Network Objects and Groups

Starting from R81.10.15, the Users & Objects view > Network Resources section > Network Objects is a unified objects and groups page to create and manage network objects and groups. This replaces the separate Managing Network Objects and Managing Network Object Groups pages used in version R81.10.10 and lower.

On this page you can add, edit, and delete network objects and groups.

Important - You can create a maximum of 1000 objects in total. For example, 500 host objects, 300 network objects, and 200 Domain Name objects.

For each object or group, the columns in the table display the name, type, information (for example, IP address or range of an object) and starting from R81.10.05, where it is used, for example the specific rules in the Access Policy.

Note - Starting in version R81.10.17, the "Where in use" feature is turned off by default.

To enable this feature, go to Advanced Settings > WebUI settings and customizations - Enable where in use and change the value to true.

Use the Search field at the upper right corner of the page to search for an object. The table display highlights the group in which the object is found.

For each group, when you hover over one of the objects within the group, you can see specific information about the object such as its type, IP addresses and in which group it is used.

The most common use for network objects is to define a security policy and exceptions to it. These objects can be used as hosts for the internal DNS service and their IP addresses can be configured as fixed for the internal DHCP service.

You can make a new access policy rule in the Access PolicyFirewall > Policy page and use one of the network objects or groups as the source or destination. The Manual Rules table on the Access Policy page displays the objects in the relevant rule. The Where Used column in the Network Objects table shows also displays the access policy rule you just created.

To create a new network object on the Network Objects page:

  1. Click New and select Network Object.

  2. In the New Network Object window, select Type:

    • Single IP - Represents a device with a single IP address (host object). Select or clear these options as necessary:

      • Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks, the name of the server / network object is translated to its IP address.

      • Exclude from DHCP service - The internal DHCP service does not distribute the configured IP address of this server / network object to anyone.

      • Reserve IP address for DHCP service for MAC - The internal DHCP service distributes the configured IP address only to this server / network object based on its MAC address.

      • Enter the MAC address - This is required for IP reservation. When you create the object from the Assets page, the MAC address is detected automatically.

    • IP Range - Represents a range of IP addresses. Enter the Start IP and End IP. Select or clear this option as necessary:

      Exclude from DHCP service - The internal DHCP service does not distribute the configured IP range to anyone.

    • Device - Enter the MAC address. Optional: Select Bypass host with this MAC by SSL Inspection.

      If you select to Use custom hardware name, enter the Device type, Hardware, and Operating system

  3. Enter the Name and IP address.

  4. Depending on the object type, you may need to configure additional fields.

  5. Click Save.

To create a new Network Object Group on the Network Objects page:

  1. Click New and select Network Object Group.

  2. In the New Network Object Group window, enter a Name for the group.

  3. Optional: Add a comment.

  4. Select existing objects to add to this group or click New to create a new object.

  5. Click Save.

To use an object in an Access Policy rule:

  1. In WebUI, click the Access Policy view > Firewall section > Policy page.

  2. Add a new rule or edit an existing rule.

  3. In the Source column or the Destination column, select the object.

  4. Configure other columns in this rule.

  5. Click Save.

In Centrally Managed appliances, objects are created in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Creating and managing network objects in the appliance WebUI is supported for interfaces and other networking services which are not configurable in SmartConsole.

Creating a Security Gateway object in SmartConsole

  1. Log in to SmartConsole.

  2. In the Gateways & Servers view, on the top toolbar select NewGateway.

  3. Click Wizard Mode.

  4. On the General Properties page:

    1. In the Gateway name field, enter the desired name for this Security GatewayClosed A dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

    2. In the Gateway platform field, select the correct model of your Quantum Spark appliance

    3. In the Version field, select (if the field allows) the correct version family on your Quantum Spark appliance

    4. In the Platform Type field, select (if the field allows) the correct model type of your Quantum Spark appliance

    5. In the Gateway IP address section, select the applicable option (for a Static IP address, configure the IPv4 address of the WAN interface).

    6. Click Next.

  5. On the Trusted Communication page:

    1. Select the application options and configure the one-time password.

      You enter this one-time password later in the WebUI of the Quantum Spark appliance.

      If you selected to initialize the trusted communication in the real time, then the Certificate state field must show "Trust established".

    2. Click Next.

  6. On the Blade Activation page:

    1. Select the required Software Blades.

    2. Click Next.

  7. On the Blade Configuration page:

    1. Configure the required settings.

    2. Click Next.

  8. On the Installation Wizard Completion page:

    1. Review the configuration summary.

      If you select Edit gateway properties for further configuration, then after the Wizard creates the Security Gateway, it opens the object for further configuration.

    2. Click Finish.

  9. On your Quantum Spark Appliance, connect to the Management ServerClosed A Check Point Security Management Server or a Multi-Domain Security Management Server..

