Re: Dynamic Objects in R80.10

Gaurav_Pandya · ‎2017-10-26

Hi All,

I came to know the feature of R80.10 that we can make the dynamic objects for Microsoft services and others.

Prerequisite for both Mgmt and Gateway : R80.10 with Take 24 HFA.

Configuration

In SmartConsole, go to the Objects Explorer (in the upper right corner).
Click on the .. button - go to the More menu - go to the Network Object menu - go to the Dynamic Objects menu - click on the Dynamic Object...:

Name the dynamic object with the specific Office365 service name as specified in the table below (Important Note: The names are case sensitive).

Description of Office 365 service	Name of Check Point Dynamic Object	Name in Microsoft feed
All Office 365 services	CP_MS_Office365	-
Exchange Federation	CP_MS_EX-Fed	EX-Fed
Exchange Online	CP_MS_EXO	EXO
Exchange Online Protection	CP_MS_EOP	EOP
Microsoft Digital Note	CP_MS_OneNote	OneNote
Microsoft Teams	CP_MS_Teams	Teams
Office for iPad	CP_MS_OfficeiPad	OfficeiPad
Office Mobile	CP_MS_OfficeMobile	OfficeMobile
Office Online	CP_MS_WAC	WAC
Office 365 Authentication and Identity	CP_MS_Identity	Identity
Office 365 Certificate Revocation Lists	CP_MS_CRLs	CRLs
Office 365 Portal and shared	CP_MS_o365	o365
Office 365 ProPlus	CP_MS_ProPlus	ProPlus
Office 365 Video and Microsoft Streams	CP_MS_Office365Video	Office365Video
Office 365 Yammer	CP_MS_Yammer	Yammer
Office 365 Sway	CP_MS_Sway	Sway
Remote Connectivity Analyzer	CP_MS_RCA	RCA
SharePoint Online and OneDrive for Business	CP_MS_SPO	SPO
Skype for Business Online	CP_MS_LYO	LYO
Task Management for Teams	CP_MS_Planner	Planner

Create the relevant access policy rule.

Publish the session and install the policy.

Mike_Buglass · ‎2017-10-27

Are these really defined automatically? Values for dynamic objects are defined on gateways, and while this could be done with a script I can't find any documentation or announcement about it being provided by Checkpoint (and I would expect to find something in the release notes). Has someone at your site written a script to create these objects?

I don't have access to an R80.10 gateway to check

PhoneBoy · ‎2017-10-27

On my gateways, these objects are not defined yet (I'm running a later JHF).

I know that there is a plan to make something like this available soon, as has been discussed in several threads on CheckMates.

I will see if I can get an update on the current status of this.

Gaurav_Pandya · ‎2017-10-30

Hi,

Actually We have asked Checkpoint for this type of scenarios as one of customer is looking. We got the above answer. Still sk is in internal and not published yet. Below is the information about sk.

Solution ID	sk119562
Product	Security Gateway
Version	R80.10
OS	Gaia
Platform / Model	All
Access Level	Internal

PhoneBoy · ‎2017-10-30

That's because it is currently in private EA.

If you're interested, please contact your local Check Point SE.

Lars_Gosebrink · ‎2018-02-22

very usefull feature. Is this working in R80.10?

PhoneBoy · ‎2018-02-22

Yes, but it requires a special fix that's not generally available.

As noted above, please contact your local Check Point SE.

2e15242e-6b6a-4 · ‎2018-11-08

hi All.

Is this URL Forwarding?

PhoneBoy · ‎2018-11-08

What do you mean by URL Forwarding?

Phil_Haddy · ‎2018-11-21

Hi

Have found out the following recently when attempting to use dynamic objects for Office 365

Currently dynamic objects are only supported in R80.10 JHF Take 121 with an additional hot-fix that adds support for the Check Point feed.

The hot-fix is available for the current JHF (Take 154), but needs a RFE to be raised so R&D will test and support - which is absolute rubbish given the vulnerabilities/features that have been fixed addressed from Take 121 to 154

TAC advise that you upgrade to R80.20 (again - a rubbish response)

PhoneBoy · ‎2018-11-21

The internal SK that discusses this hotfix says you should be able to get it for R80.10 JHF 154 as of a few days ago.

Please PM me the SR you opened with TAC on this.

Shahar_Grober · ‎2019-05-13

Do updatable objects supported also on later HF (I am running with JHF Take 189)?

Phil_Haddy · ‎2018-11-21

Hi Damon

The SR is 3-0633516431, but I think I may have to go back and edit my post (again). It may be the case that we requested the hotfix for Take 154 to enable the dynamic object feeds and that is why it was released a few days ago, but we are running an R80.10 VSX environment. So our issue is that it can be installed but it hasn’t been tested with VSX so there is no support.

