Updatable Objects
An Updatable Object is a network object that represents an external service, such as Office 365, AWS, GEO locations, and more. External services providers publish lists of IP addresses or Domains or both to allow access to their services. These lists are dynamically updated.
Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect.
You can use updatable objects in all three types of policies: Access Control, Threat Prevention, and HTTPS Inspection.
You can use an updatable object in the Access Control, Threat Prevention or the HTTPS Inspection policy as a Source or a Destination. In the Threat Prevention policy, you can also use an updatable object as the Protected Scope.
Adding an Updatable Object to the Security Policy
A customer uses Office365 and wants to allow access to Microsoft Exchange services.
To add the Microsoft Exchange Updatable Object to the Security Gateway:
- Make sure the Security Management Server and the Security Gateway have access to the Check Point cloud.
- Go to SmartConsole > Security Policies > Access Control > Policy.
- In the Destination column, click the + sign and select Import > Updatable Objects.
  The Updatable Objects window opens.
- Select the objects to add. For this use case, select the Exchange Services object.
  Note - You can also add objects to the Source column.
- Click OK.
- Install policy.
The Exchange Services object is added to the Rule Base.
You can monitor the updates in the Logs & Monitor > Logs view.
To monitor the updates:
- Go to SmartConsole > Logs & Monitor.
- From the search bar, enter Updatable Objects.
- Double-click the relevant log.
  The Log Details window shows.
- Succeeded shows in the Status field when the update is successful.
Updating the Updatable Objects through the Management Server
Important - This feature is available in the R81.10 Jumbo Hotfix Accumulator, Take 173 and higher (PMTR-102617).
If your Security Gateway is not connected to the Internet, it can get the updates for the Updatable Objects through the Management Server (which acts as a proxy server):
- Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.
- Log in to the Expert mode.
- Back up the current configuration file:
  cp -v $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml{,_BKP}
- Edit the current configuration file:
  vi $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml
- Change the value of the "ProxyRoute" parameter from 0 to 1:
  <ProxyRoute>1</ProxyRoute>
  Example (refer to the bottom of the file):
<?xml version="1.0" encoding="UTF-8"?>
<DownloadPreferences>
<ModuleName>Online_Services</ModuleName>
<ID>111</ID>
<Version>1.0</Version>
<Files>online_services_gw.tgz</Files>
<DeletionMethod>2</DeletionMethod>
<Interval>120</Interval>
<SVT_Log_ID>Firewall</SVT_Log_ID>
<SVT_Log_Desc>IPs and Domains for Online Services objects</SVT_Log_Desc>
<SVT_Log_Severity>2</SVT_Log_Severity>
<SVT_Log_Failure_Impact>Online Services objects update has failed</SVT_Log_Failure_Impact>
<CK_Identifier>fw1:6.0:xlate</CK_Identifier>
<CK_Identifier>fw1:6.0:auth</CK_Identifier>
<CK_Identifier>fw1:6.0:content</CK_Identifier>
<URL>https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl</URL>
<Updatable>Yes</Updatable>
<ProxyRoute>1</ProxyRoute>
</DownloadPreferences>
- Save the changes in the file and exit the editor.
- On a Scalable Platform Security Group, copy the modified file to all Security Group Members:
  asg_cp2blades $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml
- To apply the new proxy value, restart Check Point services. On the Security Gateway, run:
  cpstop; cpstart
  Important - Running the cpstop command on a Check Point Security Gateway stops all Check Point services, including Firewall, VPN, and Software Blades.
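The backup, edit and verify steps above can be scripted so that the change is made the same way on every Cluster Member and a failed edit is noticed before services are restarted. The following is an added example written for this page, not a Check Point tool: it takes a backup named `<file>_BKP` (the same naming as the cp step above), switches ProxyRoute from 0 to 1 through a temporary file, and re-reads the value afterwards. The profile path under `$CPDIR/conf/downloads/` is the one from this page; the demo at the bottom runs on a constructed, shortened copy of the profile in a temporary file so nothing under `$CPDIR` is touched.

```shell
#!/bin/sh
# Added example, not Check Point's own code. Automates the manual steps on
# this page: back up dl_prof_ONLINE_SERVICES.xml, switch ProxyRoute from 0
# to 1, and verify the result. The real file is
# $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml; the demo below works
# on a constructed copy in a temporary file.
set -e

# Print the current ProxyRoute value (0 or 1) from a download profile.
get_proxy_route() {
    sed -n 's#.*<ProxyRoute>\([01]\)</ProxyRoute>.*#\1#p' "$1"
}

# Back up the profile as <file>_BKP (same naming as the manual cp step) and
# set ProxyRoute to 1. Returns 1 if the file or the parameter is missing,
# or if the value is not 1 afterwards, so a caller can stop before cpstop.
set_proxy_route() {
    profile="$1"
    [ -f "$profile" ] || { echo "profile not found: $profile" >&2; return 1; }
    grep -q '<ProxyRoute>' "$profile" || { echo "no ProxyRoute parameter in $profile" >&2; return 1; }
    cp -v "$profile" "${profile}_BKP"
    # Edit through a temporary file so this also works where sed -i is unavailable.
    sed 's#<ProxyRoute>0</ProxyRoute>#<ProxyRoute>1</ProxyRoute>#' "$profile" > "${profile}.tmp"
    mv "${profile}.tmp" "$profile"
    [ "$(get_proxy_route "$profile")" = "1" ]
}

# Write a constructed, shortened profile (values taken from the example on
# this page, ProxyRoute still at its default 0) to the given path.
write_sample_profile() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<DownloadPreferences>
<ModuleName>Online_Services</ModuleName>
<ID>111</ID>
<URL>https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl</URL>
<Updatable>Yes</Updatable>
<ProxyRoute>0</ProxyRoute>
</DownloadPreferences>
EOF
}

# Demo on a temporary copy, so nothing under $CPDIR is touched.
demo_profile=$(mktemp)
write_sample_profile "$demo_profile"
echo "before: ProxyRoute=$(get_proxy_route "$demo_profile")"
set_proxy_route "$demo_profile"
echo "after:  ProxyRoute=$(get_proxy_route "$demo_profile")"
echo "backup: ProxyRoute=$(get_proxy_route "${demo_profile}_BKP")"
rm -f "$demo_profile" "${demo_profile}_BKP"
```

On a real gateway you would call `set_proxy_route "$CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml"` in Expert mode and only proceed to `asg_cp2blades` and `cpstop; cpstart` if it returns 0; the `_BKP` copy keeps the original value for rollback.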