Managing Objects

In This Section: Object Categories Working with Objects Object Tags Network Object Types

Network Objects, defined in SmartConsole and stored in the proprietary Check Point object database, represent physical and virtual network components (such as gateways, servers, and users), and logical components (such as IP address ranges and Dynamic Objects). Before you create Network Objects, analyze the needs of your organization:

• What are the physical components of your network: devices, hosts, gateways and their active Software Blades?
• What are the logical components: services, resources, applications, ranges?
• Who are the users? How should you group them, and with what permissions?

Object Categories

Objects in SmartConsole represent networks, devices, protocols and resources. SmartConsole divides objects into these categories:

Icon	Object Type	Examples
	Network Objects	Gateways, hosts, networks, address ranges, dynamic objects, security zones
	Services	Services, Service groups
	Custom Applications/Sites	Applications, Categories, Mobile applications
	VPN Communities	Site to Site or Remote Access communities
	Users	Users, user groups, and user templates
	Data Types	International Bank Account Number - IBAN, HIPAA - Medical Record Number - MRN, Source Code.
	Servers	Trusted Certificate Authorities, RADIUS, TACACS
	Time Objects	Time, Time groups
	UserCheck Interactions	Message windows: Ask, Cancel, Certificate Template, Inform, and Drop
	Limit	Download and upload bandwidth

Working with Objects

You can add, edit, delete, and clone objects. A clone is a copy of the original object, with a different name. You can also replace one object in the Policy with another object.

Note - Do not create two objects with the same name. You will see a validation error when you try to publish. To resolve, change one of the object names.

To work with objects, right-click the object in the object tree or in the Object Explorer, and select the action.

You can delete objects that are not used, and you can find out where an object is used.

To clone an object:

1. In the object tree or in the Object Explorer, right-click the object and select Clone.

   The Clone Object window opens.

2. Enter a name for the cloned object.
3. Click OK.

To find out where an object is used:

In the object tree or in the Object Explorer, right-click the object and select Where Used.

To replace an object with a different object:

1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
2. Click the Replace icon.
3. From the Replace with list, select an item.
4. Click Replace.

To delete all instances of an object:

1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
2. Click the Replace icon.
3. From the Replace with list, select None (remove item).
4. Click Replace.

Object Tags

Object tags are keywords or labels that you can assign to the network objects or groups of objects for search purposes. These are the types of tags you can assign:

• User tags - Assigned manually to individual objects or groups of objects
• System tags - Predefined keywords, such as "application"

Each tag has a name and a value. The value can be static, or dynamically filled by detection engines.

Adding a Tag to an Object

To add a tag to an object:

1. Open the network object for editing.
2. In the Add Tag field, enter the label to associate with this object.
3. Press Enter.

   The new tag shows to the right of the Add Tag field.

4. Click OK.

Network Object Types

In This Section: Networks Network Groups Check Point Hosts Gateway Cluster Updatable Objects Adding an Updatable Object to the Security Policy More Network Object Types

Networks

A Network is a group of IP addresses defined by a network address and a net mask. The net mask indicates the size of the network.

A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this address is included, the Broadcast IP address will be considered as part of the network.

Network Groups

A network group is a collection of hosts, gateways, networks or other groups. Groups can be used to facilitate and simplify network management. When you have the same set of objects which you want to use in different places in the Rule Base, you can create a group to include such set of objects and reuse it. Modifications are applied to the group instead of to each member of the group.

Groups are also used where SmartConsole lets you select only one object, but you need to work with more than one. For example, in the gateway editor > Network Management > VPN Domain > Manually defined, you can only select on object from the drop-down menu. If you want to select more than one object for your VPN Domain, you can create a group, add the required objects to the group, and select the group from the drop-down menu.

Grouping Network Objects

To create a group of network objects:

1. In the Objects tree, click New > Network Group.

   The New Network Group window opens.

2. Enter a name for the group
3. Set optional parameters:
   • Object comment
   • Color
   • Tag (as custom search criteria)
4. For each network object you want to add, click the [+] sign and select it from the list that shows.
5. Click OK.

From R80.20.M2, you can also associate groups to a network object directly from the object editor.

To associate groups to a network object:

1. Open the object editor, and go to Groups in the navigation tree.
2. For each group you want to add, click the [+] sign and select it from the list that shows.

