updatable objects. Check Point started with only a few objects and now we have a lot more. As you can see in this thread, it's possible to request a new object. @Kaspars_Zibarts started this thread on 2021-04-23 08:13 AM and yesterday we got the new object for Check Point Services.

In the meantime you can use the available Apple-objects from ApplicationControl/URL-Filter:

Screenshot 2021-06-02 093144.png

Micky_Michaeli
Employee

Hi,

We just released a new Updatable object for GitHub Services.

The new object for Zscaler Services is planned to be released by the first week of July.

We created sk173416 as an Updatable Objects FAQ. You can find interesting information there on Updatable Objects and on how new suggestions for Updatable Objects can be submitted.

Thanks,
Micky

the_rock
Legend

Very good news indeed!
