Updatable Objects
Solution

An updatable object is a network object that represents an external service, such as Office 365, AWS, GEO locations and more. External service providers publish lists of IP addresses, domains, or both, so that customers can allow access to their services. These lists change over time. Updatable objects derive their contents from the providers' published lists, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list; there is no need to install policy for the updates to take effect. An updatable object can be used in the Source and Destination columns of the Access Control policy.

Starting from R80.20, updatable objects are supported in the Access Control Rule Base (the main Rule Base).

Starting from R80.40, updatable objects are supported in the HTTPS Inspection Rule Base.

Starting from R81, updatable objects are supported in the NAT Rule Base.

The table below shows the currently supported external services for updatable objects. To request an updatable object for an external service that does not appear in the table, submit a Request for Enhancement.

Feed: Amazon Web Services (AWS)
Description: Amazon Web Services (AWS) is a collection of remote computing services (also called web services) that together make up a cloud computing platform offered over the Internet by Amazon.
Source: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Feed: Azure
Description: Microsoft Azure is a collection of cloud computing services created by Microsoft, such as Azure SQL, Storage, Traffic Manager, Cloud, Cosmos DB, Event Hub, Key Vault and Service Bus. Azure is divided into three areas, each with its own published list:
Source (Public): https://www.microsoft.com/en-us/download/details.aspx?id=56519
Source (China): https://www.microsoft.com/en-us/download/details.aspx?id=57062
Source (US Government): https://www.microsoft.com/en-us/download/details.aspx?id=57063

Feed: Box
Description: Box is a cloud content management and file sharing service for businesses. Official clients and apps are available for Windows, macOS, and several mobile platforms.
Source: https://support.box.com/hc/en-us/articles/360043696434-Configuring-A-Firewall-For-Box-Applications

Feed: Check Point
Description: The list of domains of Check Point's online security services. See sk83520.

Feed: Citrix
Description: The FQDNs that the Citrix Cloud Connector must be allowed to reach.
Source: System and Connectivity Requirements | Citrix Cloud

Feed: Dropbox
Description: Dropbox is a file hosting service that offers cloud storage, file synchronization, personal cloud and client software.
Source: https://help.dropbox.com/accounts-billing/security/official-domains

Feed: GEO Locations
Description: The Geo database is downloaded from MaxMind, a provider of IP intelligence and online fraud prevention tools. MaxMind maps IP addresses to location data. The server downloads the updated database from MaxMind weekly. See sk126172.

Feed: GitHub
Description: GitHub is a provider of Internet hosting for software development and version control using Git.
Source: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses

Feed: Google
Description: Google Cloud Platform and Google G Suite services publish their IP addresses in Google's SPF records, which are updated dynamically.
Source: https://support.google.com/a/answer/10026322
Source: https://cloud.google.com/compute/docs/faq#networking

Feed: HTTPS
Description: For some well-known HTTPS services, HTTPS Inspection cannot establish trust between the client and the Security Gateway and is therefore unable to inspect the traffic. This object lets you bypass those services to avoid connectivity issues; traffic to them is then not subject to HTTPS Inspection. See sk163595.

Feed: Intune
Description: Microsoft Intune is a cloud-based service that focuses on mobile device management and mobile application management.
Source: https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints

Feed: McAfee
Description: McAfee is an American global computer security software company. See KB87232.

Feed: Microsoft Defender
Description: The content of this object is the set of IP addresses and domains used by Microsoft Defender. Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response.
Source: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/?view=o365-worldwide

Feed: Microsoft Dynamics CRM
Description: Dynamics Customer Relationship Management (CRM) is a system for managing a company's interactions with current and future customers, using technology to organize, automate, and synchronize sales, marketing, customer service, and technical support.
Source: https://support.microsoft.com/en-us/topic/microsoft-dynamics-crm-online-ip-address-ranges-0b22a844-e61d-443b-482f-945de79f764d

Feed: Office365
Description: Microsoft Office 365 cloud services, such as Skype for Business Online and Exchange Online, are commonly used by organizations. Office365 is divided into four areas: Third Party Domains, US Government DoD Services, GCC High Services and Worldwide Services.
Source: https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide

Feed: Okta
Description: Okta is a cloud identity management service that connects any person with any application on any device.
Source: https://help.okta.com/en/prod/Content/Topics/Security/Firewall_Whitelisting.htm

Feed: Quantum Spark Smart Accel
Description: Improves connectivity and optimizes the load on the Quantum Spark Security Gateway. Once enabled, traffic enforcement is accelerated for selected services.
Note: Firewall and logging activity are not affected. Smart Accel is currently in EA and is supported only on locally managed Gaia Embedded appliances / Quantum Spark Security Gateways running R81.10 and higher.

Feed: Salesforce
Description: The content of this object is the set of Salesforce IP addresses. Salesforce provides a customer relationship management service and enterprise applications focused on customer service, marketing automation, analytics, and application development.
Source: https://help.salesforce.com/s/articleView?id=000321501&type=1

Feed: SAP
Description: The content of this object is the list published by SAP. SAP develops enterprise software to manage business operations and customer relations and is especially known for its ERP software.
Source: https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/d722f7cea9ec408b85db4c3dcba07b52.html

Feed: Webex
Description: Webex provides on-demand collaboration, online meeting, web conferencing and videoconferencing applications.
Source: https://help.webex.com/en-us/WBX000028782/Network-Requirements-for-Webex-Services#id_135011

Feed: Zoom
Description: Zoom is an enterprise video communications provider with a cloud platform for video and audio conferencing across mobile devices, desktops, telephones and room systems.
Source: https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom

Feed: Zscaler
Description: Zscaler is a cloud-based information security company that provides secure access to locally hosted and external applications.
Source: https://config.zscaler.com/zscaler.net/cenr
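As an added illustration of what such a provider list looks like and what the gateway derives from it (this is example code written for this page, not part of the article and not Check Point's implementation): the AWS feed listed above is a JSON file whose entries carry a prefix, a region and a service tag. The script below parses a constructed excerpt in that layout, filters it the way a service-specific object would, checks whether a given address falls inside the resulting object, and diffs two snapshots to show what a provider-side update adds or withdraws. The prefix values, the second snapshot and the function names are illustrative assumptions.

```python
import ipaddress
import json

# Constructed excerpt in the layout of the AWS ip-ranges.json file (illustrative
# values only, not a real download; the live file has thousands of entries).
SAMPLE_FEED = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1",
         "service": "S3", "network_border_group": "eu-west-1"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2",
         "service": "AMAZON", "network_border_group": "ap-northeast-2"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2",
         "service": "EC2", "network_border_group": "ap-northeast-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})

# A second constructed snapshot (one prefix withdrawn, one added) to show what a
# provider-side update changes in the object the gateway enforces.
UPDATED_FEED = json.dumps({
    "syncToken": "1700100000",
    "createDate": "2024-01-08-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1",
         "service": "S3", "network_border_group": "eu-west-1"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2",
         "service": "AMAZON", "network_border_group": "ap-northeast-2"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2",
         "service": "EC2", "network_border_group": "ap-northeast-2"},
        {"ip_prefix": "18.34.0.0/19", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [],
})


def load_prefixes(raw_json, service=None, region=None):
    """Return the set of networks in the feed, optionally filtered by AWS
    service tag (e.g. "S3") and/or region. AWS lists the same prefix once per
    service it carries, so the "AMAZON" entries are a superset of the rest."""
    data = json.loads(raw_json)
    nets = set()
    for entry in data.get("prefixes", []) + data.get("ipv6_prefixes", []):
        if service is not None and entry["service"] != service:
            continue
        if region is not None and entry["region"] != region:
            continue
        cidr = entry.get("ip_prefix") or entry["ipv6_prefix"]
        nets.add(ipaddress.ip_network(cidr, strict=True))
    return nets


def matching_prefixes(nets, ip):
    """All networks in `nets` that contain `ip`, most specific first.
    An IPv4 address never matches an IPv6 network and vice versa."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return sorted(hits, key=lambda n: n.prefixlen, reverse=True)


def would_match(nets, ip):
    """True if a rule using this object would match traffic to/from `ip`."""
    return bool(matching_prefixes(nets, ip))


def diff_feeds(old_raw, new_raw, service=None, region=None):
    """Prefixes that a provider update adds to / removes from the object."""
    old = load_prefixes(old_raw, service, region)
    new = load_prefixes(new_raw, service, region)
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    aws_all = load_prefixes(SAMPLE_FEED)
    print("3.5.141.7 in AWS object:", would_match(aws_all, "3.5.141.7"))
    print("8.8.8.8 in AWS object:", would_match(aws_all, "8.8.8.8"))
    added, removed = diff_feeds(SAMPLE_FEED, UPDATED_FEED)
    print("added:", [str(n) for n in added], "removed:", [str(n) for n in removed])
```

The diff is the part worth keeping around: because the gateway picks up provider changes without a policy install, comparing two snapshots of a feed is the only way to see what an allow rule built on the object started or stopped matching on a given day.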



Notes

  • This feature is supported only on R80.20 and higher Security Gateways.
  • Updatable objects are not supported in the HTTPS Inspection policy in R80.20 and R80.30.
    In R80.40 and higher, updatable objects are supported in the HTTPS Inspection and Threat Prevention policies as well.
  • The DNS servers configured on the Security Gateway must be the same ones the endpoints use. Otherwise the IP addresses the gateway resolves for a domain can differ from the ones the clients actually connect to, and the IP-to-domain mapping will not match.
  • After a change of DNS servers, the WSDNSD process must be restarted so that it uses the new DNS servers.
  • Updatable objects can be used in the NAT Rule Base starting from R81 (both the Security Management Server and the Security Gateway must be R81 or higher).
  • The Security Gateway and the Security Management Server must have connectivity to updates.checkpoint.com and dl3.checkpoint.com to download the package. There are different packages for the Security Gateway and for the Management Server; both are downloaded directly from the Check Point Download Center.
  • Updatable objects are supported on VSX. Each Virtual System configured with updatable objects must also have connectivity to updates.checkpoint.com and dl3.checkpoint.com.
  • To check connectivity, run curl_cli on the gateway (the bundled CA file lets it validate the Check Point server certificate):
    # curl_cli --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl
  • Updatable objects are supported on Gaia Embedded in versions R80.20.15 and higher.

New updatable objects are added on a monthly basis. Creation of updatable objects is driven by common requests from customers to allow access to third-party services.
Suggestions for additional updatable objects can be submitted in the "Give us Feedback" section of the SecureKnowledge article, with the following information, which is reviewed by R&D (responsible for adding new updatable objects). The most common suggestions get the highest priority:
• Service name.
• Link to the public content (IP addresses / domains) maintained by the vendor.
• Whether the service is currently used in your policy.

Updatable objects are predefined objects maintained by Check Point.


Usage

In the Access Control policy, click the '+' button in the Source or Destination column, choose Import > Updatable Objects, and then select the relevant service.
Troubleshooting

1. Issues with importing Updatable Objects in SmartConsole: refer to sk122636.
2. If the Updatable Objects package is missing on the Security Gateway, make sure the Security Gateway has access to the Download Center and follow these steps:
  1. DNS server(s) must be configured and reachable from the Security Gateway.
  2. If required, a proxy server must be configured (in SmartConsole) and reachable from the Security Gateway.
  3. Run on the Security Gateway: unified_dl UPDATE ONLINE_SERVICES
  4. Verify that the response is: Request was completed successfully.
  5. Look for the last_revision.xml file under $CPDIR/database/downloads/ONLINE_SERVICES/1.0/
  6. If it exists, the Online Services package is now on the Security Gateway and you can install policy.
  7. If last_revision.xml is missing, contact Check Point Support to troubleshoot why the file is not being downloaded.
  8. Reboot.

Scenario - Office365 updatable object allowing additional domains

When the "Office365 Services" updatable object is used in a policy rule, traffic to other domains, such as Facebook, also matches this rule. This happens because "Office365 Services" includes the "Office365 Third Party Domains" object, which contains the third-party domains that Microsoft publishes together with its own.
To review the full list of third-party domains, run the following command on the gateway that enforces the object (note: this list is updated dynamically by Microsoft):
# domains_tool -uo "Office365 Third Party Domains"

Solution:
Add a rule that blocks the "Office365 Third Party Domains" updatable object above the rule that allows "Office365 Services". To block only specific domains instead of the whole third-party list:
1. Check the logs to find which domain was allowed by the "Office365 Services" updatable object.
2. Find the existing URL object for that domain, or create a domain object for it.
3. Use that object in a block rule placed above the allow rule.
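As an added example (written for this page, not from the article and not a Check Point tool), the log-review step of the scenario worked in Python: a constructed domain list in the spirit of the domains_tool output for the two Office365 objects, a constructed log extract in a simple key=value layout (not the Check Point log schema), and a matcher that reports which accepted destinations matched the allow rule only through the third-party list, i.e. the candidates for the block rule. The wildcard semantics used here (an entry "*.x" matching x and its subdomains) are an assumption of the example, not a statement of how the gateway matches.

```python
import re
from collections import defaultdict

# Constructed entries in the style of `domains_tool -uo` output for two
# Office365 objects. Illustrative only; the live Microsoft lists differ.
FEEDS = {
    "Office365 Worldwide Services": [
        "*.office365.com", "outlook.office.com", "*.sharepoint.com",
    ],
    "Office365 Third Party Domains": [
        "*.facebook.com", "*.fbcdn.net", "*.youtube.com", "*.akamaized.net",
    ],
}

# Constructed log records in a key=value layout (illustrative, not the
# Check Point log schema). "Allow-O365" is the rule using "Office365 Services".
SAMPLE_LOGS = """\
time=2024-01-01T10:00:01 src=10.1.1.5 dst=52.96.0.10 dst_domain=outlook.office.com action=Accept rule=Allow-O365
time=2024-01-01T10:00:02 src=10.1.1.7 dst=157.240.0.35 dst_domain=www.facebook.com action=Accept rule=Allow-O365
time=2024-01-01T10:00:03 src=10.1.1.9 dst=142.250.0.1 dst_domain=www.youtube.com action=Accept rule=Allow-O365
time=2024-01-01T10:00:04 src=10.1.1.9 dst=93.184.216.34 dst_domain=example.com action=Drop rule=Cleanup
time=2024-01-01T10:00:05 src=10.1.1.5 dst=13.107.0.1 dst_domain=contoso.sharepoint.com action=Accept rule=Allow-O365
time=2024-01-01T10:00:06 src=10.1.1.7 dst=157.240.0.36 dst_domain=www.facebook.com action=Accept rule=Allow-O365
"""


def domain_matches(name, pattern):
    """Assumption for this example: '*.x' matches x itself and any subdomain
    of x; an entry without a wildcard is an exact, case-insensitive match."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def matching_feeds(name, feeds=FEEDS):
    """Names of all objects whose list contains `name`."""
    return sorted(obj for obj, entries in feeds.items()
                  if any(domain_matches(name, p) for p in entries))


def parse_log(line):
    """Split a key=value record into a dict (constructed layout)."""
    return {k: v for k, v in re.findall(r"(\w+)=(\S+)", line)}


def third_party_hits(log_text, rule="Allow-O365", feeds=FEEDS,
                     third_party="Office365 Third Party Domains"):
    """{domain: count} of connections accepted by `rule` whose destination
    matched only the third-party list, i.e. candidates for a block rule."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec.get("rule") != rule or rec.get("action") != "Accept":
            continue
        if matching_feeds(rec["dst_domain"], feeds) == [third_party]:
            hits[rec["dst_domain"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for domain, count in sorted(third_party_hits(SAMPLE_LOGS).items()):
        print(f"{domain}: {count} accepted via third-party list")
```

The output is the list to turn into domain objects for the block rule; anything that also matches a Microsoft-owned list is deliberately left out, since blocking it would break the service the allow rule exists for.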