Check Point Hosts

A Check Point Host can have multiple interfaces but no routing takes place. It is an endpoint that receives traffic for itself through its interfaces. (In comparison, a Security Gateway routes traffic between its multiple interfaces.) For example, if you have two unconnected networks that share a common Security Management Server and Log Server, configure the common server as a Check Point Host object.

A Check Point Host has one or more Software Blades installed. But if the Firewall blade is installed on the Check Point Host, it cannot function as a firewall. The Host requires SIC and other features provided by the actual firewall.

A Check Point Host has no routing mechanism, is not capable of IP forwarding, and cannot be used to implement Anti-spoofing. If the host must do any of these, convert it to be a Security Gateway.

The Security Management Server object is a Check Point Host.

Note - When you upgrade to R80.30 from R77.30 or earlier versions, Node objects are converted to Host objects.

Gateway Cluster

A gateway cluster is a group of Security Gateways with Cluster software installed: ClusterXL, or another Clustering solution. Clustered gateways add redundancy through High Availability or Load Sharing.

Updatable Objects

An updatable object is a network object which represents an external service, such as Office 365, AWS, GEO locations and more. External services providers publish lists of IP addresses or Domains or both to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect. You can use an updatable object in the Access Control policy as a source or a destination.

• For more on updatable objects and list of objects currently supported, see: sk173416

Note - This feature is only supported for R80.20 and above gateways.

Adding an Updatable Object to the Security Policy

A customer uses Office365 and wants to allow access to Microsoft Exchange services.

To add the Microsoft Exchange Updatable Object to the Security Gateway:

1. Make sure the Security Management Server and the Security Gateway have access to the Check Point cloud.
2. Go to SmartConsole > Security Policies > Access Control > Policy.
3. Create a new rule.
4. In the Destination column, click the + sign and select Import > Updatable Objects.

   The Updatable Objects window opens.

5. Select the objects to add. For this use case, select the Exchange Services object.

   Note - You can also add objects to the Source column.

6. Click OK.
7. Install policy.

The Exchange Services object is added to the Rule Base.

No	Name	Source	Destination	VPN	Services & Applications	Action	Track
1	Accept Exchange	WirelessZone	Exchange Services	Any	Any	Accept	Log
2	Accept Exchange	Exchange Services	WirelessZone	Any	Any	Accept	Log

You can monitor the updates in the Logs & Monitor Logs view.

To monitor the updates:

1. Go to SmartConsole > Logs & Monitor.
2. From the search bar, enter Updatable Objects.
3. Double-click the relevant log.

   The Log Details window shows.

4. Succeeded shows in the Status field when the update is successful.

More Network Object Types

Address Ranges

An address range is a range of IP addresses on the network, defined by the lowest and the highest IP addresses. Use an Address Range object when you cannot define a range of IP addresses by a network IP and a net mask. The Address Range objects are also necessary for the implementation of NAT and VPN.

Using Wildcard Objects

Wildcard objects let you define IP address objects that share a common pattern that can be permitted or denied access in a security policy.

Note - This feature is only supported for R80.20 and above gateways.

To create a new wildcard object:

1. Open Object Explorer > New > More > Network Object > Wildcard object.
2. Enter the Wildcard IP address and Wildcard Netmask in IPv4 or IPv6 Format.
3. Click OK.

Understanding Wildcard Objects

The wildcard object contains a wildcard IP address and a wildcard netmask.

The wildcard netmask is the mask of bits that indicate which parts of the IP address must match and which do not have to match. For example:

Wildcard IP:	194.	29.	0.	1
Wildcard Netmask:	0.	0.	3.	0

The third octet represents the mask of bits. If we convert the 3 to binary, we get 00000011. The 0 parts of the mask must match the equivalent bits of the IP address. The 1 parts of the mask do not have to match, and can be any value.

0	0	0	0	0	0	1	1
Must match the equivalent bits in the IP address						Do not have to match

The binary netmask produces these possible decimal values:

128	64	32	16	8	4	2	1
						Binary			Decimal
0	0	0	0	0	0	0	0		0
0	0	0	0	0	0	0	1		1
0	0	0	0	0	0	1	0		2
0	0	0	0	0	0	1	1		3

The netmask permits only these IP addresses:

• 194.29.0.1
• 194.29.1.1
• 192.29.2.1
• 194.29.3.1

Use Cases

Scenario One

A supermarket chain has all of its cash registers on subnet 194.29.x.1, where x defines the region. In this use case, all the cash registers in this region must have access to the database server at 194.30.1.1.

