Managing Network Objects
The Users & Objects > Network Objects page lists the network objects defined in the system. On this page you can add, edit, and delete network objects.
Network objects are most commonly used as the source and destination of security policy rules and of exceptions to them. Single IP objects can also be published as host names by the internal DNS service, and their IP addresses can be excluded from, or reserved in, the internal DHCP service.
These are the available network object types:
- Single IP - Represents a device with a single IP address.
- IP Range - Represents a contiguous range of IP addresses (Start IP to End IP).
- Network - Represents a network, defined by a network address and subnet mask.
- Domain Name - Represents a domain.
To create a Single IP network object:
- Click New. The New Network Object window opens.
- In Type, select Single IP.
- Enter the IP address and the Object name.
- Select or clear these options as necessary:
  - Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks, it resolves the object name to the configured IP address.
  - Exclude from DHCP service - The internal DHCP service never distributes the configured IP address of this object to any client.
  - Reserve IP address in DHCP service for MAC - The internal DHCP service distributes the configured IP address only to the device with the specified MAC address.
  - Enter the MAC address - Required for an IP reservation. When you create the object from the Active Devices page, the MAC address is detected automatically.
- Click Apply.
To create an IP Range network object:
- Click New. The New Network Object window opens.
- In Type, select IP Range.
- In the Start IP and End IP fields, enter the first and last IP addresses of the range.
- Enter the Object name.
- Select or clear this option as necessary:
  - Exclude from DHCP service - The internal DHCP service never distributes any address in the configured range to any client.
- Click Apply.
Note - Wildcard network objects that represent a series of non-sequential IP addresses are supported.
To create a Network type network object:
- Click New. The New Network Object window opens.
- In Type, select Network.
- Enter the Network address and Subnet mask.
- Enter the Object name.
- Click Apply.
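As an added example that is not Check Point code, the following Python models the Single IP, IP Range and Network object types above together with the three options from the Single IP procedure: name resolution by the internal DNS service, exclusion from the internal DHCP service, and reservation of an address for a MAC address. The class and function names, the rule that a Network address must have its host bits clear, and the sample objects are all assumptions made for illustration.

```python
"""Added example (not Check Point code): a model of the Single IP, IP Range and
Network object types and of the DNS / DHCP options from the Single IP procedure.
All names, field semantics and sample data are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff' and return the colon form."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class NetworkObject:
    name: str
    kind: str                           # "Single IP", "IP Range" or "Network"
    start: IPv4                         # first address covered by the object
    end: IPv4                           # last address covered (== start for Single IP)
    allow_dns: bool = False             # "Allow DNS server to resolve this object name"
    exclude_from_dhcp: bool = False     # "Exclude from DHCP service"
    reserved_mac: Optional[str] = None  # "Reserve IP address in DHCP service for MAC"

    def contains(self, ip: IPv4) -> bool:
        return self.start <= ip <= self.end


def single_ip(name, ip, allow_dns=False, exclude_from_dhcp=False, reserve_for_mac=None):
    addr = IPv4(ip)
    # A reservation is only valid together with a MAC address (the UI requires it too).
    mac = normalize_mac(reserve_for_mac) if reserve_for_mac else None
    return NetworkObject(name, "Single IP", addr, addr, allow_dns, exclude_from_dhcp, mac)


def ip_range(name, start, end, exclude_from_dhcp=False):
    first, last = IPv4(start), IPv4(end)
    if last < first:
        raise ValueError(f"{name}: End IP {end} is below Start IP {start}")
    return NetworkObject(name, "IP Range", first, last, exclude_from_dhcp=exclude_from_dhcp)


def network(name, address, mask):
    # strict=True (the default) rejects an address with host bits set, e.g. 192.168.1.5/24.
    net = ipaddress.IPv4Network(f"{address}/{mask}")
    return NetworkObject(name, "Network", net.network_address, net.broadcast_address)


def matching_objects(ip, objects):
    """Names of every object whose address space covers ip, as a policy lookup sees it."""
    addr = IPv4(ip)
    return [o.name for o in objects if o.contains(addr)]


def resolve_name(name, objects):
    """Internal DNS: an object name resolves only if the option is set on a Single IP object."""
    for o in objects:
        if o.name == name and o.kind == "Single IP" and o.allow_dns:
            return str(o.start)
    return None


def dhcp_offer(pool_start, pool_end, objects, leases, mac):
    """Return the address the internal DHCP service would offer to `mac`.

    `leases` maps normalised MAC -> IPv4 and is updated with the new lease. A reserved
    address goes only to its MAC; excluded addresses and ranges go to nobody.
    """
    mac = normalize_mac(mac)
    if mac in leases:                       # renewing client keeps its address
        return leases[mac]
    for o in objects:
        if o.reserved_mac == mac:           # reservation wins over the pool
            leases[mac] = o.start
            return o.start
    taken = set(leases.values())
    blocked = [o for o in objects if o.exclude_from_dhcp or o.reserved_mac]
    ip, last = IPv4(pool_start), IPv4(pool_end)
    while ip <= last:
        if ip not in taken and not any(b.contains(ip) for b in blocked):
            leases[mac] = ip
            return ip
        ip += 1
    raise RuntimeError("DHCP pool exhausted")


# Constructed sample objects, in the shape the procedures on this page would create.
OBJECTS = [
    single_ip("fileserver", "192.168.1.10", allow_dns=True, exclude_from_dhcp=True),
    single_ip("printer", "192.168.1.20", reserve_for_mac="AA-BB-CC-DD-EE-FF"),
    ip_range("static-block", "192.168.1.2", "192.168.1.9", exclude_from_dhcp=True),
    network("lan", "192.168.1.0", "255.255.255.0"),
]
```

With these objects, `dhcp_offer("192.168.1.2", "192.168.1.254", OBJECTS, {}, "00:11:22:33:44:55")` skips the excluded range .2-.9 and the excluded .10 and offers .11, while the printer's MAC always receives .20 and no other client ever does; `resolve_name("fileserver", OBJECTS)` returns the address, and `resolve_name("printer", OBJECTS)` returns nothing because that object does not allow DNS resolution.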
To create a Domain Name type network object:
- Click New. The New Network Object window opens.
- In Type, select Domain Name.
- Enter the domain name and the Object name.
- Click Apply.
To edit a network object:
- Select a network object from the list.
- Click Edit.
- Make the necessary changes.
- Click Apply.
To delete a network object:
- Select the network object from the list.
- Click Delete.
- Click Yes in the confirmation message.
To filter for a specified network object:
- In the Type to filter box, enter the name of the network object or part of it. As you enter text, the list is filtered to show the matching results.
Updatable Objects
An updatable object is a network object that represents an external service, such as Office 365, AWS, or a GEO location. External service providers publish lists of the IP addresses and/or domains their services use, and these lists change over time. Updatable objects derive their contents from these published lists, which Check Point imports into the Check Point cloud. The Security Gateway updates its updatable objects automatically each time a provider changes a list; you do not need to install policy for an update to take effect.
These are the currently supported external services for updatable objects:
- Online services - Office 365, Azure, Google, Okta, Zoom, Intune, Webex and AWS
- GEO locations - The GEO database maps IP addresses to locations. For each country and continent, Check Point provides a network object that you can import into SmartConsole, so you can block or allow access to and from specific locations based on their IP addresses.
  - Each country/continent object matches the list of IP addresses assigned to that location in the external (MaxMind) GEO database.
  - These objects are updated automatically on the gateway every time the MaxMind database is updated; no policy installation is needed.
  - When the source or destination IP address of a connection matches an object, the action of the matching rule is applied according to the policy.
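The rule-evaluation model described in the GEO bullets above, as an added example that is not Check Point code: the rulebase references updatable objects by name only, the object contents are replaced whenever the provider feed changes, and the next evaluation of the same rules uses the new contents without any change to the rules (the page's "no policy installation" point). The feed layout (a constructed "network,country" list in the spirit of a GEO database), the GEO_<country> object names, the sample networks and the implicit cleanup rule are all assumptions made for illustration.

```python
"""Added example (not Check Point code): a rule that references an updatable
object keeps working after the provider's list changes. The feed layout, the
GEO_<country> naming and every network below are constructed for illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Two versions of a constructed "network,country" feed (documentation address ranges).
FEED_V1 = """
198.51.100.0/24,DE
203.0.113.0/24,FR
192.0.2.0/25,DE
"""
FEED_V2 = """
198.51.100.0/24,DE
203.0.113.0/24,FR
192.0.2.0/25,FR      # reassigned in the newer database version
192.0.2.128/25,DE
"""


class UpdatableObjects:
    """Current contents of every GEO object, keyed by object name (e.g. 'GEO_DE')."""

    def __init__(self):
        self.contents = {}
        self.version = 0

    def refresh(self, feed):
        """Replace all object contents from a new feed; the rulebase is untouched."""
        new = defaultdict(list)
        for raw in feed.splitlines():
            line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
            if not line:
                continue
            cidr, _, country = line.partition(",")
            new[f"GEO_{country.strip().upper()}"].append(ipaddress.ip_network(cidr.strip()))
        self.contents = dict(new)
        self.version += 1

    def matches(self, obj_name, ip):
        """True if ip falls in any network currently held by the named object."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.contents.get(obj_name, ()))


@dataclass(frozen=True)
class Rule:
    name: str
    source: str         # updatable object name or "Any"
    destination: str    # updatable object name or "Any"
    action: str         # "Accept" or "Drop"


def evaluate(rules, objects, src_ip, dst_ip):
    """First-match evaluation; traffic matching no rule hits the implicit cleanup rule."""
    for rule in rules:
        src_ok = rule.source == "Any" or objects.matches(rule.source, src_ip)
        dst_ok = rule.destination == "Any" or objects.matches(rule.destination, dst_ip)
        if src_ok and dst_ok:
            return rule.action
    return "Drop"


# The rulebase references objects by name only; it is built once and never re-installed.
RULES = [
    Rule("block-inbound-FR", "GEO_FR", "Any", "Drop"),
    Rule("allow-inbound-DE", "GEO_DE", "Any", "Accept"),
]


def decisions_across_update(src_ip="192.0.2.10", dst_ip="10.0.0.5"):
    """Return (action before the feed update, action after it) for the same packet and rules."""
    objects = UpdatableObjects()
    objects.refresh(FEED_V1)
    before = evaluate(RULES, objects, src_ip, dst_ip)
    objects.refresh(FEED_V2)        # provider list changed; RULES is reused as-is
    after = evaluate(RULES, objects, src_ip, dst_ip)
    return before, after


if __name__ == "__main__":
    print(decisions_across_update())    # ('Accept', 'Drop')
```

Matching is purely on IP addresses: the decision for 192.0.2.10 flips from Accept to Drop solely because the feed moved that prefix from DE to FR, with no edit to RULES. The same property means anything that hides the real address from the gateway, such as the external proxy noted in the limitations below, leaves a destination object with nothing to match.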
Known Limitations:
- Rules that use an updatable object as the destination are ignored for HTTP/HTTPS traffic when an external proxy is used.
- Updatable objects cannot be used in the Threat Prevention policy.
- Updatable objects cannot be used in the HTTPS Inspection policy.
For more information on updatable objects, see sk131852.