Any help is appreciated.

PhoneBoy · ‎2018-11-21

Be careful when you use email to reply as it included your email signature with your full contact details.

The SK seems to indicate different information, and I'll have to investigate further.

PhoneBoy · ‎2018-11-24

Just to clarify, there are two functions provided by this hotfix:

Dynamic Objects for Office 365 in the Access Policy, which is provided natively in R80.20 (see: Microsoft Office 365 objects as Network Objects in R80.20).
Dynamic Objects for Office 365 in the HTTPS Inspection policy, which is NOT in R80.20 and requires a special hotfix to achieve in R80.10. We do plan to provide this in the product natively (post R80.20) thru allowing use of Updatable Objects in the HTTPS Inspection policy, but the timelines for this have not been finalized.

To further clarify, this particular hotfix is also a customer-release, meaning it was built and tested for a specific customer environment.

We do make these available to other customers through your local Check Point office only if they meet the same requirements.

Ted_Serreyn · ‎2019-11-15

Is there any update on using these dynamic/updatable objects in https inspection?

Is it in R80.30? R80.40 EA?

Hitting an issue with skype and response was to bypass all the Microsoft ip ranges, bit more than I was expecting.

Tomer_Sole · ‎2018-11-24

TAC advise that you upgrade to R80.20 (again - a rubbish response)

To add to Dameon's point, in this case, TAC had a valid point!

In R80.20 there's a solution that is easier to use, reduces time maintaining it by end users, and in maintrain - therefore you will receive all future stability fixes unlike the special dynamic object release of R80.10.

Even if you don't have plans to migrate to R80.20 right now, I recommend that you at least prepare and experiment with a lab environment or the Cloud Demo Mode.

See more benefits of R80.20 here: Check Point R80.20 Demo TechTalk and Q&A

ADM_DB · ‎2018-12-01

Thank you for clarification
can we use this as an object in "vpn domain" networks group in order to route all O365 traffic through the vpn tunnel ( split tunnel )?

PhoneBoy · ‎2018-12-02

Neither of these solutions provide this functionality.

That said, I believe you can leverage route-based VPNs for this.

David_Brodin · ‎2019-03-06

Is there a reason our updatable object list does not include that specific list of o365 services/servers?

Afaik they are published on MS' page of domains/IP-addresses.

Running r80.20 mgmt with take 33 jumbo.

PhoneBoy · ‎2019-03-06

As the list comes from the cloud, everyone should see the same thing.

What do you see?

David_Brodin · ‎2019-03-06

I agree, I should be seeing the same list. We would like to use "Microsoft Teams Servers" from Tomers list for instance. Although a lot can change in 3months, since Teams exist in MS' feed I'm surprised it's not in CP's list (anymore):

PhoneBoy · ‎2019-03-07

Depending on where I look, I get different results.

In Demo Mode, I see everything:

On my own R80.20 Management, I see the same list you do.

It's probably worth a TAC case.

Oscar_Figueruel · ‎2020-03-10

Hello,

We are running R80.30 JHF111 on the MGMT and Gateway Site, and looking at the updatable objects, I am not able to see the same cloud services as you.

Could you please clarify what is happening and why we get random updatable objects?

Thank you in advance.

Hugo_vd_Kooij · ‎2019-03-07

By all means let us know if you open the TAC case. I can safely say that the demo mode is not what I have in the lab or what I see when I login at R80.20 firewalls of customers.

David_Brodin · ‎2019-03-08

Thanks for feedback Dameon Welch-Abernathy‌ & Hugo van der Kooij‌.

I've created 6-0001542837, although late in the day so I didn't have a chance to add anything until the day was over.

David_Brodin · ‎2019-04-30

@David_Brodin wrote:
Thanks for feedback Dameon Welch-Abernathy‌ & Hugo van der Kooij‌.
I've created 6-0001542837, although late in the day so I didn't have a chance to add anything until the day was over.

A bit late, just remembered this topic 🙂

I received an official statement from R&D:

Microsoft O365 has changed their feed and their object structure. This is why the objects in the picker were changed.
R80.20 Demo mode shows the old O365 packages and does not actually connect to the feed.
That is why we see a different state in the Demo.

DBC · ‎2019-03-13

So is Dynamic Objects in R80.10 change its name in R80.20 to Updatable objects?

from what was published (and it's not that much) they have the same fundamental description just with different name.

is that correct?

PhoneBoy · ‎2019-03-13

The main difference between the objects are:

Dynamic Objects are updated from the local gateway using the dynamic_objects CLI command
Updatable Objects are updated from the Check Point Cloud

They are different object types.

Kamiar_Sh

do I need to have manually NAT policy from LAN to Office 365?