I use a dynamic object which contains blocklist address blocks to block all traffic from IP ranges known to be a danger; this is a more scalable solution than StormCenter. A dynamic object is a "logical" object that will be resolved to an IP address differently on each VPN-1/FireWall-1 Module using the dynamic_objects command. A rule that uses this object will then be enforced on each VPN-1/FireWall-1 Module on different objects.
In this example, on each firewall that this command is executed on, bigserver is created as a dynamic object and will have an IP address range of 190.160.1.1 to 190.160.1.40:

# dynamic_objects -n bigserver -r 190.160.1.1 190.160.1.40 -a

(creates a new dynamic object named "bigserver" and adds to it the IP address range 190.160.1.1-190.160.1.40)

The command:

dynamic_objects -o bigserver -r 190.160.1.1 190.160.1.40 -a

adds the IP address range 190.160.1.1-190.160.1.40 to the previously created dynamic object "bigserver".

The command:

dynamic_objects -o bigserver -r 190.160.1.1 190.160.1.40 -d

deletes the IP address range 190.160.1.1-190.160.1.40 from the dynamic object "bigserver".

________________________________
From: Mailing list for discussion of Firewall-1 on behalf of Delava Alain
Sent: Thu 09/02/2006 10:10
To: [email protected]
Subject: [FW-1] NGX, dynamic object resolution problem

Hello there,

I have an NGX cluster (R60 HFA2 on SPLAT) in active/active load sharing with ClusterXL and my problem is the following:

When trying to use dynamic objects (such as "microsoft.com" or "www.google.com" for example), an 'accept & log' rule does not work. I have found that an error message appears in the Tracker each time I want to use the rule (i.e. when I initiate a connection through the fw):

[!] origin : FWCLUNODE1
product : vpn-1 pro/express
interface : daemon
type : alert
information : "reason: failed to resolve dynamic object: 257"

I have therefore checked that my two cluster nodes (as well as the SmartCenter) can resolve DNS names, which is the case (nslookup in expert mode works well). But a tcpdump on both nodes while attempting to connect (--> triggering the "use" of the rule with a dynamic object) does not show anything; i.e. it is as if the enforcement module cluster nodes do not issue a DNS query at all. [Nevertheless I don't know if CP's behaviour is really to make a DNS query each time you use a rule with a dyn obj.]
I've not found anything about this error message in SecureKnowledge... Can anyone help on this issue?

Thanks
-- Alain

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
=================================================
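As an added example (not code from this thread, nor from Check Point), the following POSIX shell script turns a blocklist file of CIDR prefixes or single addresses into the dynamic_objects add/delete commands that the reply above describes, converting each prefix into the first-last range that the -r option takes. The object name "blocklist", the helper function names and the sample entries are assumptions constructed for this example; the script prints the commands instead of executing them, so they can be reviewed before being run in expert mode on a module.

```shell
#!/bin/sh
# Added example, not code from the thread: generate Check Point
# "dynamic_objects" commands from a blocklist file of CIDR prefixes or
# single addresses. Only the -n/-o/-r/-a/-d options shown in the reply
# are used. The object name "blocklist" and the sample entries below are
# constructed for this example. Commands are printed, not executed.

MASK32=4294967295   # 0xFFFFFFFF, written in decimal for portability

# is_uint STRING -> succeeds only for a decimal integer without leading
# zeros (leading zeros are rejected because some shells read them as octal).
is_uint() {
    case "$1" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
}

# ip_to_int DOTTED-QUAD -> prints the 32-bit integer value; fails on bad input.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        is_uint "$o" || return 1
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip INTEGER -> prints the dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_to_range PREFIX -> prints "FIRST LAST", the form the -r option takes.
# A bare address is treated as a /32 host. Fails on malformed input.
cidr_to_range() {
    case "$1" in
        */*) addr=${1%/*}; len=${1#*/} ;;
        *)   addr=$1;      len=32 ;;
    esac
    is_uint "$len" || return 1
    [ "$len" -le 32 ] || return 1
    base=$(ip_to_int "$addr") || return 1
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (MASK32 << (32 - len)) & MASK32 ))
    fi
    first=$(( base & mask ))
    last=$(( first | (~mask & MASK32) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# gen_dynobj_cmds OBJECT FILE -> one dynamic_objects line per valid entry.
# The first entry creates the object (-n); later entries add to it (-o).
# Blank lines and "#" comments are skipped; bad entries go to stderr.
gen_dynobj_cmds() {
    obj=$1; file=$2; flag=-n
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if range=$(cidr_to_range "$line"); then
            echo "dynamic_objects $flag $obj -r $range -a"
            flag=-o
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$file"
}

# gen_dynobj_remove OBJECT PREFIX -> the -d command that retires one range.
gen_dynobj_remove() {
    range=$(cidr_to_range "$2") || return 1
    echo "dynamic_objects -o $1 -r $range -d"
}

# Demo on a constructed blocklist (sample ranges, not real threat data).
blocklist=$(mktemp) || exit 1
cat > "$blocklist" <<'EOF'
# constructed sample entries
190.160.1.0/24
10.99.0.0/16
203.0.113.7        # single host -> /32
bad.entry/99       # rejected
EOF
gen_dynobj_cmds blocklist "$blocklist"
gen_dynobj_remove blocklist 10.99.0.0/16
rm -f "$blocklist"
```

Because a dynamic object is resolved locally on each module, the same generated command list has to be applied on every module that enforces the rule; printing the commands first makes it easy to diff the list against the previous run and to spot rejected entries before anything is changed.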
