Here's a million dollar question (or maybe $5)
What's missing from the list of Updatable Objects below? Where are Check Point services? The ones that are listed here: sk83520
Of course you could create FQDN objects manually or a custom application category with URLs included, but that means manual maintenance. Would be so nice to have a pre-built object that's maintained by CP themselves! Have a great Friday!
But will we be able to use that group in something like the Encryption Domain, which generally works with fixed network/host objects?
Hi,
Encryption Domain is not working with updatable objects, so also a group which includes updatable objects is not supported in Encryption Domain.
Regards,
Micky
Micky, would this imply that R81.10 management with our R80.40 gateways will allow updatable objects and function as hoped, as mentioned by PhoneBoy below, more specifically in the Encryption Domain?
Hybrid Work From Home is here to stay for many organizations and we really appreciate any/all VPN related enhancements!
Thank you
Are there any plans to include Mcafee Cloud services?
Hi @genisis__ ,
We didn't get requests for it till now and we can surely evaluate it for next developments.
Please use sk173416 in order to provide the relevant information.
We are using this SK for collecting common requests from customers.
Thanks,
Micky
Will take a look, thanks.
Just tried to submit info via feedback in the SK but it's not working, so the info I found is below:
Service Name: Mcafee Cloud
https://kc.mcafee.com/corporate/index?page=content&id=KB87232
Service Name: Cisco Meraki
Hi @genisis__, currently the feedback form does not allow URLs. I am checking with the relevant team how to fix this. Submitted just the names of the services for you meanwhile.
I have rule to allow my gateways and management servers to talk to "Check Point Services" as the destination, which I assumed would cover everything they need. However, I see the gateways attempting to talk to a handful of akamai owned IP addresses (over https) and these are not being allowed by this rule. There is not a URL listed in the log. Has anyone else seen this?
Dave
Paging @Micky_Michaeli
Is something not working? Or do you just suspect that something might not work because of these drops?
Hi @David_Charnon,
The content included in "Check Point Services" updatable object allows blades and features the ability to get required updates and packages from Check Point Services and to access them as part of their functionality.
We are not allowing all traffic originated from GW to Akamai, so seeing such traffic not matched on our object can't indicate any issue.
In case you suspect something is not updated properly, please let me know.
Thanks,
Micky
Thanks Micky,
Everything seems to be working fine, so I guess my question is - what is the gateway talking to that it doesn't need to talk to for their functionality? Why would the gateway talk to anything except the IPs/domains needed for their functionality? Perhaps an outdated DNS record, which points to an IP that at some point was used by Check Point domains? You can understand how this could make people uneasy, especially on edge gateways and if the Global Property "Accept outgoing packets originating from the Gateway" is checked.
Dave
Out of interest do you allow traffic for certificate services such as CRL / OCSP separately as an example? Such destinations wouldn't constitute Check Point services...
I don't have a specific rule for CRL/OCSP for the gateways. I use ordered layers (first layer: FW, second layer: AppCtrl and URLF) so I'd have to think about how that would work. However, according to https://secureupdates.checkpoint.com/cp_services/V1_0_0/gw/cp_services_uo, the following domains are included in the Check Point Services object:
crl.globalsign.com
crl.entrust.com
crl.verisign.com
Ideally, anything a gateway (or management) needs to talk to would be included in the Check Point Services object, and if a gateway or management doesn't need to talk to something, it shouldn't even be trying (and if it is, that makes me nervous).
Dave
Hi @David_Charnon,
There might be some connections from the GW to Akamai that are not part of the Check Point Services object.
For example, in sk116590, there are several Akamai hostnames that are not part of Check Point Services such as:
There are more examples in this SK of hostnames that are not part of "Check Point Services".
The reason is that these hostnames are not hosted on Check Point and can't be called "Check Point Services".
However, it's legitimate traffic originated from the GW.
You provided some examples for CRLs that are part of our object.
These domains were added at a later stage to improve customers' experience after we understood they are required for several products.
Thanks,
Micky
Thanks @Micky_Michaeli
This was good information. However, I see IPs that my (lab) gateway is attempting to talk to that are not listed in this SK, and I also don't run any Harmony Endpoint/SandBlast in my environment. Let me shift my question a bit (and maybe this should be spun off to a different thread) - how do I write a policy which allows my gateways and management to only communicate with the necessary internet destinations? If there are destinations that are not included in the updatable object Check Point Services and are needed for gateway or management functionality, where is the documentation on this (preferably broken down by software blade)? Or is the only way to guarantee full functionality to allow "any" as a destination to the internet?
Dave
Hi @David_Charnon,
My recommendation is to use "Check Point Services" in your destination, the same as many customers use.
Any missing hostname that should be part of this object can be added to this object and will be updated on your GW automatically once added.
Thanks,
Micky
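The exchange above boils down to an audit question: which gateway egress connections match the FQDNs in the "Check Point Services" object, which match nothing, and which cannot be judged at all because no URL was logged. The script below is an added example, not code from the thread or from Check Point; the allow list holds the three CRL hosts quoted in the thread plus a labelled placeholder, and the log records are constructed.

```python
"""Audit gateway egress records against an updatable-object FQDN list.

Added example: matches constructed log records against a constructed allow
list (the CRL hosts quoted in the thread plus a placeholder). Destinations
that match no FQDN, or that were logged without a URL, are listed separately
so they can be investigated or submitted via the SK for inclusion.
"""
import ipaddress

# Constructed stand-in for the Check Point Services FQDN list.
# The three CRL hosts are from the thread; the last entry is a placeholder.
CP_SERVICES_FQDNS = {
    "crl.globalsign.com",
    "crl.entrust.com",
    "crl.verisign.com",
    "updates.placeholder.example",
}


def fqdn_allowed(host, allowed=CP_SERVICES_FQDNS):
    """True if host equals an allowed FQDN or is a subdomain of one.

    The leading dot in the suffix test stops 'notcrl.entrust.com' from
    matching 'crl.entrust.com'; lowercasing and stripping a trailing dot
    normalise the way resolvers and logs write names.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit(log_lines, allowed=CP_SERVICES_FQDNS):
    """Split records 'src dst_ip dst_port [url]' into three lists.

    Returns (matched, unmatched, ip_only). A record with no URL can only be
    judged by IP, which an FQDN-based object cannot do, so it goes to ip_only
    rather than being silently counted as a miss.
    """
    matched, unmatched, ip_only = [], [], []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record, skip
        ipaddress.ip_address(parts[1])  # raises ValueError on a bad IP
        url = parts[3] if len(parts) > 3 else None
        if url is None:
            ip_only.append(line)
        elif fqdn_allowed(url.split("/")[0], allowed):
            matched.append(line)
        else:
            unmatched.append(line)
    return matched, unmatched, ip_only


# Constructed records: source, destination IP, port, optional URL.
SAMPLE_LOG = [
    "10.0.0.1 203.0.113.10 443 crl.globalsign.com/root.crl",
    "10.0.0.1 203.0.113.11 443 ocsp.other-ca.example/status",
    "10.0.0.1 203.0.113.12 443",  # no URL in the log, as in the thread
]
```

Running `audit(SAMPLE_LOG)` on the constructed records yields one matched, one unmatched and one IP-only entry; the last category is the one to resolve with the SK lookup rather than by widening the rule to "any".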
Thanks @Micky_Michaeli,
Final (I hope) question then - are there any plans to break down the Check Point Services updatable object into more specific items, e.g. licensing, Anti-Bot updates, IPS updates, Threat Emulation)?
Dave
Awesome work!
Does this also apply to Harmony Endpoint Services? (sk116590 and sk170198)
I really miss the list of Apple Update sites! Why do I have to do reverse engineering of Apple infrastructure? Why do I have to make this list by myself? Or am I missing some point when updating Apple machines with HTTPS inspection on?
Why don't you open an RFE for this?
Also, from your example it seems to me, FQDN objects would do.
I knew I missed some point. Thanks Val, FQDN will spare lots of time!
Be patient. I think time is needed to get more and more updatable objects. Check Point started with only a few objects and now we have a lot more. As you can see in this thread, it's possible to request a new object. @Kaspars_Zibarts started this thread 2021-04-23 08:13 AM and yesterday we got the new object for Check Point services.
In the meantime you can use the available Apple-objects from ApplicationControl/URL-Filter:
Hi,
We just released a new Updatable object for GitHub Services.
The new object for Zscaler Services is planned to be released by the first week of July.
We created sk173416 for Updatable Objects FAQ - You can find interesting information on Updatable objects and how new suggestions for Updatable objects can be submitted.
Thanks,
Micky
Very good news indeed!
Hi, what are the plans for SAP cloud services, which is a worldwide ERP software standard?
Thanks
Andreas
Hi @Andreas_Hofmann,
We didn't get a lot of requests for it till now and we can surely evaluate it for the next released objects.
Please use sk173416 in order to provide the relevant information regarding SAP cloud services updatable object.
We are using this SK for collecting common requests from customers.
Thanks,
Micky