Print Download PDF Send Feedback

Previous

Next

Managing Objects

In This Section:

Object Categories

Working with Objects

Object Tags

Network Object Types

Network Objects, defined in SmartConsole and stored in the proprietary Check Point object database, represent physical and virtual network components (such as gateways, servers, and users), and logical components (such as IP address ranges and Dynamic Objects). Before you create Network Objects, analyze the needs of your organization:

Object Categories

Objects in SmartConsole represent networks, devices, protocols and resources. SmartConsole divides objects into these categories:

Icon

Object Type

Examples

Network Objects

Gateways, hosts, networks, address ranges, dynamic objects, security zones

Services

Services, Service groups

Custom Apps Icon

Custom Applications/Sites

Applications, Categories, Mobile applications

VPN Communities

Site to Site or Remote Access communities

Users icon

Users

Users, user groups, and user templates

Data Types

International Bank Account Number - IBAN, HIPAA - Medical Record Number - MRN, Source Code.

Servers

Trusted Certificate Authorities, RADIUS, TACACS

Time Objects

Time, Time groups

UserCheck Interactions

Message windows: Ask, Cancel, Certificate Template, Inform, and Drop

Limit

Download and upload bandwidth

Working with Objects

You can add, edit, delete, and clone objects. A clone is a copy of the original object, with a different name. You can also replace one object in the Policy with another object.

Note - Do not create two objects with the same name. You will see a validation error when you try to publish. To resolve, change one of the object names.

To work with objects, right-click the object in the object tree or in the Object Explorer, and select the action.

You can delete objects that are not used, and you can find out where an object is used.

To clone an object:

  1. In the object tree or in the Object Explorer, right-click the object and select Clone.

    The Clone Object window opens.

  2. Enter a name for the cloned object.
  3. Click OK.

To find out where an object is used:

In the object tree or in the Object Explorer, right-click the object and select Where Used.

To replace an object with a different object:

  1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
  2. Click the Replace icon.
  3. From the Replace with list, select an item.
  4. Click Replace.

To delete all instances of an object:

  1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
  2. Click the Replace icon.
  3. From the Replace with list, select None (remove item).
  4. Click Replace.

Object Tags

Object tags are keywords or labels that you can assign to the network objects or groups of objects for search purposes. These are the types of tags you can assign:

Each tag has a name and a value. The value can be static, or dynamically filled by detection engines.

Adding a Tag to an Object

To add a tag to an object:

  1. Open the network object for editing.
  2. In the Add Tag field, enter the label to associate with this object.
  3. Press Enter.

    The new tag shows to the right of the Add Tag field.

  4. Click OK.

Network Object Types

In This Section:

Networks

Network Groups

Check Point Hosts

Gateway Cluster

Updatable Objects

Adding an Updatable Object to the Security Policy

More Network Object Types

Networks

A Network is a group of IP addresses defined by a network address and a net mask. The net mask indicates the size of the network.

A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this address is included, the Broadcast IP address will be considered as part of the network.

Network Groups

A network group is a collection of hosts, gateways, networks or other groups. Groups can be used to facilitate and simplify network management. When you have the same set of objects which you want to use in different places in the Rule Base, you can create a group to include such set of objects and reuse it. Modifications are applied to the group instead of to each member of the group.

Groups are also used where SmartConsole lets you select only one object, but you need to work with more than one. For example, in the gateway editor > Network Management > VPN Domain > Manually defined, you can only select on object from the drop-down menu. If you want to select more than one object for your VPN Domain, you can create a group, add the required objects to the group, and select the group from the drop-down menu.

Grouping Network Objects

To create a group of network objects:

  1. In the Objects tree, click New > Network Group.

    The New Network Group window opens.

  2. Enter a name for the group
  3. Set optional parameters:
    • Object comment
    • Color
    • Tag (as custom search criteria)
  4. For each network object you want to add, click the [+] sign and select it from the list that shows.
  5. Click OK.

From R80.20.M2, you can also associate groups to a network object directly from the object editor.

To associate groups to a network object:

  1. Open the object editor, and go to Groups in the navigation tree.
  2. For each group you want to add, click the [+] sign and select it from the list that shows.

Check Point Hosts

A Check Point Host can have multiple interfaces but no routing takes place. It is an endpoint that receives traffic for itself through its interfaces. (In comparison, a Security Gateway routes traffic between its multiple interfaces.) For example, if you have two unconnected networks that share a common Security Management Server and Log Server, configure the common server as a Check Point Host object.

