Dynamic Objects
Understanding Dynamic Objects
Profiles enable you to update large numbers of gateways using Dynamic Objects — logical objects whose values, IP addresses or ranges, are resolved differently per gateway. In other words, Dynamic Objects localize a general profile. You can create one SmartLSM Security Profile or Provisioning Profile that can be applied to any number of actual gateways.
Dynamic Objects are defined in SmartDashboard and referenced in Security Policies, NAT tables, and profiles.
Some Dynamic Objects are provided by default; however, if you want to create your own, to more efficiently manage your unique environment, you need to create these objects in SmartDashboard.
Benefits of Dynamic Objects
In SmartDashboard, create Dynamic Objects to hold values for SmartProvisioning gateways. This enables you to create rules, Security Policies, and SmartProvisioning SmartLSM Security Profiles that are can be re-used for numerous gateways.
Dynamic Objects enable you to:
- Create a VPN tunnel between CO gateways and SmartLSM Security Gateways.
- Represent generic servers that exist in remote sites and easily manage numerous remote servers from a central control.
- Install Security Policy rules with Dynamic Objects on SmartLSM Security Profiles, automatically localizing a generic rule for each gateway.
Dynamic Object Types
There are different types of Dynamic Objects, differentiated by how they are resolved.
- Automatically Resolved: Created by default whenever you create a new SmartLSM Security Gateway object, Auto-Resolved Dynamic Objects are replaced with their values as soon as the gateway loads an updated profile from the Security Management Server or Domain Management Server. These Dynamic Objects cannot be edited. See table below.
- Centrally Resolved: A Dynamic Object is created in SmartDashboard and for each SmartLSM Security Gateway, you define the IP address or range to which the Dynamic Object will be resolved.
Auto Resolved Dynamic Objects
Default Dynamic Object
|
Resolves to:
|
AuxiliaryNet
|
IP address range, based on the IP address and net mask of the interface configured as the Auxiliary network for the SmartLSM Security Gateway
|
DMZNet
|
IP address range, based on the IP address and net mask of the interface configured as the DMZ network for the SmartLSM Security Gateway
|
InternalNet
|
IP address range, based on the IP address and net mask of the LAN behind the SmartLSM Security Gateway configured as the Internal network
|
LocalMachine
|
External IP address of the SmartLSM Security Gateway, based on the IP address of the interface marked External
|
LocalMachine_All_Interfaces
|
DAIP machine interfaces, both static and dynamic
|
Dynamic Object Values
Dynamic Objects, created in SmartDashboard and used in Security Policy rules, are resolved to actual IP address or IP address ranges. When the Security Policy is fetched by a SmartLSM Security Profile for a SmartLSM Security Gateway, SmartProvisioning resolves the Dynamic Objects.
Dynamic Objects are automatically resolved whenever a gateway fetches a SmartLSM Security Profile from the Security Management Server or Domain Management Server.
You can also actively push the values of Dynamic Objects, ensuring that new values take effect immediately.
To push Dynamic Object values, select Actions > Push Dynamic Objects.
When a SmartLSM Security Gateway fetches its SmartLSM Security Profile, either on internal or by push, the SmartLSM Security Profile is localized for each gateway. Localization is performed in the following order:
- Anti-Spoofing and Encryption-Domain information are automatically calculated.
- Dynamic Objects are resolved, in the Automatic-Central-Local order.
- Relevant gateways are updated with Provisioning Profiles.
- The relevant Check Point Security Policy is installed or updated on SmartLSM Security Gateways.
Using Dynamic Objects
To use Dynamic Objects:
- In SmartDashboard, create the Dynamic Objects, the Security Policy that uses the Dynamic Objects, and the SmartProvisioning Profile that calls the Security Policy.
- In SmartProvisioning, add a SmartLSM Security Gateway based on the SmartLSM Security Profile, and then configure the gateway's Dynamic Object list to include and resolve the Dynamic Objects of the Security Policy.
User-Defined Dynamic Objects
Creating User-Defined Dynamic Objects
To create centrally and locally resolved Dynamic Objects:
- In SmartDashboard, select Manage > Network Objects > New > Dynamic Object.
- Provide the relevant information and click OK.
Configuring User-Defined Dynamic Object Values
If a fetched SmartLSM Security Profile includes Dynamic Objects for which you did not configure values, the firewall drops all packets that match any rules with these Unresolved Dynamic Objects. Therefore, you must be sure to define all Centrally Resolved Dynamic Objects, and verify that local administrators in remote and branch offices define the values for Locally Resolved Dynamic Objects.
After you have created a Dynamic Object in SmartDashboard, you can add it as a Dynamic Object to a SmartLSM Security Gateway, providing the exact IP address or range to which SmartProvisioning will resolve the Dynamic Object.
|
Note - The Dynamic Objects tab has an Add button, but this does not add new Dynamic Objects; it adds a new resolve-to value for the selected SmartLSM Security Gateway to an already defined Dynamic Object. If you click Add and have already resolved all defined Dynamic Objects, the following message will appear: All defined Dynamic Objects are already resolved. Use the Check Point SmartDashboard in order to add more Dynamic Objects.
|
To specify the resolution value of a user-defined Dynamic Object:
- Double-click a SmartLSM Security Gateway (either Security Gateway or UTM-1 Edge).
