This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
Monday

Updatable Objects for MS Teams matches Github

Hello Folks, 

just stumbled over a possible MS Teams problem a customer is fighting for months ...
sometime the Updatable Objects IP matches on a different category ... then of course the policy doesnt match anymore, resulting in a drop.

dynamic_objects -ip 52.113.83.112

 

The following objects contain IP 52.113.83.112

 

Object name: CP_MS_Skype
Object type: Updatable Object

 

Object name: CP_Azure_Azure
Object type: Updatable Object

 

Object name: CP_GH_GITHUB
Object type: Updatable Object

so IP 52.113.83.112 should be an IP from the O365 MS Teams Range 52.122.0.0/15
https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worl...

this results in a drop on my policy:

@;81095432.634111613;[vs_0];[tid_19];[fw4_19];fw_log_drop_ex: Packet proto=6 10.10.42.68:57203 -> 52.113.83.112:3478 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "POLICY" rule 922;


did anybody notice this already as well?
i was always thinking this Updatable Objects are quite reliable ... but why this IP can matche on sometimes totally different categories? CP_GH_GITHUB & CP_MS_Skype

0 Kudos
12 Replies
Lesley
Mentor Mentor
Mentor
Monday

I assume you mean 52.112.0.0/14 and not 52.122.0.0/15 , 52.113.83.112 matches the first subnet. 

The issue is that Microsoft states it belongs to them and Github does the same, that it belongs to Github.. Since Github uses more specific subnet I would pick them. But anyway there is something strange going on, outside reach of Check Point. Check Point uses 3d party info to fill the tables. And if both tables claim the ip is for them what can you do 🙂

Here you can find that Github uses 52.113.83.0/24

https://api.github.com/meta

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
JaAnd
Participant
Monday

Hi,

from my experience in the case of MS products AppCtr definitions seems to be more accurate than UO. 

Microsoft has lots of those networks to use:

https://search.arin.net/rdap/?query=52.113.83.0

0 Kudos
the_rock
Legend
Legend
Monday

Can you run command -> dynamic_objects -uo "whatever name of github updatable object"

Andy

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
Tuesday
In response to the_rock

Hello, 

well yes:
the thing is ... both Updateable Objects contain both subnets ... based on my policy it sometimes matches the subnet on "Microsoft Teams Worldwide" then on "GitHub Services"


[Expert@XXXXXXXXXXXX:0:ACTIVE]# dynamic_objects -uo "GitHub Services" | grep 52.113
range 1037 : 52.113.9.0 52.113.9.255
range 1038 : 52.113.12.0 52.113.12.255
range 1039 : 52.113.16.0 52.113.31.255
range 1040 : 52.113.37.0 52.113.63.255
range 1041 : 52.113.69.0 52.113.69.255
range 1042 : 52.113.83.0 52.113.83.255
range 1043 : 52.113.85.0 52.113.86.255
range 1044 : 52.113.112.0 52.113.127.255
range 1045 : 52.113.129.0 52.113.130.255
range 1046 : 52.113.135.0 52.113.151.255
range 1047 : 52.113.160.0 52.113.191.255
range 1048 : 52.113.198.0 52.113.199.255
range 1049 : 52.113.205.0 52.113.206.255
range 1050 : 52.113.208.0 52.113.223.255

[Expert@XXXXXXXXXXXX:0:ACTIVE]# dynamic_objects -uo "Microsoft Teams Worldwide" | grep 52.1
range 0 : 52.112.0.0 52.115.255.255
range 1 : 52.122.0.0 52.123.255.255

when it matches on Github it results in a drop ... because the existing Github Rule does not contain the services used for MS Teams and the packet matches again on the CleanUP rule ... sure i could move around some rules ... but i consider this as a flaw .. 

the_rock
Legend
Legend
Tuesday
In response to Thomas_Eichelbu

I totally agree, it is flaw in my view as well. Did you contact TAC about it?

Andy

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to Thomas_Eichelbu

I also tried grepping for teams with that command, but nothing came up, but those IPs definitely match.

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
Tuesday
In response to the_rock

Well yes, i bet its time to contact TAC.
i will keep you informed...

 

 

the_rock
Legend
Legend
Tuesday
In response to Thomas_Eichelbu

Thanks so much Thomas, Im also super curious about this.

Andy

0 Kudos
PhoneBoy
Admin
Admin
Tuesday
In response to Thomas_Eichelbu

We use the information provided by the relevant vendor for our Updatable Objects.
If there are errors in that data...

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to PhoneBoy

@PhoneBoy I suppose no way around it other than modifying the rules?

Andy

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
Wednesday
In response to the_rock

Hello Guys, 

well i see NO reason to change any rules, because the policy matching, or lets say, which Updateable Object the FW chooses for policy matching is changing from session to session.

take a look:
my logging resulsts, during a MS teams call.
SRC: 10.10.42.68 and DST: 52.113.83.112
sometimes accept, sometimes drop.
Logs1.png

 

fist the accept, it matches on MS Teams ...

logs2.png

then the drop:
same SRC & same DST. just new SRC port, so lets say a new connection ...
but is says Github this time ... 
Log3.png

lets see what TAC can do here, since the firewall changes its match on the DST IP from time to time.

0 Kudos
the_rock
Legend
Legend
Wednesday
In response to Thomas_Eichelbu

I agree with you, rules look fine.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top