CPUG: The Check Point User Group


Thread: Best practice for outgoing traffic for specific service (eg. Office 365)

  1. #1
    Join Date
    2016-09-26
    Posts
    1
    Rep Power
    0

    Default Best practice for outgoing traffic for specific service (eg. Office 365)

    Hi,

    this is a very common problem, but I still have no idea what is the best way to accomplish this in Checkpoint world. Let's take Office 365 as an example:

    - We need to grant access to SMTP(S) and IMAP(S) for Office 365 on the internet
    - The documentation of MS says: Open port xyz to host outlook.office365.com (which returns more than one ip, geo/dynamic DNS)
    - There are NO proper reverse (PTR) dns records, so Checkpoint domain object will not work

    From my Fortinet experience, there you could use an FQDN object which is periodically resolved by the firewall to IP addresses. But how to do it on Checkpoint?

    Is there any way to solve this other than getting all Microsoft Office 365 subnets, creating proper objects and maintaining the objects?

    Unfortunately there is nothing available on the application blade for O365 IMAP/SMTP, only http(s) as I understand.

    Regards
    Markus

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Best practice for outgoing traffic for specific service (eg. Office 365)

    Domain objects in R80.10 should support this use case.

    Meanwhile, you can use a dynamic object that's auto-populated based on DNS: https://bitbucket.org/chkp/dynobj/overview
    Note this disables SecureXL connection templates so you want to put rules with these objects near the bottom of your rulebase.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Default Re: Best practice for outgoing traffic for specific service (eg. Office 365)

    Quote Originally Posted by PhoneBoy:
    > Domain objects in R80.10 should support this use case.
    >
    > Meanwhile, you can use a dynamic object that's auto-populated based on DNS: https://bitbucket.org/chkp/dynobj/overview
    > Note this disables SecureXL connection templates so you want to put rules with these objects near the bottom of your rulebase.

    Can you detail this option a bit more? What should be configured on the SmartDashboard side on R77.20?

  4. #4
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Best practice for outgoing traffic for specific service (eg. Office 365)

    Quote Originally Posted by laf_c:
    > Can you detail this option a bit more? What should be configured on the SmartDashboard side on R77.20?

    @phoneboy: Can you elaborate on how R80 should be able to support this? Are you referring to the domain objects? Are you saying that in R80, Checkpoint domain objects will work without requiring proper PTR records?

  5. #5
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Best practice for outgoing traffic for specific service (eg. Office 365)

    Quote Originally Posted by laf_c:
    > Can you detail this option a bit more? What should be configured on the SmartDashboard side on R77.20?

    Dynamic Objects are just an object type in SmartDashboard, a placeholder, if you will.
    The actual configuration for the object (i.e. what the dynamic object resolves to) is configured on the Security Gateway itself using the dynamic_objects CLI command.
    There are a handful of Dynamic Objects that are built in and auto-populated (e.g. LocalMachine, LocalMachine_All_Interfaces, DShield).

    The referenced script provides a way to manipulate specific dynamic objects using forward lookup DNS names.
    The script itself can run from anywhere that meets the requirements for the script.
    However, the script will log into the Security Gateway to make the appropriate changes.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
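    The mechanism described above (forward DNS lookups feeding a gateway-side dynamic object) can be sketched in a few lines. The following is an added example written for this thread, not the chkp/dynobj script and not Check Point code. It assumes the gateway command form `dynamic_objects -o <obj> -r <from> <to> -a|-d` (add/delete a single-address range), which should be checked against the documentation for your release; the object name `o365_mail` and all IP addresses are placeholders. The resolver is injectable so the planning logic can be exercised offline, and an empty resolution (DNS outage) is treated as "change nothing" rather than "remove everything", since the latter would silently break the mail flow the object exists to permit.

```python
"""Plan a forward-DNS refresh of a Check Point dynamic object (added example).

Assumptions (not from the thread): the gateway-side syntax
  dynamic_objects -o <obj> -r <from> <to> -a   (add range)
  dynamic_objects -o <obj> -r <from> <to> -d   (delete range)
is assumed from the CLI and must be verified for your release. The state of
the previous run (the set of addresses currently in the object) has to be
persisted by the caller between runs so stale addresses can be removed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Tuple

Resolver = Callable[[str], Iterable[str]]


def resolve_forward(fqdn: str) -> List[str]:
    """Forward-resolve an FQDN to its IPv4 addresses via the system resolver.

    Run this on (or with the same DNS view as) the gateway: a split-horizon
    or geo-aware DNS can answer differently for a workstation.
    """
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def resolve_all(fqdns: Iterable[str], resolver: Resolver) -> Set[str]:
    """Union of the current answers for every FQDN, validated as IPv4 literals."""
    wanted: Set[str] = set()
    for name in fqdns:
        for ip in resolver(name):
            try:
                wanted.add(str(ipaddress.IPv4Address(ip)))
            except ValueError:
                continue  # ignore anything that is not a valid IPv4 literal
    return wanted


def plan_update(current: Set[str], wanted: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) so that the object ends up equal to `wanted`."""
    to_add = sorted(wanted - current, key=ipaddress.IPv4Address)
    to_remove = sorted(current - wanted, key=ipaddress.IPv4Address)
    return to_add, to_remove


def render_commands(obj_name: str, to_add: List[str], to_remove: List[str]) -> List[str]:
    """Render one assumed dynamic_objects command per address change."""
    cmds = [f"dynamic_objects -o {obj_name} -r {ip} {ip} -a" for ip in to_add]
    cmds += [f"dynamic_objects -o {obj_name} -r {ip} {ip} -d" for ip in to_remove]
    return cmds


def refresh(obj_name: str, fqdns: Iterable[str], current: Set[str],
            resolver: Resolver = resolve_forward) -> Tuple[Set[str], List[str]]:
    """Compute the new object contents and the commands that get there.

    If every lookup fails the object is left untouched: emptying it during a
    DNS outage would block the very traffic the rule is meant to allow.
    """
    wanted = resolve_all(fqdns, resolver)
    if not wanted:
        return set(current), []
    to_add, to_remove = plan_update(set(current), wanted)
    return wanted, render_commands(obj_name, to_add, to_remove)


if __name__ == "__main__":
    # Constructed answers (TEST-NET addresses), standing in for real DNS.
    fake_dns = {
        "outlook.office365.com": ["203.0.113.10", "203.0.113.11", "198.51.100.5"],
        "smtp.office365.com": ["198.51.100.5"],
    }
    previous = {"198.51.100.5", "203.0.113.99"}  # state from the last run
    new_state, commands = refresh("o365_mail", fake_dns.keys(), previous,
                                  resolver=lambda n: fake_dns.get(n, []))
    print("\n".join(commands))
```

    Because the answer set for a geo/dynamic name changes from lookup to lookup, this planner converges the object to whatever was answered on this run; if you need to tolerate DNS round-robin churn, keep addresses for a TTL-based grace period before removing them. The SecureXL template caveat from the earlier reply still applies to any rule that references the object.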

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Best practice for outgoing traffic for specific service (eg. Office 365)

    Quote Originally Posted by cciesec2006:
    > @phoneboy: Can you elaborate on how R80 should be able to support this? Are you referring to the domain objects? Are you saying that in R80, Checkpoint domain objects will work without requiring proper PTR records?

    I'm not sure if it will be a new object type or if it will be a flag you have to set on the existing Domain objects.
    Either way, the idea is that there will be a way to create an object using an FQDN, which will resolve to one or more IPs using forward DNS lookups.
    This is expected in R80.10.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
