You can use dynamic objects; it will work on all platforms, not just Edge. Just 
place it in the rulebase (towards the end is better) and then use a script 
that runs from cron (for example) on the gateway that updates the dynamic 
object group on the fly with the resolved IPs or IP ranges you want in there.

E.g.: In Dashboard create 2 new dynamic objects, one called Dyn_EXT, the other 
called Dyn_INT; create services and action (drop/accept w/e). Push the policy 
to the gateway. 

Now, on the gateway you need to create these two group objects with the 
dynamic_objects command.
I create the group plus add a range within one command as below:
dynamic_objects -n Dyn_EXT -r 1.1.1.1 1.1.1.10 -a
dynamic_objects -n Dyn_INT -r 2.2.2.1 2.2.2.10 -a

You should get an "Operation Completed Successfully" message. At this point you 
can list the dynamic groups and the contents with "dynamic_objects -l". Verify 
the proper ranges. Now you are all set: whatever IPs or ranges you add into 
these objects, the rule created within Dashboard will take effect. I use this 
to update some IPs on the fly without the need to push a policy.

Regards
tamas
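
The cron-driven update described in the message above, as an added example that is not the poster's script. The object name, hostname, state-file path and the use of dig are assumptions; the -o and -d options do not appear in the message and are taken from the dynamic_objects usage text, so confirm them on your version. The script validates resolver output before it reaches the command line and leaves the object untouched when DNS returns nothing usable.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: OBJ, HOST, STATE path, and
# that dig is available on the gateway. Cron entry would call: <script> run
export LC_ALL=C                                   # stable order for sort/comm
OBJ="${OBJ:-Dyn_EXT}"
HOST="${HOST:-smtp.gmail.com}"
STATE="${STATE:-/var/tmp/dynobj_$OBJ.state}"      # addresses added on the last run
DYNOBJ="${DYNOBJ:-dynamic_objects}"

resolve() { dig +short A "$1"; }   # output can include CNAME targets; filtered below

# Succeeds only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Filter stdin down to valid, unique, sorted IPv4 addresses.
clean_ips() {
    while read -r ip; do
        if valid_ipv4 "$ip"; then echo "$ip"; fi
    done | sort -u
}

# Print the commands that turn the old address list ($1) into the new one ($2).
plan() {
    comm -13 "$1" "$2" | while read -r ip; do
        echo "$DYNOBJ -o $OBJ -r $ip $ip -a"      # newly resolved: add
    done
    comm -23 "$1" "$2" | while read -r ip; do
        echo "$DYNOBJ -o $OBJ -r $ip $ip -d"      # no longer resolved: delete
    done
}

sync_object() {
    new=$(mktemp) || return 1
    resolve "$HOST" | clean_ips > "$new"
    if [ ! -s "$new" ]; then       # DNS failed or returned junk: change nothing
        rm -f "$new"
        echo "no valid A records for $HOST; $OBJ left unchanged" >&2
        return 1
    fi
    [ -f "$STATE" ] || : > "$STATE"
    # Fields are validated above, so word-splitting $cmd is safe here.
    plan "$STATE" "$new" | while read -r cmd; do $cmd || exit 1; done \
        && mv "$new" "$STATE"
}

if [ "${1:-}" = "run" ]; then sync_object; fi
```

The object itself must already exist on the gateway (created once with -n as in the message above); the script only adds and removes single-address ranges it tracks in its own state file.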

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[email protected]] On Behalf Of C. L. Martinez
Sent: Wednesday, December 14, 2011 9:27 AM
To: [email protected]
Subject: Re: [FW-1] A question about dynamic objects

Thanks, but no: I am not trying to do URL filtering ... I am trying to
allow four servers to access only smtp.gmail.com to send some emails
a day ... Nothing more. And yes, this rule is at the end of the ruleset.


On Tue, Dec 13, 2011 at 10:53 PM, Independent IT Consultant <
[email protected]> wrote:

> What exactly are you trying to do?
>
> Domain objects work (even with cnames), but are *VERY* resource intensive.
> There is *NO* caching done, so *EVERY* new session will require a new
> lookup. For services like GMAIL, this may become problematic.
>
> This is why CP strongly advocates that any rules involving DNS objects be
> placed at the end of the ruleset.
>
> It sounds to me like you're really trying to do a poor-man's URL
> filtering.  If so, quit the games and use URL filtering - either on the CP
> gateway or on an internal server.  The updates they made in R75.20 take it
> from barely functional to absolutely kick-arse...
>
>
>
> On Tue, Dec 13, 2011 at 4:37 PM, C. L. Martinez <[email protected]
> >wrote:
>
> > Uhmm ... It doesn't work, because smtp.gmail.com is resolved as
> > wi-in-f108.1e100.net .... Then, do I need to create another domain object
> > with the 1e100.net domain?? If yes, I prefer to use IPs, although some
> > alerts are triggered ...
> >
> >
> >
> > On Tue, Dec 13, 2011 at 9:16 PM, Alexey Baltacov <[email protected]
> > >wrote:
> >
> > > Hi.
> > >
> > > The domain objects are used to resolve hostnames in rules.
> > >
> > > It's also not recommended to use such objects in the beginning of the rulebase
> > > because it can hardly affect the performance.
> > >
> > > In order to use it you should configure DNS servers on OS level. Please use
> > > the nearest DNS servers possible (located in LAN).
> > >
> > > Alexey
> > >
> > > On Dec 13, 2011 9:52 PM, "carlopmart" <[email protected]> wrote:
> > >
> > > > On Tue, 13 Dec 2011, Alexey Baltacov wrote:
> > > >
> > > >  You should use domain object instead.
> > > >> Dynamic objects used for edges dynamic policy
> > > >>
> > > >>
> > > > Thanks Alexei, but can I use domain objects to resolve hostnames under
> > > > rules??
> > > >
> > > > Thanks.
> > > >
> > > > ---
> > > > CL Martinez
> > > > carlopmart {at} gmail {d0t} com
> > > >
> > > > =================================================
> > > > To set vacation, Out-Of-Office, or away messages,
> > > > send an email to [email protected]
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list,
> > > > please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > =================================================
> > > > If you have any questions on how to change your
> > > > subscription options, email
> > > > [email protected]
> > > > =================================================
> > > >
> > >
> >
>
