Markus_Kress
Contributor

updatable objects with wildcard entries

Hi,
we are using updatable objects in our O365 policy.
The updatable object "Office Worldwide Services" includes some wildcard domain entries, e.g. "*.msappproxy.net". We figured out that requests which should match these wildcards do not work.
Should they work? We assume that the gateway does a DNS lookup for every FQDN which is listed in the updatable object and caches it. For wildcard entries this is not possible. Are we right?
Can someone explain how the updatable object mechanism works? Or is there a good article in the knowledgebase?


Accepted Solution
SSlater
Employee

Hi @Jonathan, thanks for your clarification. I had focused on "Can someone explain how the updatable object mechanism works?"

Updatable objects should not have a negative impact on performance like Non-FQDN Domain Objects. We should not consider them equivalents.

If you see degradation, or performance impact when using them, contact TAC.

Regardless of the content of the actual Updatable Object, whether IPs or Domains, fortunately for us, from the FW/traffic perspective, this should not have any difference in behavior. If you see any issues that would constitute "Updatable Objects do not have consistent matching behavior when used in Rulebase", a TAC case should be raised with a similar title.


G_W_Albrecht
Legend
Jonathan
Collaborator

Same question here - I'm thinking about using an updatable object for Zoom, but their list contains *.zoom.us.

I know that it is advised NOT to use non-FQDN Domain Objects in Check Point R80.20, since every packet passing the firewall will be checked with a reverse-DNS lookup and can choke the firewall.

Would that also be the case with updatable objects when a wildcard is present?

I couldn't find any answer to this in the links G_W_Albrecht provided.

Thanks

G_W_Albrecht
Legend
Jonathan
Collaborator

Thanks for those links G_W_Albrecht, I've already read them but still don't have an answer to my question -

Check Point says these updatable objects contain a list of IP addresses and DOMAINS. I've checked Zoom's list and it contains *.zoom.us.

Will the gateway treat this the same as a non-FQDN object and try a reverse lookup for it on every packet?

SSlater
Employee

Hi Markus_Kress,

I think you are looking for Domain Objects. These work like you mention, where the Gateway does a DNS lookup for every FQDN, then caches it.

Updatable Objects work slightly differently, but on the same premise.

Some services do not function with Domain Objects, for various reasons, and we require the Updatable Objects.

These are a dynamic list of IPs that is provided as a service from Check Point. (No special licensing required.)

We work with vendors such as Zoom, Microsoft, and new vendors all the time.

They provide a list of IPs and domains to us. We provide this to you, in the form of an Updatable Object.

We can see in sk163633 -- Updatable Objects for Zoom Services

"Zoom publishes a list of IP ranges and domains which are dynamically updated."


If more granular control is required, you will need to use Domain Objects, or reach out to your local SE, or TAC if this doesn't suit your needs.

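To make the distinction in the reply above concrete, here is a small added model of the three matching mechanisms this thread keeps circling: a pure IP-range match (what an object that is "a dynamic list of IPs" can do without any DNS at connection time), an exact FQDN that is resolved once and cached, and a wildcard entry such as *.zoom.us that can only be matched by a reverse lookup on each connection. This is an illustration written for this page, not Check Point code, and it makes no claim about how the gateway is implemented internally. The feed, the DNS and PTR answers, and all function names are constructed for the example.

```python
# Toy model of IP-list, cached-FQDN and wildcard (reverse-lookup) matching.
# Added illustration only: not Check Point code and not a description of the
# gateway internals. Feed, DNS/PTR data and function names are constructed.
import fnmatch
import ipaddress

# Constructed stand-in for a vendor-published list: IP ranges plus domain
# entries, some of which are wildcards (the shape Jonathan describes for Zoom).
SAMPLE_FEED = {
    "ip_ranges": ["3.7.35.0/25", "13.107.6.152/31", "2603:1006::/40"],
    "domains": ["zoom.us", "*.zoom.us", "*.msappproxy.net"],
}

# Constructed forward (A) answers a gateway would get for the exact names.
FAKE_DNS = {
    "zoom.us": ["3.7.35.10"],
    "outlook.office.com": ["13.107.6.152"],
}

# Constructed reverse (PTR) answers for destination addresses.
FAKE_PTR = {
    "3.7.35.10": "zoom.us",
    "3.7.35.77": "lb77.zoom.us",
    "13.107.6.152": "outlook.office.com",
    "203.0.113.5": "app1.msappproxy.net",
}


def parse_networks(feed):
    """IP-list style object: only the address ranges are usable as networks."""
    return [ipaddress.ip_network(r) for r in feed["ip_ranges"]]


def matches_ip_list(networks, dst_ip):
    """Pure address match; no DNS of any kind at connection time."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in networks)


def split_domains(domains):
    """Exact FQDNs can be resolved up front; wildcard entries cannot."""
    exact = [d for d in domains if not d.startswith("*")]
    wildcards = [d for d in domains if d.startswith("*")]
    return exact, wildcards


def precompute_fqdn_cache(exact_names, resolver):
    """FQDN Domain object model: resolve each name once, cache addr -> name."""
    cache = {}
    for name in exact_names:
        for ip in resolver.get(name, []):
            cache[ipaddress.ip_address(ip)] = name
    return cache


def matches_fqdn_cache(cache, dst_ip):
    """Look the destination up in the pre-resolved cache (name or None)."""
    return cache.get(ipaddress.ip_address(dst_ip))


def matches_wildcard_by_ptr(wildcards, dst_ip, ptr_lookup):
    """Non-FQDN model: a reverse lookup is needed for every call.

    ptr_lookup is any callable ip -> name-or-None; the demo passes a counting
    wrapper so the per-connection cost is visible.
    """
    name = ptr_lookup(dst_ip)
    if name is None:
        return None
    for pattern in wildcards:
        # fnmatch semantics: "*.zoom.us" matches "lb77.zoom.us" but not "zoom.us"
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    return None


def classify_connections(feed, dst_ips, dns=FAKE_DNS, ptr=FAKE_PTR):
    """Run destinations through all three models.

    Returns (results, ptr_lookups): results maps ip -> per-mechanism match,
    ptr_lookups counts the reverse lookups the wildcard path needed.
    """
    networks = parse_networks(feed)
    exact, wildcards = split_domains(feed["domains"])
    cache = precompute_fqdn_cache(exact, dns)
    lookups = 0

    def counting_ptr(ip):
        nonlocal lookups
        lookups += 1
        return ptr.get(ip)

    results = {}
    for ip in dst_ips:
        results[ip] = {
            "ip_list": matches_ip_list(networks, ip),
            "fqdn": matches_fqdn_cache(cache, ip),
            "wildcard": matches_wildcard_by_ptr(wildcards, ip, counting_ptr),
        }
    return results, lookups


if __name__ == "__main__":
    dests = ["3.7.35.10", "3.7.35.77", "203.0.113.5", "198.51.100.1"]
    res, n = classify_connections(SAMPLE_FEED, dests)
    for ip, r in res.items():
        print(ip, r)
    print("reverse lookups performed:", n)
```

The point the model makes: the address 3.7.35.77 is covered by the published range and needs no DNS to match, while 203.0.113.5 is only reachable through the *.msappproxy.net entry, and the only way to decide that per connection is a PTR lookup, which is exactly the cost the non-FQDN warning is about. Whether a given Updatable Object's wildcard entries are backed by ranges in the IP list is something only the feed itself (and TAC) can confirm.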
Jonathan
Collaborator

Hi Stephen,

Thanks for the reply, this is all very clear, but you still did not address Markus_Kress's issue and mine.

Check Point recommends not to use Domain Objects in a non-FQDN setting, which, as I understand it, is kind of the equivalent of a wildcard domain (*.zoom.us).

Updatable Objects also rely on a list of domains which include wildcards.

We want to know how the gateway addresses these wildcard domains and whether they can also have a negative impact on performance like non-FQDN Domain Objects do.

G_W_Albrecht
Legend

This is not true - Updatable Objects are a dynamic list of IPs that is provided as a service from Check Point. So there are no wildcards and these are not Domain Objects - it is always a list of IPs 😎

I do not understand why this is so unclear, although sk131852, sk163633 and sk135572 explain that in detail?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Jonathan
Collaborator

Well, I quote this from the links you've sent:

"External services providers publish lists of IP addresses, or Domains, or both,"

"This Zoom Updatable Object matches a list of IP addresses and domains"

"Each Office 365 Updatable Object matches a list of IP addresses and Domains"

And if you follow the link from Check Point's Import dialog box to Zoom's firewall settings webpage, you can even see that *.zoom.us is part of the list.

This was also the original question of Markus_Kress regarding Office365.

_Val_
Admin

In this context, "domain" means FQDN. @G_W_Albrecht is correct, Updatable Objects contain a list of IP addresses. If you experience any connectivity issue with Updatable Objects, please raise those issues with TAC.

