dynamic_objects

Description

Manages dynamic objects and their applicable ranges of IP addresses on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members / Scalable Platform Security Group.

Important:

You can run this command only in the Expert mode.
In a Cluster, you must configure all the Cluster Members in the same way.
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Workflow

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.: Configure the applicable dynamic object. Install the Access Control Policy on the Security Gateway / ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. object.
2	On the Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Security Group, run the "`dynamic_objects`" command to: Create the applicable dynamic object with the same name Assign the applicable ranges of IP address to the new dynamic object.

Step

Instructions

1

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

Configure the applicable dynamic object.
Install the Access Control Policy on the Security Gateway / ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. object.

2

On the Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Security Group, run the "dynamic_objects" command to:

Create the applicable dynamic object with the same name
Assign the applicable ranges of IP address to the new dynamic object.

General syntax on a Security Gateway / Cluster Member in the Expert mode

dynamic_objects <Parameters>

General syntax on a Scalable Platform Security Group in the Expert mode

g_all dynamic_objects <Parameters>

Syntax for specific commands

To show all configured dynamic objects and their ranges of IP addresses:

dynamic_objects -l

To create a new dynamic object (and assign a range of IP addresses to it):

dynamic_objects -n <Object Name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a]

To add a new a range of IP addresses to the specific existing dynamic object:

dynamic_objects -o <Object Name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a

To delete a range of IP addresses from the specific existing dynamic object:

dynamic_objects -o <Object Name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -d

To update the specific existing dynamic object (and assign a different range of IP addresses to it):

dynamic_objects -u <Object Name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]]

To compare the configured dynamic objects and objects configured in SmartConsole:

dynamic_objects -c

To delete the specific existing dynamic object (and all ranges of IP addresses assigned to it):

dynamic_objects -do <Object Name>

To delete all the existing dynamic objects (and all ranges of IP addresses assigned to them):

dynamic_objects -e

Parameters

Parameter

Description

<Object Name>

Specifies the name of the object:

As configured in SmartConsole
As configured with the "dynamic_objects -n <object name>" command

-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]

Specifies the ranges of IP addresses in the format of pairs:

<From_IP_Address> <To_IP_Address>

For example, to specify two ranges, from 192.168.2.30 to 192.168.2.40 and from 192.168.2.50 to 192.168.2.60, enter these four IP addresses:

192.168.2.30 192.168.2.40 192.168.2.50 192.168.2.60

-a

Adds the specified ranges of IP addresses to the specified dynamic object.

-c

Compare the dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db) and in the $FWDIR/conf/objects.C file.

-d

Deletes range of IP addresses from the dynamic object.

-do

Deletes the specified dynamic object.

-e

Deletes all configured dynamic objects from the dynamic objects database ($FWDIR/database/dynamic_objects.db).

-l

Lists the configured dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db).

-n

Creates a new dynamic object.

-u

Updates the specified dynamic object.

If you specify a range of IP addresses, then the new range replaces all current ranges that are currently assigned to this dynamic object.

Example 1 - Create a new dynamic object named "bigserver" and assign to it the range of IP addresses 192.168.2.30-192.168.2.40

Run either these two commands:

dynamic_objects -n bigserver

dynamic_objects -o bigserver -r 192.168.2.30 192.168.2.40 -a

Or this single command:

dynamic_objects -n bigserver -r 192.168.2.20 192.168.2.40 -a

Example 2 - Update the ranges of IP addresses assigned to the dynamic object named "bigserver" from the current range to the new range 192.168.2.60-192.168.2.80

dynamic_objects -u bigserver -r 192.168.2.60 192.168.2.80