A Check Point Host has one or more Software Blades installed. But if the Firewall blade is installed on the Check Point Host, it cannot function as a firewall. The Host requires SIC and other features provided by the actual firewall.

A Check Point Host has no routing mechanism, is not capable of IP forwarding, and cannot be used to implement Anti-spoofing. If the host must do any of these, convert it to be a Security Gateway.

The Security Management Server object is a Check Point Host.

Note - When you upgrade to R80.30 from R77.30 or earlier versions, Node objects are converted to Host objects.

Gateway Cluster

A gateway cluster is a group of Security Gateways with Cluster software installed: ClusterXL, or another Clustering solution. Clustered gateways add redundancy through High Availability or Load Sharing.

Updatable Objects

An updatable object is a network object which represents an external service, such as Office 365, AWS, GEO locations and more. External services providers publish lists of IP addresses or Domains or both to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect. You can use an updatable object in the Access Control policy as a source or a destination.

Note - This feature is only supported for R80.20 and above gateways.

Adding an Updatable Object to the Security Policy

A customer uses Office365 and wants to allow access to Microsoft Exchange services.

To add the Microsoft Exchange Updatable Object to the Security Gateway:

  1. Make sure the Security Management Server and the Security Gateway have access to the Check Point cloud.
  2. Go to SmartConsole > Security Policies > Access Control > Policy.
  3. Create a new rule.
  4. In the Destination column, click the + sign and select Import > Updatable Objects.

    The Updatable Objects window opens.

  5. Select the objects to add. For this use case, select the Exchange Services object.

    Note - You can also add objects to the Source column.

  6. Click OK.
  7. Install policy.

The Exchange Services object is added to the Rule Base.

No

Name

Source

Destination

VPN

Services & Applications

Action

Track

1

Accept Exchange

WirelessZone

Exchange Services

Any

Any

Accept

Log

2

Accept Exchange

Exchange Services

WirelessZone

Any

Any

Accept

Log

You can monitor the updates in the Logs & Monitor Logs view.

To monitor the updates:

  1. Go to SmartConsole > Logs & Monitor.
  2. From the search bar, enter Updatable Objects.
  3. Double-click the relevant log.

    The Log Details window shows.

  4. Succeeded shows in the Status field when the update is successful.

More Network Object Types

Address Ranges

An address range is a range of IP addresses on the network, defined by the lowest and the highest IP addresses. Use an Address Range object when you cannot define a range of IP addresses by a network IP and a net mask. The Address Range objects are also necessary for the implementation of NAT and VPN.

Using Wildcard Objects

Wildcard objects let you define IP address objects that share a common pattern that can be permitted or denied access in a security policy.

Note - This feature is only supported for R80.20 and above gateways.

To create a new wildcard object:

  1. Open Object Explorer > New > More > Network Object > Wildcard object.
  2. Enter the Wildcard IP address and Wildcard Netmask in IPv4 or IPv6 Format.
  3. Click OK.
Understanding Wildcard Objects

The wildcard object contains a wildcard IP address and a wildcard netmask.

The wildcard netmask is the mask of bits that indicate which parts of the IP address must match and which do not have to match. For example:

Wildcard IP:

194.

29.

0.

1

Wildcard Netmask:

0.

0.

3.

0

The third octet represents the mask of bits. If we convert the 3 to binary, we get 00000011. The 0 parts of the mask must match the equivalent bits of the IP address. The 1 parts of the mask do not have to match, and can be any value.

0

0

0

0

0

0

1

1

Must match the equivalent bits in the IP address

Do not have to match

The binary netmask produces these possible decimal values:

128

64

32

16

8

4

2

1

 

 

 

 

 

 

 

 

Binary

 

 

Decimal

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

1

 

1

0

0

0

0

0

0

1

0

 

2

0

0

0

0

0

0

1

1

 

3

The netmask permits only these IP addresses:

Use Cases

Scenario One

A supermarket chain has all of its cash registers on subnet 194.29.x.1, where x defines the region. In this use case, all the cash registers in this region must have access to the database server at 194.30.1.1.

Instead of defining 256 hosts (194.29.0.1, 194.29.1.1, 194.29.2.1....194.29.255.1), the administrator creates a wildcard object that represents all the cash registers in the region:

Wildcard IP:

194.

29.

0.

1

Wildcard Mask:

0.

0.

255.

0

The wildcard object can now be added to the access control policy.

Source

Destination

Action

Track

Wildcard Object

Database server object

Accept

Log

Scenario Two

In this use case, a supermarket chain has stores in Europe and Asia.

