
Using Dynamic Objects

In This Section:

Understanding Dynamic Objects

User-Defined Dynamic Objects

Dynamic Object Examples

Understanding Dynamic Objects

Dynamic Objects are logical objects whose values, IP addresses or ranges, are resolved differently on each gateway. This lets you create rules, Security Policies, and SmartProvisioning SmartLSM Security Profiles that can be reused for numerous gateways.

Dynamic Objects are defined in SmartConsole and referenced in Security Policies, NAT tables, and profiles. Some Dynamic Objects are provided by default.

Dynamic Objects let you:

Dynamic Object Types

There are different types of Dynamic Objects, differentiated by how they are resolved.

Auto Resolved Dynamic Objects

| Default Dynamic Object | Resolves to |
|---|---|
| AuxiliaryNet | IP address range, based on the IP address and net mask of the interface configured as the Auxiliary network for the SmartLSM Security Gateway |
| DMZNet | IP address range, based on the IP address and net mask of the interface configured as the DMZ network for the SmartLSM Security Gateway |
| InternalNet | IP address range, based on the IP address and net mask of the LAN behind the SmartLSM Security Gateway configured as the Internal network |
| LocalMachine | External IP address of the SmartLSM Security Gateway, based on the IP address of the interface marked External |
| LocalMachine_All_Interfaces | DAIP (dynamically assigned IP) gateway interfaces, both static and dynamic |

Dynamic Object Values

Dynamic Objects resolve to an actual IP address or IP address range. They are resolved automatically when a gateway fetches a SmartLSM Security Policy from the Security Management Server or Domain Management Server.

You can also actively push the values of Dynamic Objects, and make sure that new values take effect immediately. To push Dynamic Object values, select Actions > Push Dynamic Objects.

When a SmartLSM Security Gateway fetches its SmartLSM Security Profile, automatically or by push, the SmartLSM Security Policy is localized for each gateway. Localization is performed in this order:

  1. Anti-Spoofing and Encryption-Domain information are automatically calculated.
  2. Dynamic Objects are resolved, in the Automatic-Central-Local order.
  3. Relevant gateways are updated with Provisioning Profiles.
  4. The relevant Check Point Security Policy is installed or updated on SmartLSM Security Gateways.

Using Dynamic Objects

To use Dynamic Objects:

  1. In SmartConsole, create the Dynamic Objects, the Security Policy that uses them, and the SmartLSM Security Profile.
  2. Install the Security Policy on the SmartLSM Security Profile.
  3. In SmartProvisioning, add a SmartLSM Security Gateway and assign the SmartLSM Security Profile to it.
  4. Configure the gateway's Dynamic Object list to include and resolve the Dynamic Objects of the Security Policy.

User-Defined Dynamic Objects

Creating User-Defined Dynamic Objects

To create centrally and locally resolved Dynamic Objects:

  1. In SmartConsole, go to Objects > Network Objects > Dynamic Objects > New Dynamic Object.
  2. Provide the relevant information and click OK.

Configuring User-Defined Dynamic Object Values

If a fetched SmartLSM Security Policy includes Dynamic Objects for which no value is configured on the gateway, the firewall drops all packets that match any rule with these Unresolved Dynamic Objects. The rule is not skipped: matching traffic is dropped even when the rule's Action is Accept. Therefore, define values for all Centrally Resolved Dynamic Objects, and verify that local administrators in remote and branch offices define the values for Locally Resolved Dynamic Objects. On the gateway itself, the dynamic_objects -l command lists the Dynamic Objects and the values they currently resolve to, which is the quickest way to confirm that a fetched policy resolved everything.

After you create a Dynamic Object in SmartConsole, you can add it to a SmartLSM Security Gateway. Provide the exact IP address or range to which SmartProvisioning will resolve the Dynamic Object.

Note - The Dynamic Objects tab of the gateway has an Add button. This button does not create new Dynamic Objects; it adds a resolve-to value, for the selected SmartLSM Security Gateway, to a Dynamic Object that is already defined. If you click Add when every defined Dynamic Object already has a value on this gateway, this message shows: All defined Dynamic Objects are already resolved. Use the Check Point SmartConsole in order to add more Dynamic Objects

To specify the resolution value of a user-defined Dynamic Object:

  1. Double-click a SmartLSM Security Gateway.
  2. In the Gateway window, select the Dynamic Objects tab.
  3. Click Add.
  4. From the Name drop-down list, select the Dynamic Object, as defined in SmartConsole.

    The Comments field displays the comments provided by the Dynamic Object creator.

  5. Select the relevant type of value:
    • IP Address: If there is one IP address for the Dynamic Object value, select this option and provide the address.
    • IP Address Range: If there is a range for the Dynamic Object value, select this option and provide the first and last IP addresses of this range.
  6. Click OK.

    The Dynamic Object name is added to the Resolved Dynamic Objects table. If the value is a single IP address, this address is listed in the First IP column.
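The localization order above (Automatic, then Central, then Local) and the warning that an unresolved Dynamic Object makes its rules drop traffic are easiest to reason about with a small model. The following Python is an added example, not Check Point code and not any Check Point API: it represents gateways, interface roles and configured values as plain dictionaries (a hypothetical layout), resolves each Dynamic Object in that order with the first source that has a value winning (an assumed reading of the page's "Automatic-Central-Local order"), and runs a preflight check that reports, for each gateway of a profile, which rules would reference an unresolved object. Gateway names, addresses and rule numbers are constructed sample data; the three rules are taken from the examples later on this page.

```python
"""Added example (not Check Point code): model how a SmartLSM Security Policy
that references Dynamic Objects is localized for each gateway, and catch the
failure mode described above: an unresolved Dynamic Object leaves every rule
that references it matching nothing, so the traffic those rules should have
handled is dropped."""

from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_interface

# Default Dynamic Objects from the table above, with the interface role each
# one is derived from. The role names are a hypothetical representation.
AUTO_FROM_INTERFACE = {"AuxiliaryNet": "Auxiliary", "DMZNet": "DMZ", "InternalNet": "Internal"}
AUTO_RESOLVED = set(AUTO_FROM_INTERFACE) | {"LocalMachine", "LocalMachine_All_Interfaces"}


@dataclass
class Gateway:
    name: str
    interfaces: dict                               # role -> "ip/prefix"
    central: dict = field(default_factory=dict)    # centrally resolved: name -> ["first - last", ...]
    local: dict = field(default_factory=dict)      # locally resolved: same shape


def parse_value(text: str):
    """'192.0.2.1 - 192.0.2.128' or '203.0.113.9' -> (first, last) IPv4Address pair."""
    first, _, last = (part.strip() for part in text.partition("-"))
    return IPv4Address(first), IPv4Address(last or first)


def auto_resolve(gw: Gateway, name: str) -> list:
    """Derive a default Dynamic Object from the gateway's interfaces.
    Assumption: a gateway without the relevant interface role leaves that
    object unresolved."""
    if name == "LocalMachine":
        ext = gw.interfaces.get("External")
        return [(ip_interface(ext).ip,) * 2] if ext else []
    if name == "LocalMachine_All_Interfaces":
        return [(ip_interface(cidr).ip,) * 2 for cidr in gw.interfaces.values()]
    cidr = gw.interfaces.get(AUTO_FROM_INTERFACE.get(name, ""))
    if not cidr:
        return []
    net = ip_interface(cidr).network
    return [(net.network_address, net.broadcast_address)]


def resolve(gw: Gateway, name: str) -> list:
    """Automatic, then Central, then Local: the first source that has a value
    for the object wins (assumed reading of 'Automatic-Central-Local order')."""
    candidates = (
        auto_resolve(gw, name),
        [parse_value(v) for v in gw.central.get(name, [])],
        [parse_value(v) for v in gw.local.get(name, [])],
    )
    return next((values for values in candidates if values), [])


def fmt(ranges) -> list:
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]


def localize(gw: Gateway, rules: list, dynamic: set):
    """Return (localized_rules, unresolved). unresolved maps rule number ->
    the Dynamic Objects in that rule that have no value on this gateway."""
    localized, unresolved = [], {}
    for rule in rules:
        out = dict(rule)
        for column in ("source", "destination"):
            name = rule[column]
            if name not in dynamic:
                continue                      # static object such as Any or CO_VPN
            ranges = resolve(gw, name)
            if not ranges:
                unresolved.setdefault(rule["no"], []).append(name)
            out[column] = fmt(ranges) or "UNRESOLVED"
        localized.append(out)
    return localized, unresolved


def preflight(gateways: list, rules: list, dynamic: set) -> dict:
    """Run before installing the policy on a profile: gateway name -> unresolved
    objects per rule, for every gateway that would fetch a broken policy."""
    report = {}
    for gw in gateways:
        _, unresolved = localize(gw, rules, dynamic)
        if unresolved:
            report[gw.name] = unresolved
    return report


# Constructed sample data: three rules from the examples on this page and two
# branch gateways assigned to the same SmartLSM Security Profile.
RULES = [
    {"no": 1, "source": "InternalNet", "destination": "DMZNet", "service": "Any"},
    {"no": 2, "source": "Any", "destination": "LocalMachine", "service": "ICMP echo-request"},
    {"no": 3, "source": "Safe_Internal", "destination": "CO_VPN", "service": "ftp, telnet"},
]
DYNAMIC = AUTO_RESOLVED | {"Safe_Internal"}

BRANCH_A = Gateway("Branch-A",
                   interfaces={"External": "198.51.100.2/30", "Internal": "192.0.2.1/24", "DMZ": "203.0.113.1/28"},
                   central={"Safe_Internal": ["192.0.2.1 - 192.0.2.128"]})
BRANCH_B = Gateway("Branch-B",                       # no DMZ interface, no Safe_Internal value
                   interfaces={"External": "198.51.100.6/30", "Internal": "192.0.2.1/24"})

if __name__ == "__main__":
    for gw in (BRANCH_A, BRANCH_B):
        rules, unresolved = localize(gw, RULES, DYNAMIC)
        print(gw.name, unresolved or "all resolved")
        for rule in rules:
            print("  ", rule)
    print(preflight([BRANCH_A, BRANCH_B], RULES, DYNAMIC))
```

Run as a script, the report names Branch-B twice: rule 1 because DMZNet has no DMZ interface to resolve from, and rule 3 because nobody gave Safe_Internal a value there. Both rules would silently drop traffic on that gateway, which is exactly what the preflight is meant to surface before the policy is installed on the profile.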

Dynamic Object Examples

These examples show how to create a Security Policy in SmartConsole that uses Dynamic Objects. After you create the Rule Base, install the Security Policy on the SmartLSM Security Profile.

The Dynamic Objects are localized and resolved to the real IP addresses of each gateway assigned to the SmartLSM Security Profile. Therefore, for each gateway of a profile on which the Security Policy with the Dynamic Objects is installed, make sure that the gateway has these Dynamic Objects configured with real IP addresses and net masks.

Note - The value of the LocalMachine Dynamic Object is resolved to the external IP address of the SmartLSM Security Gateway.

Hiding an Internal Network

This example uses the InternalNet and LocalMachine default Dynamic Objects to create a rule in a Security Policy that can be applied to any SmartLSM Security Profile object, and therefore, to any number of gateways. This rule hides the internal network behind the external IP address of the SmartLSM Security Gateway.

Example — NAT Hide

| Original Packet: Source | Original Packet: Destination | Original Packet: Service | Translated Packet: Source | Translated Packet: Destination | Translated Packet: Service |
|---|---|---|---|---|---|
| InternalNet | Any | Any | LocalMachine(H) | Any | Any |

The (H) suffix marks the Hide translation of the source.

Defining Static NAT for Multiple Networks

This example uses Dynamic Objects that you can define for yourself, based on the needs of your organization and the requirements for the SmartLSM Security Gateways. This rule configures static NAT on all incoming HTTP traffic going to a published IP address (the IP address is represented by a Dynamic Object called PublishedIP), as if it were going to a Web server (represented by a Dynamic Object called WebServer).

Example — Static NAT

| Original Packet: Source | Original Packet: Destination | Original Packet: Service | Translated Packet: Source | Translated Packet: Destination | Translated Packet: Service |
|---|---|---|---|---|---|
| Any | PublishedIP | HTTP | Any | WebServer | HTTP |

Securing LAN-DMZ Traffic

This example uses the InternalNet and DMZNet default Dynamic Objects to secure traffic between a gateway's internal LAN and its DMZ. It also shows that rules with Dynamic Objects must be installed on the right SmartLSM Security Profile: the one whose gateways all have these Dynamic Objects configured. On a gateway of that profile with no interface configured as the DMZ network, DMZNet stays unresolved and this rule drops the traffic it is meant to accept.

LAN Rules

| Source | Destination | VPN | Service | Action | Log | Install On |
|---|---|---|---|---|---|---|
| InternalNet | DMZNet | Any Traffic | Any | Accept | None | Profile1 |

Allowing Gateway Ping

This example shows a rule that allows external hosts to ping the external IP address of a SmartLSM Security Gateway. It is installed on two profiles, so the one rule reaches every gateway assigned to either of them.

External Hosts Rules

| Source | Destination | VPN | Service | Action | Log | Install On |
|---|---|---|---|---|---|---|
| Any | LocalMachine | Any Traffic | ICMP echo-request | Accept | None | Profile1, LSMProfile1 |

Tunneling Part of a LAN

This example uses a centrally resolved Dynamic Object to hold an IP address range that represents part of an internal LAN behind a SmartLSM Security Gateway. The complete range is 192.0.2.1 - 192.0.2.255. You want only 192.0.2.1 - 192.0.2.128 of this LAN to be in a VPN tunnel with the CO gateway.

In SmartConsole:

  1. Create a Dynamic Object called Safe_Internal.
  2. Add this object to the VPN community (called MyComm in this example) that includes the IP addresses of the CO gateway (MyCO) and its VPN domain (CO_VPN).
  3. Create a SmartLSM Security Profile object called MyProfile.
  4. Create a Security Policy with these rules.

VPN with Range

| Source | Destination | VPN | Service | Action | Install On |
|---|---|---|---|---|---|
| Any | LocalMachine | MyComm | ftp, telnet | Accept | MyCO |
| Safe_Internal | CO_VPN | MyComm | ftp, telnet | Accept | MyProfile |
| CO_VPN | Safe_Internal | MyComm | ftp, telnet | Accept | MyProfile |

In SmartProvisioning:

  1. Make sure the SmartLSM Security Gateway with the internal LAN is assigned to MyProfile.
  2. Add Safe_Internal to the Dynamic Objects list of this gateway.
  3. Configure the IP address range of Safe_Internal to the safe range of the LAN: 192.0.2.1 - 192.0.2.128.
  4. Push the Dynamic Objects and then the policy to the SmartLSM Security Gateway.
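The example above gives Safe_Internal the range 192.0.2.1 - 192.0.2.128 out of a LAN of 192.0.2.1 - 192.0.2.255. A Dynamic Object range can start and end anywhere, so before pushing it an operator wants to know that it lies inside the gateway's LAN, which LAN addresses stay outside the tunnel, and whether it lines up with a subnet boundary (192.0.2.1 - 192.0.2.128 does not; it is the same size as 192.0.2.0/25 but shifted by one address). The Python below is an added example, not Check Point code: check_tunnel_range works that out with the standard ipaddress module, and review_profile runs it across several gateways assigned to MyProfile. Gateway names and all values other than the page's own range are constructed sample data.

```python
"""Added example (not Check Point code): sanity-check the range configured
for a centrally resolved Dynamic Object such as Safe_Internal against the
LAN it is carved out of, before the value is pushed to the gateway."""

from ipaddress import IPv4Address, ip_network, summarize_address_range


def check_tunnel_range(lan_cidr: str, first: str, last: str) -> dict:
    """Describe what the range first..last (inclusive) covers inside lan_cidr.

    lan_cidr is the network behind the gateway (what InternalNet resolves to);
    first/last is the value given to the Dynamic Object in SmartProvisioning.
    """
    lan = ip_network(lan_cidr)
    lo, hi = IPv4Address(first), IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range is reversed: {first} - {last}")
    inside = lo in lan and hi in lan
    # Smallest set of CIDR blocks that covers exactly this range. A range that
    # does not start and end on subnet boundaries needs several blocks.
    blocks = [str(b) for b in summarize_address_range(lo, hi)]
    # LAN addresses left outside the tunnel: their traffic to the CO crosses
    # the link in the clear, so the operator should know exactly which they are.
    clear = []
    if inside:
        if lo > lan.network_address:
            clear.append((str(lan.network_address), str(lo - 1)))
        if hi < lan.broadcast_address:
            clear.append((str(hi + 1), str(lan.broadcast_address)))
    return {
        "inside_lan": inside,
        "cidr_blocks": blocks,
        "subnet_aligned": len(blocks) == 1,
        "tunneled_addresses": int(hi) - int(lo) + 1,
        "clear_ranges": clear,
    }


def review_profile(gateways: dict) -> dict:
    """gateways: name -> (InternalNet CIDR, Safe_Internal first, Safe_Internal last).
    Returns name -> list of warnings; an empty list means the value looks sane."""
    findings = {}
    for name, (lan, first, last) in gateways.items():
        try:
            result = check_tunnel_range(lan, first, last)
        except ValueError as exc:
            findings[name] = [str(exc)]
            continue
        warnings = []
        if not result["inside_lan"]:
            warnings.append("range is not inside InternalNet: check for a typo")
        if not result["subnet_aligned"]:
            warnings.append(f"range spans {len(result['cidr_blocks'])} CIDR blocks; "
                            "a subnet-aligned range is easier to audit")
        findings[name] = warnings
    return findings


# Constructed sample values, one per SmartLSM Security Gateway in the profile.
PROFILE_GATEWAYS = {
    "Branch-A": ("192.0.2.0/24", "192.0.2.1", "192.0.2.128"),   # the range used on this page
    "Branch-B": ("192.0.2.0/24", "192.0.2.0", "192.0.2.127"),   # same size, aligned to a /25
    "Branch-C": ("192.0.2.0/24", "192.0.2.1", "192.0.3.128"),   # typo: spills out of the LAN
}

if __name__ == "__main__":
    for gw, warnings in review_profile(PROFILE_GATEWAYS).items():
        print(gw, warnings or "ok")
    print(check_tunnel_range(*PROFILE_GATEWAYS["Branch-A"]))
```

For the page's own range the check reports 128 tunneled addresses spread over eight CIDR blocks, with 192.0.2.0 and 192.0.2.129 - 192.0.2.255 left outside the tunnel; Branch-C's value is flagged because its upper end is not in the LAN at all.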