Instead of defining 256 hosts (194.29.0.1, 194.29.1.1, 194.29.2.1....194.29.255.1), the administrator creates a wildcard object that represents all the cash registers in the region:

Wildcard IP:	194.	29.	0.	1
Wildcard Mask:	0.	0.	255.	0

The wildcard object can now be added to the access control policy.

Source	Destination	Action	Track
Wildcard Object	Database server object	Accept	Log

Scenario Two

In this use case, a supermarket chain has stores in Europe and Asia.

The 192.30.0-255.1 network contains both the Asian and European regions, and the stores within those regions.

Item	Description
1	Database Server for Europe
2	Database Server for Asia
3	European and Asia network

The administrator wants stores in the European and Asia regions to access different database servers. In this topology, the third octet of the European and Asia network's IP address will be subject to a wildcard. The first four bits of the wildcard will represent the region and the last four bits will represent the store number.

Bits that represent the region	Bits that represent the store number
0000	0000

In the Wildcard IP:

• The Asia region is represented by 0001xxxx (Region 1 in decimal)
• The European region is represented by 0010xxxx (Region 2 in decimal)

In binary:

Binary		Decimal
Region	Store
0001	0000	16 - Asia Region
0010	0000	32 - European Region

To include all the stores of a particular region, the last four bits of the wildcard mask must be set to 1 (15 in Decimal):

Binary		Decimal
Region	Store
xxxx	1111	15 - all Asian stores
xxxx	1111	15 - all European stores

A wildcard object that represents all the Asian stores will look like this:

Wildcard IP address	192.30.16.1	(The region)
Wildcard netmask	0.0.15.0	(for stores in the region)

For this range of IP addresses: 192.30.16-31.1

A wildcard object that represents all the European stores will look like this:

Wildcard IP address	192.30.32.1	(the region)
Wildcard netmask	0.0.15.0	(for stores in the region)

For this range of IP addresses: 192.30.32-47.1

The administrator can now use these wildcard objects in the access control policy:

Source	Destination	Action	Track
Asian Stores Wildcard	Database Server for Asia	Accept	Log
European Stores Wildcard	Database Server for Europe	Accept	Log

Scenario Three

In this scenario, the netmask bits are not consecutive.

Wildcard IP	1	1	0	1
Wildcard mask	0	0	5	0

Wildcard IP	00000001.00000001.00000000.00000001
Wildcard Mask	00000000.00000000.00000101.00000000

Mask:

00	01	02	03	04	05	06	07	08	09	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	1	0	1	0	0	0	0	0	0	0	0

Which will match only these IP addresses:

IP Address	Binary	Comment
1.1.0.1	00000001.00000001.00000000.00000001	The IP address itself
1.1.1.1	00000001.00000001.00000001.00000001	The equivalent bit at position 23 does not matter
1.1.4.1	00000001.00000001.00000100.00000001	The equivalent bit at position 21 does not matter
1.1.5.1	00000001.00000001.00000101.00000001	The equivalent bits at positions 21 and 23 do not matter

IPv6

The same principles apply to IPv6 addresses. For example, if the wildcard object has these values:

IPv6 Address	2001::1:10:0:1:41
Wildcard netmask	0::ff:0:0

The wildcard will match: 2001::1:10:0-255:1:41

Domains

A Domain object lets you define a host or DNS domain by its name only. It is not necessary to have the IP address of the site.

You can use the Domain object in the source and destination columns of an Access Control Policy.

You can configure a Domain object in two ways:

• Select FQDN

  In the object name, use the Fully Qualified Domain Name (FQDN). Use the format .x.y.z (with a dot "." before the FQDN). For example, if you use .www.example.com then the Gateway matches www.example.com

  This option is supported for R80.10 and higher, and is the default. It is more accurate and faster than the non-FQDN option.

  The Security Gateway looks up the FQDN with a direct DNS query, and uses the result in the Rule Base.

  This option supports SecureXL Accept templates. Using domain objects with this option in a rule has no effect on the performance of the rule, or of the rules that come after it.

• Clear FQDN

  This option enforces the domain and its sub-domains. In the object name, use the format .x.y for the name. For example, use .example.com or .example.co.uk for the name. If you use .example.com, then the Gateway matches www.example.com and support.example.com

  The Gateway does the name resolution using DNS reverse lookups, which can be inaccurate. The Gateway uses the result in the Rule Base, and caches the result to use again.

  When upgrading from R77, this option is enforced.