- In the Gateway window, select the Dynamic Objects tab.
- Click Add.
- From the Name drop-down list, select the Dynamic Object, as defined in SmartDashboard.
The Comments field displays the comments provided by the Dynamic Object creator.
- Select the relevant type of value:
- IP Address: If there is one IP address for the Dynamic Object value, select this option and provide the address.
- IP Address Range: If there is a range for the Dynamic Object value, select this option and provide the first and last IP addresses of this range.
- Click OK.
The Dynamic Object name is added to the Resolved Dynamic Objects table. If the value is a single IP address, this address is listed in the First IP column.
Dynamic Object Examples
The examples in this section show how to create rules in SmartDashboard, to create a Security Policy that uses Dynamic Objects. After you create the rule base, install it as a Security Policy on the SmartLSM Security Profile.
For each gateway assigned to the SmartLSM Security Profile, the Dynamic Objects are localized and resolved to the real IP addresses of each gateway. Therefore, for each gateway of a profile on which the Security Policy with the Dynamic Objects is installed, make sure that the gateway has these Dynamic Objects configured with real IP addresses and net masks.
|
Note - Remember that the LocalMachine Dynamic Object in the following examples will be resolved to the external IP address of the SmartLSM Security Gateway; it is not the IP address of the SmartConsole or the Security Management Server or Domain Management Server.
|
Hiding an Internal Network
This example uses the InternalNet and LocalMachine default Dynamic Objects to create a rule in a Security Policy that can be applied to any SmartLSM Security Profile object, and thus, to any number of gateways. This rule hides the internal network behind the external IP address of the SmartLSM Security Gateway.
Example — NAT Hide
Source
|
Destination
|
Service
|
Source
|
Destination
|
Service
|
InternalNet
|
Any
|
Any
|
LocalMachine(H)
|
Any
|
Any
|
Defining Static NAT for Multiple Networks
This example uses Dynamic Objects that you can define for yourself, according to the needs of your organization and the requirements for the SmartLSM Security Gateways. This rule configures static NAT on all incoming HTTP traffic going to a published IP address (the IP address is represented by a Dynamic Object called PublishedIP), as if it were going to a Web server (represented by a Dynamic Object called WebServer).
Example — Static NAT
Source
|
Destination
|
Service
|
Any
|
PublishedIP
|
HTTP
|
Any
|
WebServer
|
HTTP
|
Securing LAN-DMZ Traffic
This example uses the InternalNet and DMZNet default Dynamic Objects to secure traffic between a gateway's internal LAN and its DMZ. This example shows that when creating rules with Dynamic Objects, you should be careful that it is installed on the relevant SmartLSM Security Profile, the profile for which all its gateways have these Dynamic Objects configured.
LAN Rules
Source
|
Destination
|
VPN
|
Service
|
Action
|
Log
|
Install On
|
InternalNet
|
DMZNet
|
*Any Traffic
|
Any
|
Accept
|
None
|
Profile1
|
Allowing Gateway Ping
This example shows a rule that allows external hosts to ping the external IP address of a SmartLSM Security Gateway. It is installed on multiple profiles, allowing this rule to be part of numerous gateways.
External Hosts Rules
Source
|
Destination
|
VPN
|
Service
|
Action
|
Log
|
Install On
|
Any
|
LocalMachine
|
*Any Traffic
|
ICMP echo- request
|
Accept
|
None
|
Profile1
LSMProfile1
|
Tunneling Part of a LAN
This example uses a centrally resolved Dynamic Object to hold an IP address range that represents part of an internal LAN behind a SmartLSM Security Gateway. The complete range is 192.0.2.1 - 192.0.2.255. You want only 192.0.2.1 - 192.0.2.128 of this LAN to be in a VPN tunnel with the CO gateway.
In SmartDashboard, do the following:
- Create a Dynamic Objects called Safe_Internal.
- Add this object to the VPN community (called MyComm in this example) that includes the IP addresses of the CO gateway (MyCO) and its VPN domain (CO_VPN).
- Create a SmartLSM Security Profile object called MyProfile.
- Create a Security Policy with the following rules.
VPN with Range
Source
|
Destination
|
VPN
|
Service
|
Action
|
Install On
|
Any
|
LocalMachine
|
MyComm
|
ftp
telnet
|
Accept
|
MyCO
|
Safe_Internal
|
CO_VPN
|
MyComm
|
ftp
telnet
|
Accept
|
MyProfile
|
CO_VPN
|
Safe_Internal
|
MyComm
|
ftp
telnet
|
Accept
|
MyProfile
|
In SmartProvisioning, do the following:
- Make sure the SmartLSM Security Gateway with the internal LAN is assigned to MyProfile.
- Add Safe_Internal to the Dynamic Objects list of this gateway.
- Configure the IP address range of Safe_Internal to the safe range of the LAN: 192.0.2.1 - 192.0.2.128.
- Push the Dynamic Objects and then the policy to the SmartLSM Security Gateway.
|
