Updatable Objects

Introduction to Updatable Objects

An Updatable Object is a network object that represents an external service, such as Office 365, AWS, GEO locations, and more. External service providers publish lists of IP addresses, domains, or both to allow access to their services. These lists are dynamically updated.

Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect.

You can use updatable objects in all three types of policies: Access Control, Threat Prevention, and HTTPS Inspection.

You can use an updatable object in the Access Control, Threat Prevention or the HTTPS Inspection policy as a Source or a Destination. In the Threat Prevention policy, you can also use an updatable object as the Protected Scope.

Notes:

  • For Access Control, this feature is supported on Security Gateways R80.20 and higher.

  • For Threat Prevention and HTTPS Inspection, this feature is supported on Security Gateways R80.40 and higher.

  • Updatable Objects cannot be added to a network group.

Adding an Updatable Object to the Access Control Policy

  1. Make sure the Security Management Server / Domain Management Server and the Security Gateway have access to the Check Point cloud on the Internet (see sk83520).

  2. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  3. From the left navigation panel, click Security Policies.

  4. In the top panel, click Access Control > Policy.

  5. Add a new rule in the required position.

  6. In the Destination column, click the + icon.

    Note - You can also add Updatable objects in the Source column.

  7. In the top right corner, click Import > Updatable Objects.

    The Updatable Objects window opens.

  8. Select the Updatable objects to add.

  9. Click OK.

    The selected Updatable objects are added in the rule column.

  10. Configure other columns in this rule.

  11. Publish the SmartConsole session.

  12. Install the Access Control Policy.

Adding an Updatable Object to the Custom Threat Prevention Policy

  1. Make sure the Security Management Server / Domain Management Server and the Security Gateway have access to the Check Point cloud on the Internet (see sk83520).

  2. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  3. From the left navigation panel, click Security Policies.

  4. In the top panel, click Threat Prevention > Custom Policy.

  5. Add a new rule in the required position.

  6. In the Protected Scope column, click the + icon.

  7. In the top right corner, click Import > Updatable Objects.

    The Updatable Objects window opens.

    Note - You can also add objects to the Source column.

  8. Select the Updatable objects to add.

  9. Click OK.

    The selected Updatable objects are added in the rule column.

  10. Configure other columns in this rule.

  11. Publish the SmartConsole session.

  12. Install the Threat Prevention Policy.

Adding an Updatable Object to the HTTPS Inspection Policy

  1. Make sure the Security Management Server / Domain Management Server and the Security Gateway have access to the Check Point cloud on the Internet (see sk83520).

  2. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  3. From the left navigation panel, click Security Policies.

  4. In the top panel, click the applicable policy:

    • HTTPS Inspection > Inbound Policy

    • HTTPS Inspection > Outbound Policy

  5. Add a new rule in the required position.

  6. In the Destination column, click the + icon.

    Note - You can also add Updatable objects in the Source column.

  7. In the top right corner, click Import > Updatable Objects.

    The Updatable Objects window opens.

  8. Select the Updatable objects to add.

  9. Click OK.

    The selected Updatable objects are added in the rule column.

  10. Configure other columns in this rule.

  11. Publish the SmartConsole session.

  12. Install the HTTPS Inspection Policy.

Monitoring Updatable Objects

You can monitor how the Updatable Objects update their corresponding IP addresses in SmartConsole or SmartView in the Logs & Events view > the Logs tab.

Follow the procedure that is most applicable to you.

Updating the Updatable Objects through the Management Server

Important - This feature is available in the R81.20 Jumbo Hotfix Accumulator, Take 96 and higher (PMTR-102617).

If your Security Gateway is not connected to the Internet, it can get the updates for the Updatable Objects through the Management Server (which acts as a proxy server):

  1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

  2. Log in to the Expert mode.

  3. Back up the current configuration file:

    cp -v $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml{,_BKP}

  4. Edit the current configuration file:

    vi $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml

  5. Change the value of the "ProxyRoute" parameter from 0 to 1:

    <ProxyRoute>1</ProxyRoute>

    Example (refer to the bottom of the file):

    <?xml version="1.0" encoding="UTF-8"?>
    <DownloadPreferences>
        <ModuleName>Online_Services</ModuleName>
        <ID>111</ID>
        <Version>1.0</Version>
        <Files>online_services_gw.tgz</Files>
        <DeletionMethod>2</DeletionMethod>
        <Interval>120</Interval>
        <SVT_Log_ID>Firewall</SVT_Log_ID>
        <SVT_Log_Desc>IPs and Domains for Online Services objects</SVT_Log_Desc>
        <SVT_Log_Severity>2</SVT_Log_Severity>
        <SVT_Log_Failure_Impact>Online Services objects update has failed</SVT_Log_Failure_Impact>
        <CK_Identifier>fw1:6.0:xlate</CK_Identifier>
        <CK_Identifier>fw1:6.0:auth</CK_Identifier>
        <CK_Identifier>fw1:6.0:content</CK_Identifier>
        <URL>https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl</URL>
        <Updatable>Yes</Updatable>
        <ProxyRoute>1</ProxyRoute>
    </DownloadPreferences>

  6. Save the changes in the file and exit the editor.

  7. On a Scalable Platform Security Group, copy the modified file to all Security Group Members:

    asg_cp2blades $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml
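
Steps 3 to 5 above as a non-interactive script that refuses to edit an unexpected file and verifies the result. This is an added example, not Check Point code: the function names `enable_proxy_route` and `make_sample` are hypothetical, and the sample file is a constructed, shortened copy of the one shown above.

```bash
#!/bin/bash
# Added example, not Check Point code. Uses only cp, grep, sed, cat, mktemp.

# enable_proxy_route FILE: back up FILE to FILE_BKP, set <ProxyRoute> to 1, verify.
enable_proxy_route() {
    local f="$1" count tmp
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }

    # Refuse to edit unless exactly one ProxyRoute element with value 0 or 1 exists.
    count=$(grep -c '<ProxyRoute>[01]</ProxyRoute>' "$f" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 ProxyRoute element, found $count" >&2; return 3; }

    # Idempotent: nothing to do when the value is already 1.
    if grep -q '<ProxyRoute>1</ProxyRoute>' "$f"; then return 0; fi

    # Step 3: keep an existing backup rather than overwriting a known-good copy.
    [ -e "${f}_BKP" ] || cp -p "$f" "${f}_BKP" || return 4

    # Step 5: edit a temporary copy, then write it back in place so the
    # original file's owner and mode are preserved.
    tmp=$(mktemp) || return 5
    sed 's|<ProxyRoute>0</ProxyRoute>|<ProxyRoute>1</ProxyRoute>|' "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rm -f "$tmp"

    # Verify; restore the backup if the expected value is not present.
    if ! grep -q '<ProxyRoute>1</ProxyRoute>' "$f"; then
        cp -p "${f}_BKP" "$f"; return 6
    fi
}

# Constructed sample: a shortened copy of the file shown above, with ProxyRoute 0.
make_sample() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<DownloadPreferences>' \
        '    <ModuleName>Online_Services</ModuleName>' \
        '    <Updatable>Yes</Updatable>' \
        '    <ProxyRoute>0</ProxyRoute>' \
        '</DownloadPreferences>' > "$1"
}

# Demo on the constructed sample in a temporary directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/dl_prof_ONLINE_SERVICES.xml"
enable_proxy_route "$demo_dir/dl_prof_ONLINE_SERVICES.xml" \
    && grep 'ProxyRoute' "$demo_dir/dl_prof_ONLINE_SERVICES.xml"
rm -rf "$demo_dir"
```

On a gateway, the function would be called in Expert mode as `enable_proxy_route "$CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml"`; step 7 still applies afterwards on a Scalable Platform Security Group.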