Dynamic Objects

A dynamic object is a "logical" object where the IP address is resolved differently for each Security Gateway, using the dynamic_objects command.

For R80.10 Security Gateways and higher, dynamic objects support SecureXL Accept templates. Therefore, there is no performance impact on a rule that uses a dynamic object, or on rules that come after it.

Dynamic Objects are predefined for LocalMachine-all-interfaces. The DAIP computer interfaces (static and dynamic) are resolved into this object.

Security Zones

Security Zones let you to create a strong Access Control Policy that controls the traffic between parts of the network.

A Security Zone object represents a part of the network (for example, the internal network or the external network). You assign a network interface of a Security Gateway to a Security Zone. You can then use the Security Zone objects in the Source and Destination columns of the Rule Base.

Use Security Zones to:

• Simplify the Policy. Apply the same rule to many Gateways.
• Add networks to Gateways interfaces without changing the Rule Base.

For example, in the diagram, we have three Security Zones for a typical network: ExternalZone (1), DMZZone (2) and InternalZone (3).

• Gateway (4) has three interfaces. One interface is assigned to ExternalZone (1), one interface is assigned to DMZZone (2), and one interface is assigned to InternalZone (3).
• Gateway (5) has two interfaces. One interface is assigned to ExternalZone (1) and one interface is assigned to InternalZone (3).

A Security Gateway interface can belong to only one Security Zone. Interfaces to different networks can be in the same Security Zone.

Workflow

1. Define Security Zone objects. Or, use the predefined Security Zones.
2. Assign Gateway interfaces to Security Zones.
3. Use the Security Zone objects in the Source and Destination of a rule. For example:

   Source	Destination	VPN	Service	Action
   InternalZone	ExternalZone	Any Traffic	Any	Accept

4. Install the Access Control Policy.

Creating and Assigning Security Zones

Before you can use Security Zones in the Rule Base, you must assign Gateway interfaces to Security Zones.

To create a Security Zone:

1. In the Objects bar (F11), click New > More > Network Object > Security Zone.

   The Security Zone window opens.

2. Enter a name for the Security Zone.
3. Enter an optional comment or tag.
4. Click OK.

To assign an interface to a Security Zone

1. In the Gateways & Servers view, right-click a Security Gateway object and select Edit.

   The Gateway Properties window opens.

2. In the Network Management pane, right-click an interface and select Edit.

   The Interface window opens. The Topology area of the General pane shows the Security Zone to which the interface is already bound. By default, the Security Zone is calculated according to where the interface Leads To.

3. Click Modify.

   The Topology Settings window opens.

4. In the Security Zone area, click User Defined and select Specify Security Zone.
5. From the drop-down box, select a Security Zone.

   Or click New to create a new one.

6. Click OK.

Predefined Security Zones

These are the predefined security zones, and their intended purposes:

• WirelessZone - Networks that can be accessed by users and applications with a wireless connection.
• ExternalZone - Networks that are not secure, such as the Internet and other external networks.
• DMZZone - A DMZ (demilitarized zone) is sometimes referred to as a perimeter network. It contains company servers that can be accessed from external sources.

  A DMZ lets external users and applications access specific internal servers, but prevents the external users accessing secure company networks. Add rules to the firewall Rule Base that allow traffic to the company DMZ. For example, a rule that allows HTTP and HTTPs traffic to your web server in the DMZ.

• InternalZone - Company networks with sensitive data that must be protected and used only by authenticated users.

Externally Managed Gateways/Hosts

An Externally Managed Security Gateway or a Host is a gateway or a Host which has Check Point software installed on it. This Externally Managed gateway is managed by an external Security Management Server. While it does not receive the Check Point Security Policy, it can participate in Check Point VPN communities and solutions.

Interoperable Devices

An Interoperable Device is a device that has no Check Point Software Blades installed. The Interoperable Device:

• Cannot have a policy installed on it
• Can participate in Check Point VPN communities and solutions.

VoIP Domains

There are five types of VoIP Domain objects:

• VoIP Domain SIP Proxy
• VoIP Domain H.323 Gatekeeper
• VoIP Domain H.323 Gateway
• VoIP Domain MGCP Call Agent
• VoIP Domain SCCP CallManager

In many VoIP networks, the control signals follow a different route through the network than the media. This is the case when the call is managed by a signal routing device. Signal routing is done in SIP by the Redirect Server, Registrar, and/or Proxy. In SIP, signal routing is done by the Gatekeeper and/or gateway.

