Best practice for outgoing traffic for specific service (eg. Office 365)

[coyote]

Hi,

this is a very common problem, but I still have no idea what is the best way to accomplish this in Checkpoint world. Let's take Office 365 as an example:

- We need to grant access to SMTP(S) and IMAP(S) for Office 365 on the internet
- The documentation of MS says: Open port xyz to host outlook.office365.com (which returns more than one ip, geo/dynamic DNS)
- There are NO proper reverse (PTR) dns records, so Checkpoint domain object will not work

As from my Fortinet experience, there you could use a FQDN object which is periodically resolved by the firewall to IP addresses. But how to do it on Checkpoint?

Is there any way to solve this other then getting all Microsoft Office 365 subnets, create proper objects and maintain the objects?

Unfortunately there is nothing available on the application blade for O365 IMAP/SMTP, only http(s) as I understand.

Regards
Markus

[PhoneBoy]

Domain objects in R80.10 should support this use case.

Meanwhile, you can use a dynamic object that's auto-populated based on DNS: https://bitbucket.org/chkp/dynobj/overview
Note this disables SecureXL connection templates so you want to put rules with these objects near the bottom of your rulebase.

[laf_c]

Domain objects in R80.10 should support this use case.

Meanwhile, you can use a dynamic object that's auto-populated based on DNS: https://bitbucket.org/chkp/dynobj/overview
Note this disables SecureXL connection templates so you want to put rules with these objects near the bottom of your rulebase.

Can you detail this option a bit more? What should be configured on the SmartDashboard side on R77.20 ?

[cciesec2006]

Can you detail this option a bit more? What should be configured on the SmartDashboard side on R77.20 ?

@phoneboy: Can you elaborate on the R80 should be able to support this. Are you referring to the domain objects? Are you saying that in R80, checkpoint domain objects will work without requiring proper PTR records?

[PhoneBoy]

Can you detail this option a bit more? What should be configured on the SmartDashboard side on R77.20 ?

Dynamic Objects are just an object type in SmartDashboard--a placeholder, if you will.
The actual configuration for the object (i.e. what the dynamic object resolves to) is configured on the Security Gateway itself using the dynamic_objects CLI command.
There are a handful of Dynamic Objects that are built in and auto-populated (e.g. LocalMachine, LocalMachine_All_Interfaces, DShield).

The referenced script provides a way to manipulate specific dynamic objects using forward lookup DNS names.
The script itself can run from anywhere that meets the requirements for the script.
However, the script will log into the Security Gateway to make the appropriate changes.

[PhoneBoy]

@phoneboy: Can you elaborate on the R80 should be able to support this. Are you referring to the domain objects? Are you saying that in R80, checkpoint domain objects will work without requiring proper PTR records?

I'm not sure if it's will be a new object type or if it will be a flag you have to set on the existing Domain objects.
Either way, the idea is that there will be a way to create an object using an FQDN, which will resolve to one or more IPs using forward DNS lookups.
This is expected in R80.10.