Dynamic Objects
Dynamic Objects are logical objects whose values, IP addresses or ranges, are resolved differently per gateway. This enables you to create rules, Security Policies, and SmartProvisioning SmartLSM Security Profiles that can be re-used for numerous gateways.
Dynamic Objects are defined in SmartConsole and referenced in Security Policies, NAT tables, and profiles. Some Dynamic Objects are provided by default.
Dynamic Objects let you:
- Create a VPN tunnel between CO gateways and SmartLSM Security Gateways.
- Represent generic servers that exist in remote sites and easily manage numerous remote servers from a central control.
- Install Security Policy rules with Dynamic Objects on SmartLSM Security Profiles, which automatically localize a generic rule for each gateway.

There are different types of Dynamic Objects, differentiated by how they are resolved.
- Automatically Resolved: Created by default when you create a new SmartLSM Security Gateway object. Auto-Resolved Dynamic Objects are replaced with their values when the gateway loads an updated profile from the Security Management Server or Domain Management Server. You cannot edit these Dynamic Objects.

Default Dynamic Object | Resolves to: |
---|---|
AuxiliaryNet | IP address range, based on the IP address and net mask of the interface configured as the Auxiliary network for the SmartLSM Security Gateway |
DMZNet | IP address range, based on the IP address and net mask of the interface configured as the DMZ network for the SmartLSM Security Gateway |
InternalNet | IP address range, based on the IP address and net mask of the LAN behind the SmartLSM Security Gateway configured as the Internal network |
LocalMachine | External IP address of the SmartLSM Security Gateway, based on the IP address of the interface marked External |
LocalMachine_All_Interfaces | DAIP machine interfaces, both static and dynamic |

- Centrally Resolved: A Dynamic Object is created in SmartConsole. For each SmartLSM Security Gateway, you define the IP address or range to which the Dynamic Object is resolved.

Dynamic Objects resolve to actual IP addresses or IP address ranges. They are automatically resolved when a gateway fetches a SmartLSM Security Policy from the Security Management Server or Domain Management Server.
You can also actively push the values of Dynamic Objects, and make sure that new values take effect immediately. To push Dynamic Object values, select Actions > Push Dynamic Objects.
When a SmartLSM Security Gateway fetches its SmartLSM Security Profile, automatically or by push, the SmartLSM Security Policy is localized for each gateway. Localization is performed in this order:
- Anti-Spoofing and Encryption-Domain information are automatically calculated.
- Dynamic Objects are resolved, in the Automatic-Central-Local order.
- Relevant gateways are updated with Provisioning Profiles.
- The relevant Check Point Security Policy is installed or updated on SmartLSM Security Gateways.

- In SmartConsole, create the Dynamic Objects, the Security Policy that uses the Dynamic Objects, and the LSM Profile.
- Install the Security Policy on the Security Profile.
- In SmartProvisioning, add a SmartLSM Security Gateway. Assign the SmartLSM Security Profile to the Security Gateway.
- Configure the gateway's Dynamic Object list to include and resolve the Dynamic Objects of the Security Policy.

These examples show how to create a Security Policy in SmartConsole that uses Dynamic Objects. After you create the Rule Base, install the Security Policy on the SmartLSM Security Profile.
The Dynamic Objects are localized and resolved to the real IP addresses of each gateway assigned to the SmartLSM Security Profile. Therefore, for each gateway of a profile on which the Security Policy with the Dynamic Objects is installed, make sure that the gateway has these Dynamic Objects configured with real IP addresses and net masks.
Note - The value of the LocalMachine Dynamic Object is resolved to the external IP address of the SmartLSM Security Gateway.

This example uses the InternalNet and LocalMachine default Dynamic Objects to create a rule in a Security Policy that can be applied to any SmartLSM Security Profile object, and therefore, to any number of gateways. This rule hides the internal network behind the external IP address of the SmartLSM Security Gateway.
Example - NAT Hide

This example uses Dynamic Objects that you can define for yourself, based on the needs of your organization and the requirements for the SmartLSM Security Gateways. This rule configures static NAT on all incoming HTTP traffic going to a published IP address (the IP address is represented by a Dynamic Object called PublishedIP), as if it were going to a Web server (represented by a Dynamic Object called WebServer).
Example - Static NAT
Source | Destination | Service |
---|---|---|
Any | PublishedIP | HTTP |
Any | WebServer | HTTP |

This example uses the InternalNet and DMZNet default Dynamic Objects to secure traffic between a gateway's internal LAN and its DMZ. This example shows that when you create rules with Dynamic Objects, you must make sure to install them on the relevant SmartLSM Security Profile, that is, the profile whose gateways all have these Dynamic Objects configured.
LAN Rules

This example shows a rule that allows external hosts to ping the external IP address of a SmartLSM Security Gateway.
It is installed on multiple profiles, which makes this rule part of the policy on numerous gateways.
External Hosts Rules

This example uses a centrally resolved Dynamic Object to hold an IP address range that represents part of an internal LAN behind a SmartLSM Security Gateway.
The complete range is 192.0.2.1 - 192.0.2.255.
You want only 192.0.2.1 - 192.0.2.128 of this LAN to be in a VPN tunnel with the CO Security Gateway.
In SmartConsole:
- Create a Dynamic Object called Safe_Internal.
- Add this object to the VPN community (called MyComm in this example) that includes the IP addresses of the CO Security Gateway (MyCO) and its VPN domain (CO_VPN).
- Create a SmartLSM Security Profile object called MyProfile.
- Create a Security Policy with these rules.

In SmartProvisioning:
- Make sure the SmartLSM Security Gateway with the internal LAN is assigned to MyProfile.
- Add Safe_Internal to the Dynamic Objects list of this gateway.
- Configure the IP address range of Safe_Internal to the safe range of the LAN: 192.0.2.1 - 192.0.2.128.
- Push the Dynamic Objects and then the policy to the SmartLSM Security Gateway.
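
A pre-install check for the Safe_Internal example and for the earlier requirement that every gateway of a profile has the policy's Dynamic Objects configured. This is an added Python sketch, not Check Point code and not part of the original page: it models per-gateway resolution and flags gateways that cannot resolve an object the policy uses, or whose centrally resolved range extends beyond the LAN. The dictionary layout, the gateway names and the external addresses are assumptions, and no Check Point API is called.

```python
import ipaddress

AUTO_NETS = {"InternalNet": "internal", "DMZNet": "dmz", "AuxiliaryNet": "auxiliary"}  # object -> interface role

def to_range(first, last):
    """Inclusive (first, last) address pair; rejects a reversed range."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range start {a} is above range end {b}")
    return a, b

def localize(gw):
    """Model one gateway's resolution: automatic values, then central (Local step not modelled)."""
    resolved, ifaces = {}, gw["interfaces"]
    for name, role in AUTO_NETS.items():
        if role in ifaces:
            net = ipaddress.ip_interface(ifaces[role]).network
            resolved[name] = (net[0], net[-1])
    if "external" in ifaces:
        ext = ipaddress.ip_interface(ifaces["external"]).ip
        resolved["LocalMachine"] = (ext, ext)
    for name, (first, last) in gw.get("central", {}).items():
        resolved[name] = to_range(first, last)
    return resolved

def audit(policy_objects, gateways, inside=()):
    """Report unresolved objects, and `inside` objects whose range leaves InternalNet."""
    findings = []
    for gw in gateways:
        resolved = localize(gw)
        for name in sorted(policy_objects):
            if name not in resolved:
                findings.append((gw["name"], name, "unresolved"))
        for name in inside:
            lan, rng = resolved.get("InternalNet"), resolved.get(name)
            if lan and rng and not (lan[0] <= rng[0] and rng[1] <= lan[1]):
                findings.append((gw["name"], name, "outside InternalNet"))
    return findings

# Constructed sample data: gateway names and external addresses are made up.
LAN = {"internal": "192.0.2.1/24"}
GATEWAYS = [
    {"name": "branch-1", "interfaces": {**LAN, "external": "198.51.100.10/24"},
     "central": {"Safe_Internal": ("192.0.2.1", "192.0.2.128")}},
    {"name": "branch-2", "interfaces": {**LAN, "external": "198.51.100.20/24"},
     "central": {"Safe_Internal": ("192.0.2.1", "192.0.3.128")}},  # mistyped octet
    {"name": "branch-3", "interfaces": {**LAN, "external": "198.51.100.30/24"}},
]
print(audit({"InternalNet", "LocalMachine", "Safe_Internal"}, GATEWAYS, inside=["Safe_Internal"]))
```

A finding of "outside InternalNet" on a VPN community object means the range configured for that gateway covers addresses that are not part of its LAN.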