The 192.30.0-255.1 network contains both the Asian and European regions, and the stores within those regions.

Item

Description

1

Database Server for Europe

2

Database Server for Asia

3

European and Asia network

The administrator wants stores in the European and Asia regions to access different database servers. In this topology, the third octet of the European and Asia network's IP address will be subject to a wildcard. The first four bits of the wildcard will represent the region and the last four bits will represent the store number.

Bits that represent the region

Bits that represent the store number

0000

0000

In the Wildcard IP:

In binary:

Binary

Decimal

Region

Store

 

0001

0000

16 - Asia Region

0010

0000

32 - European Region

To include all the stores of a particular region, the last four bits of the wildcard mask must be set to 1 (15 in Decimal):

Binary

Decimal

Region

Store

 

xxxx

1111

15 - all Asian stores

xxxx

1111

15 - all European stores

A wildcard object that represents all the Asian stores will look like this:

Wildcard IP address

192.30.16.1

(The region)

Wildcard netmask

0.0.15.0

(for stores in the region)

For this range of IP addresses: 192.30.16-31.1

A wildcard object that represents all the European stores will look like this:

Wildcard IP address

192.30.32.1

(the region)

Wildcard netmask

0.0.15.0

(for stores in the region)

For this range of IP addresses: 192.30.32-47.1

The administrator can now use these wildcard objects in the access control policy:

Source

Destination

Action

Track

Asian Stores Wildcard

Database Server for Asia

Accept

Log

European Stores Wildcard

Database Server for Europe

Accept

Log

Scenario Three

In this scenario, the netmask bits are not consecutive.

Wildcard IP

1

1

0

1

Wildcard mask

0

0

5

0

Wildcard IP

00000001.00000001.00000000.00000001

Wildcard Mask

00000000.00000000.00000101.00000000

Mask:

00

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

0

0

0

0

0

Which will match only these IP addresses:

IP Address

Binary

Comment

1.1.0.1

00000001.00000001.00000000.00000001

The IP address itself

1.1.1.1

00000001.00000001.00000001.00000001

The equivalent bit at position 23 does not matter

1.1.4.1

00000001.00000001.00000100.00000001

The equivalent bit at position 21 does not matter

1.1.5.1

00000001.00000001.00000101.00000001

The equivalent bits at positions 21 and 23 do not matter

IPv6

The same principles apply to IPv6 addresses. For example, if the wildcard object has these values:

IPv6 Address

2001::1:10:0:1:41

Wildcard netmask

0::ff:0:0

The wildcard will match: 2001::1:10:0-255:1:41

Domains

A Domain object lets you define a host or DNS domain by its name only. It is not necessary to have the IP address of the site.

You can use the Domain object in the source and destination columns of an Access Control Policy.

You can configure a Domain object in two ways:

Dynamic Objects

A dynamic object is a "logical" object where the IP address is resolved differently for each Security Gateway, using the dynamic_objects command.

For R80.10 Security Gateways and higher, dynamic objects support SecureXL Accept templates. Therefore, there is no performance impact on a rule that uses a dynamic object, or on rules that come after it.

Dynamic Objects are predefined for LocalMachine-all-interfaces. The DAIP computer interfaces (static and dynamic) are resolved into this object.

Security Zones

Security Zones let you to create a strong Access Control Policy that controls the traffic between parts of the network.

A Security Zone object represents a part of the network (for example, the internal network or the external network). You assign a network interface of a Security Gateway to a Security Zone. You can then use the Security Zone objects in the Source and Destination columns of the Rule Base.

Use Security Zones to:

For example, in the diagram, we have three Security Zones for a typical network: ExternalZone (1), DMZZone (2) and InternalZone (3).

A Security Gateway interface can belong to only one Security Zone. Interfaces to different networks can be in the same Security Zone.

Workflow

  1. Define Security Zone objects. Or, use the predefined Security Zones.
  2. Assign Gateway interfaces to Security Zones.
  3. Use the Security Zone objects in the Source and Destination of a rule. For example:

    Source

    Destination

    VPN

    Service

    Action

     

    InternalZone

    ExternalZone

    Any Traffic

    Any

    Accept

     

  4. Install the Access Control Policy.
Creating and Assigning Security Zones

Before you can use Security Zones in the Rule Base, you must assign Gateway interfaces to Security Zones.

To create a Security Zone:

  1. In the Objects bar (F11), click New > More > Network Object > Security Zone.

    The Security Zone window opens.