  10. In SmartConsole, open this Security Gateway object.

  11. On the Topology page:

    1. In the Security Blades section, select the applicable option.

    2. In the Topology Table, you can get the interface settings from the Quantum Spark Appliance and override the interface settings.

  12. On the General Properties page, enable and configure the required Software Blades.

  13. Configure the other required settings in this Security Gateway object.

  14. Click OK.

  15. Configure the required Access Control Policy and Threat Prevention Policy.

  16. Install the Access Control Policy and Threat Prevention Policy on the Security Gateway object.

  1. Log in to SmartConsole.

  2. In the Gateways & Servers view, on the top toolbar select NewGateway.

  3. Click Classic Mode.

  4. Starting from R82, this popup appears:

    Threat Prevention blades are now active by default. To see the active blades, refer to General > Threat Prevention tab or sk182108.

    Click OK.

  5. In the Name field, enter the desired object name.

    In the IPv4 Address field, enter the IP address of the WAN interface.

  6. In the Secure Internal Communication section, click the Communication button.

  7. In the Platform field, select Small Office Appliance.

  8. Select the application options and configure the one-time password

    You enter this one-time password later in the WebUI of the Quantum Spark Appliance.

    If you selected to initialize the trusted communication in the real time, then the Certificate state field must show "Trust established."

  9. If in Step 8 you initialized the trusted communication in real time, then the fields Hardware, Version, and Type are populated automatically.

    If in Step 8 you did not initialize the trusted communication in real time, then in the fields Hardware, Version, and Type you must select the correct values for your Quantum Spark Appliance.

  10. If in Step 8 you did not initialize the trusted communication in real time, then:

    1. Click OK in this Security Gateway Gateway object.

    2. Publish the session in SmartConsole.

    3. On your Quantum Spark Appliance, connect to the Management Server.

  11. In SmartConsole, open this Security Gateway object.

  12. Configure the other required settings in this Security Gateway object.

  13. On the Topology page:

    1. In the Security Blades section, select the applicable option.

    2. In the Topology Table, you can get the interface settings from the Quantum Spark Appliance and override the interface settings.

  14. On the General Properties page, enable and configure the required Software Blades.

  15. Configure the other require settings in this Security Gateway object.

  16. Click OK.

  17. Configure the required Access Control Policy and Threat Prevention Policy.

  18. Install the Access Control Policy and Threat Prevention Policy on the Security Gateway object.

Creating a Cluster object in SmartConsole

  1. Log in to SmartConsole.

  2. In the Gateways & Servers view, on the top toolbar select NewCluster > Small Office Cluster.

  3. Click Classic Mode.

  4. Starting in R82, this popup appears:

    Threat Prevention blades are now active by default. To see the active blades, refer to General > Threat Prevention tab or sk182108.

    Click OK.

  5. On the General Properties page:

    1. In the Name field, enter the desired object name.

    2. In the IPv4 Address field, enter the ClusterClosed Two Quantum Spark Appliances connected to each other for High Availability. Virtual IPv4 address that is assigned to the WAN interface.

    3. In the Hardware field, select the correct model of your Quantum Spark appliances (both appliances must be the same model).

    4. In the Version field, select (if this field allows) the correct firmware family on your Quantum Spark appliances.

    5. In the Type field, select (if this field allows) the correct model type of your Quantum Spark appliances.

    6. Enable and configure the required Software Blades.

  6. On the Cluster Members page:

    1. Click Add > New Cluster Member.

    2. In the Name field, enter the desired object name:

      1. In the IPv4 Address field, enter the IPv4 address that is assigned to the WAN interface

      2. Optional: In the IPv6 Address field, enter the IPv6 address that is assigned to the WAN interface

      3. Click Communication.

    3. Enter a one-time password:

      1. Click Initialize.

      2. The Trust ‎state field must show "Trust established"‎.

      3. Click Close.

    4. Repeat the above steps to add the second Quantum Spark Cluster MemberClosed A Security Gateway that is part of a cluster..

  7. On the Topology page:‎

    1. In the Security Blades section, select the applicable option.

    2. In the Topology Table, click Edit Topology and configure the required settings - Network Object, Cluster Virtual IP addresses , Subnet masks, and Interface properties.

  8. Configure the other require settings in this Security Gateway object.

  9. Click OK.

  10. Configure the required Access Control Policy and Threat Prevention Policy.

  11. Install the Access Control Policy and Threat Prevention Policy on the cluster object.

Editing, Deleting and Filtering Network Objects

  1. Select a network object from the list.

  2. Click Edit.

  3. Make the necessary changes.

  4. Click Save.

  1. Select the network object from the list.

  2. Click Delete.

  3. Click Yes in the confirmation message.

  1. In the Type to filter box, enter the name of the network object or part of it.

  2. As you enter text, the list is filtered and shows matching results.