Enforcing signal routing locations is an important aspect of VoIP security. It is possible to specify the endpoints that the signal routing device is allowed to manage. This set of locations is called a VoIP Domain. For more information refer to the R80.30 VoIP Administration Guide.

Logical Servers

A Logical Server is a group of machines that provides the same services. The workload of this group is distributed between all its members.

When a Server group is stipulated in the Servers group field, the client is bound to this physical server. In Persistent server mode the client and the physical server are bound for the duration of the session.

• Persistency by Service — once a client is connected to a physical server for a specified service, subsequent connection to the same Logical Server and the same service will be redirected to the same physical server for the duration of the session.
• Persistency by Server — once a client is connected to a physical server, subsequent connections to the same Logical Server (for any service) will be redirected to the same physical server for the duration of the session.

Balance Method

The load balancing algorithm stipulates how the traffic is balanced between the servers. There are several types of balancing methods:

• Server Load — The Security Gateway determines which Security Management Server is best equipped to handle the new connection.
• Round Trip Time — On the basis of the shortest round trip time between Security Gateway and the servers, executed by a simple ping, the Security Gateway determines which Security Management Server is best equipped to handle the new connection.
• Round Robin — the new connection is assigned to the first available server.
• Random — the new connection is assigned to a server at random.
• Domain — the new connection is assigned to a server based on domain names.

Open Security Extension (OSE) Devices

The Open Security Extension features let you manage third-party devices with the Check Point SmartConsole. The number of managed devices, both hardware and software packets, depends on your license. OSE devices commonly include hardware security devices for routing or dedicated Network Address Translation and Authentication appliances. Security devices are managed in the Security Policy as Embedded Devices.

The Security Management Server generates Access Lists from the Security Policy and downloads them to selected routers and open security device. Check Point supports these devices:

OSE Device	Supported Versions
Cisco Systems	9.x, 10.x, 11.x, 12.x

The Check Point Rule Base must not have these objects. If it does, the Security Management Server will not generate Access Lists.

• Drop (in the Action column)
• Encrypt (Action)
• Alert (Action)
• RPC (Service)
• ACE (Service)
• Authentication Rules
• Negate Cell

Defining OSE Device Interfaces

OSE devices report their network interfaces and setup at boot time. Each OSE device has a different command to list its configuration. You must define at least one interface for each device, or Install Policy will fail.

To define an OSE Device:

1. From the Object Explorer, click New > More.
2. Click Network Object > More > OSE Device.
3. Enter the general properties.

   We recommend that you also add the OSE device to the host lists on other servers: hosts (Linus) and lmhosts (Windows).

4. Open the Topology tab and add the interfaces of the device.

   You can enable Anti-Spoofing on the external interfaces of the device. Double-click the interface. In the Interface Properties window > Topology tab, select External and Perform Anti-Spoofing.

5. Open the Setup tab and define the OSE device and its administrator credentials.

OSE Device Properties Window — General Tab

• Name — The name of the OSE device, as it appears in the system database on the server.
• IP Address — The device's IP address.
• Get Address — Click this button to resolve the name to an address.
• Comment — Text to show on the bottom of the Network Object window when this object is selected.
• Color — Select a color from the drop-down list. The OSE device will be represented in the selected color in SmartConsole, for easier tracking and management.
• Type — Select from the list of supported vendors.

Anti-Spoofing Parameters and OSE Devices Setup (Cisco)

For Cisco (Version 10.x and higher) devices, you must specify the direction of the filter rules generated from anti-spoofing parameters. The direction of enforcement is specified in the Setup tab of each router.

For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface Direction property.

Access List No — The number of Cisco access lists enforced. Cisco routers Version 12x and below support an ACL number range from 101-200. Cisco routers Version 12x and above support an ACL range number from 101-200 and also an ACL number range from 2000-2699. Inputting this ACL number range enables the support of more interfaces.

For each credential, select an option:

• None — Credential is not needed.
• Known — The administrator must enter the credentials.
• Prompt — The administrator will be prompted for the credentials.

Username — The name required to logon to the OSE device.

Password — The Administrator password (Read only) as defined on the router.

Enable Username — The user name required to install Access Lists.

Enable Password — The password required to install Access Lists.

Version — The Cisco OSE device version (9.x, 10.x, 11.x, 12.x).

OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this direction on all interfaces.

Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets traveling in this direction on all interfaces.