  2. Enter a name for the Security Zone.
  3. Enter an optional comment or tag.
  4. Click OK.

To assign an interface to a Security Zone

  1. In the Gateways & Servers view, right-click a Security Gateway object and select Edit.

    The Gateway Properties window opens.

  2. In the Network Management pane, right-click an interface and select Edit.

    The Interface window opens. The Topology area of the General pane shows the Security Zone to which the interface is already bound. By default, the Security Zone is calculated according to where the interface Leads To.

  3. Click Modify.

    The Topology Settings window opens.

  4. In the Security Zone area, click User Defined and select Specify Security Zone.
  5. From the drop-down box, select a Security Zone.

    Or click New to create a new one.

  6. Click OK.
Predefined Security Zones

These are the predefined security zones, and their intended purposes:

Externally Managed Gateways/Hosts

An Externally Managed Security Gateway or a Host is a gateway or a Host which has Check Point software installed on it. This Externally Managed gateway is managed by an external Security Management Server. While it does not receive the Check Point Security Policy, it can participate in Check Point VPN communities and solutions.

Interoperable Devices

An Interoperable Device is a device that has no Check Point Software Blades installed. The Interoperable Device:

VoIP Domains

There are five types of VoIP Domain objects:

In many VoIP networks, the control signals follow a different route through the network than the media. This is the case when the call is managed by a signal routing device. Signal routing is done in SIP by the Redirect Server, Registrar, and/or Proxy. In SIP, signal routing is done by the Gatekeeper and/or gateway.

Enforcing signal routing locations is an important aspect of VoIP security. It is possible to specify the endpoints that the signal routing device is allowed to manage. This set of locations is called a VoIP Domain. For more information refer to the R80.30 VoIP Administration Guide.

Logical Servers

A Logical Server is a group of machines that provides the same services. The workload of this group is distributed between all its members.

When a Server group is stipulated in the Servers group field, the client is bound to this physical server. In Persistent server mode the client and the physical server are bound for the duration of the session.

Balance Method

The load balancing algorithm stipulates how the traffic is balanced between the servers. There are several types of balancing methods:

Open Security Extension (OSE) Devices

The Open Security Extension features let you manage third-party devices with the Check Point SmartConsole. The number of managed devices, both hardware and software packets, depends on your license. OSE devices commonly include hardware security devices for routing or dedicated Network Address Translation and Authentication appliances. Security devices are managed in the Security Policy as Embedded Devices.

The Security Management Server generates Access Lists from the Security Policy and downloads them to selected routers and open security device. Check Point supports these devices:

OSE Device

Supported Versions

Cisco Systems

9.x, 10.x, 11.x, 12.x

The Check Point Rule Base must not have these objects. If it does, the Security Management Server will not generate Access Lists.

Defining OSE Device Interfaces

OSE devices report their network interfaces and setup at boot time. Each OSE device has a different command to list its configuration. You must define at least one interface for each device, or Install Policy will fail.

To define an OSE Device:

  1. From the Object Explorer, click New > More.
  2. Click Network Object > More > OSE Device.
  3. Enter the general properties.

    We recommend that you also add the OSE device to the host lists on other servers: hosts (Linus) and lmhosts (Windows).

  4. Open the Topology tab and add the interfaces of the device.

    You can enable Anti-Spoofing on the external interfaces of the device. Double-click the interface. In the Interface Properties window > Topology tab, select External and Perform Anti-Spoofing.

  5. Open the Setup tab and define the OSE device and its administrator credentials.
OSE Device Properties Window — General Tab
Anti-Spoofing Parameters and OSE Devices Setup (Cisco)

For Cisco (Version 10.x and higher) devices, you must specify the direction of the filter rules generated from anti-spoofing parameters. The direction of enforcement is specified in the Setup tab of each router.

For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface Direction property.

Access List No — The number of Cisco access lists enforced. Cisco routers Version 12x and below support an ACL number range from 101-200. Cisco routers Version 12x and above support an ACL range number from 101-200 and also an ACL number range from 2000-2699. Inputting this ACL number range enables the support of more interfaces.

For each credential, select an option:

Username — The name required to logon to the OSE device.

Password — The Administrator password (Read only) as defined on the router.

Enable Username — The user name required to install Access Lists.

Enable Password — The password required to install Access Lists.

Version — The Cisco OSE device version (9.x, 10.x, 11.x, 12.x).

OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this direction on all interfaces.

Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets traveling in this direction on all interfaces.