Quantum Security Gateways
R80.20, R80.30, R80.40, R81, R81.10
An updatable object is a network object that represents an external service, such as Office 365, AWS, GEO locations and more. External service providers publish lists of IP addresses or domains or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect. The updatable object can be used in Access Control policy's source and destination columns.
Starting from R80.20, updatable objects are supported in the Access Control Rule Base (the main rule base).
Starting from R80.40, updatable objects are supported in the HTTPS Inspection (HTTPSi) Rule Base.
Starting from R81, updatable objects are supported in the NAT Rule Base.
These are the currently supported external services for updatable objects:
Amazon Web Services (AWS)
Amazon Web Services (abbreviated AWS) is a collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.
Microsoft Azure is a collection of cloud computing services created by Microsoft, such as Azure SQL, Storage, Traffic Manager, Cloud, Cosmos DB, Event Hub, Key Vault and Service Bus. Azure is divided into three areas:
The Geo database is downloaded from MaxMind, a leading provider of IP Intelligence and online fraud prevention tools. MaxMind provides mapping of location data for IP addresses. The server downloads the updated database from MaxMind on a weekly basis. See sk126172.
GitHub is a provider of Internet hosting for software development and version control using Git.
For some well-known HTTPS services, HTTPS Inspection is unable to establish trust between the client and the Security Gateway and therefore cannot inspect the traffic. If you choose to bypass specific HTTPS services to avoid connectivity issues, the Security Gateway does not perform HTTPS Inspection on them. See sk163595.
Microsoft Intune is a cloud-based service that focuses on mobile device management and mobile application management.
McAfee is an American global computer security software company. See KB87232.
This is a Microsoft Defender object; its content consists of the Microsoft Defender IP addresses and domains. Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response.
The Dynamics Customer Relationship Management (CRM) is a system for managing a company's interactions with current and future customers, using technology to organize, automate, and synchronize sales, marketing, customer service, and technical support.
Microsoft Office 365 cloud services, such as Skype for Business Online, Exchange Online and more, are commonly used by organizations. Office365 is divided into three areas: Third Party Domains, US Government DoD Services and Worldwide Services.
This is a Salesforce object; its content consists of the Salesforce IP addresses. Salesforce provides a customer relationship management service and also provides enterprise applications focused on customer service, marketing automation, analytics, and application development.
This feature is only supported for R80.20 and higher gateways.
Updatable objects are not supported in HTTPS Inspection policy in R80.20 and R80.30. In R80.40, updatable objects are supported in HTTPS and Threat Prevention policies, as well.
For correct matching, the DNS servers configured on the Security Gateway must be the same as those used by the endpoints. Otherwise, the IP-to-domain mapping on the gateway will not match what the endpoints resolve.
If the DNS servers are changed, the WSDNSD process must be restarted so that it uses the new DNS servers.
Updatable objects can be used in the NAT Rule Base starting from R81 on both the Security Management Server and the Security Gateway (both are required).
The Security Gateway and Management must have connectivity to updates.checkpoint.com and dl3.checkpoint.com in order to be able to download the package. There are different packages for the GW and Management, and they are both downloaded directly from Check Point download center.
Updatable objects are supported on VSX, each VS configured with updatable objects must have connectivity to updates.checkpoint.com and dl3.checkpoint.com too.
To check connectivity using curl_cli:
# curl_cli --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl
Updatable Objects are supported on Gaia Embedded in versions R80.20.15 and higher.
New updatable objects are added on a monthly basis. Creation of updatable objects relies on common requests from customers to allow access to 3rd party services. Suggestions for additional updatable objects can be submitted in the "Give us Feedback" section of the SecureKnowledge article, with the relevant information, which is reviewed by R&D (the team responsible for adding new updatable objects). The most common suggestions get the highest priority. Relevant information to include:
Link to public content (IP addresses / Domains) maintained by the vendor.
Is it currently used in my policy?
Updatable objects are predefined objects maintained by Check Point.
Click the '+' button under the Source/Destination column, choose import 'Updatable Objects', and then you can choose the relevant Service (as shown below):
Issues with importing Updatable Objects in SmartConsole: refer to sk122636.
If the Updatable Objects package is missing on the Security Gateway, make sure the Security Gateway has access to the Download Center and follow the steps below:
DNS server(s) must be configured and reachable from the Security Gateway.
If required, Proxy Server should be configured (in SmartConsole) and reachable from the Security Gateway.
Run on your Gateway machine: unified_dl UPDATE ONLINE_SERVICES
Verify that the response is: Request was completed successfully.
Check for the last_revision.xml file under $CPDIR/database/downloads/ONLINE_SERVICES/1.0/
If it exists, you now have the Online Services package on your Gateway and can run policy installation.
If the last_revision.xml file is missing, please contact support. We will need to troubleshoot why this file is not downloading properly.
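The procedure above, as an added example script that is not part of this article: it chains the DNS check, the Download Center connectivity check, the unified_dl run and the last_revision.xml check into one diagnostic. The command names and paths (curl_cli, unified_dl, $CPDIR, the ONLINE_SERVICES directory) are those given in the article; the helper function names, the RUN_UO_CHECK switch and the use of nslookup for the DNS check are this example's own assumptions.

```bash
#!/bin/bash
# Added example: diagnose the Updatable Objects (ONLINE_SERVICES) package on
# a Security Gateway. CPDIR is assumed to be set by the Check Point shell
# environment; function names and RUN_UO_CHECK are this example's own.
PKG_DIR="${CPDIR}/database/downloads/ONLINE_SERVICES/1.0"
META_URL="https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl"

# Step 1: DNS must be configured and able to resolve the download hosts
# (nslookup assumed available on the gateway).
dns_resolves() {
    nslookup "$1" >/dev/null 2>&1
}

# Step 2: the Download Center must be reachable (same curl_cli check as
# the article; any proxy comes from the SmartConsole configuration).
download_center_reachable() {
    curl_cli --cacert "$CPDIR/conf/ca-bundle.crt" -f -s -o /dev/null "$META_URL"
}

# Steps 3-4: unified_dl output is taken as an argument so the success
# string ("Request was completed successfully") can be checked offline.
update_succeeded() {
    case "$1" in
        *"Request was completed successfully"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 5: the package is present when last_revision.xml exists.
package_present() {
    [ -f "$1/last_revision.xml" ]
}

main() {
    for host in updates.checkpoint.com dl3.checkpoint.com; do
        dns_resolves "$host" || { echo "DNS cannot resolve $host"; exit 1; }
    done
    download_center_reachable || { echo "cannot reach $META_URL"; exit 1; }
    out="$(unified_dl UPDATE ONLINE_SERVICES 2>&1)"
    update_succeeded "$out" || { echo "unified_dl failed: $out"; exit 1; }
    if package_present "$PKG_DIR"; then
        echo "Online Services package present; policy can be installed"
    else
        echo "last_revision.xml missing under $PKG_DIR; contact support"
        exit 1
    fi
}

# Live checks run only when explicitly requested: RUN_UO_CHECK=1 ./script.sh
if [ "${RUN_UO_CHECK:-0}" = "1" ]; then main; fi
```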
When the "Office365 Services" updatable object is used in a policy rule, traffic to other domains, such as Facebook, also matches this rule. This happens because "Office365 Services" includes "Office365 Third Party Domains", which contains third-party domains that Microsoft uses. To review the full list of third-party domains, run the following command on the gateway that enforces the services object (Note: this list is dynamically updated by Microsoft):
# domains_tool -uo "Office365 Third Party Domains"
Solution: add another rule that blocks the "Office365 Third Party Domains" updatable object above the allow rules:
Check the log to find out which domain is allowed by the "Office365 Services" updatable object.
Find the existing URL object for that domain, or create a Domain object for it.
Use the new object and setup a block rule for it.