The dynamic object's purpose is not to resolve hostnames to IP, and it cannot be used to resolve smtp.google.com

On Dec 14, 2011 7:29 PM, "Folnagy, Tamas" <[email protected]> wrote:

> You can use dynamic objects, it will work on all platforms, not just edge.
> Just place it in the rulebase (towards the end is better) and then use
> a script that runs from cron (for example) on the gateway that updates the
> dynamic object group on the fly with the resolved IPs or IP ranges you
> want in there.
>
> E.g.: In Dashboard create 2 new dynamic objects. One called Dyn_EXT, the
> other called Dyn_Int, create services and action (drop/accept w/e). Push
> the policy to the gateway.
>
> Now, on the gateway you need to create these two group objects with the
> dynamic_objects command.
> I create the group plus add a range within one command as below:
> dynamic_objects -n Dyn_EXT -r 1.1.1.1 1.1.1.10 -a
> dynamic_objects -n Dyn_INT -r 2.2.2.1 2.2.2.10 -a
>
> You should get "Operation Completed Successfully" message. At this point
> you can list the dynamic groups and the contents with "dynamic_objects -l".
> Verify the proper ranges. Now you are all set, whatever IPs or ranges you
> add into these objects, the rule created within dashboard will take effect.
> I use this to update some IPs on the fly without the need to push a policy.
>
> Regards
> tamas
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:
> [email protected]] On Behalf Of C. L. Martinez
> Sent: Wednesday, December 14, 2011 9:27 AM
> To: [email protected]
> Subject: Re: [FW-1] A question about dynamic objects
>
> Thanks, but no: I am not trying to do URL filtering ... I am trying to
> allow four servers to access only smtp.gmail.com to send some emails
> a day ... Nothing more. And yes, this rule is at the end of the ruleset.
>
> On Tue, Dec 13, 2011 at 10:53 PM, Independent IT Consultant <[email protected]> wrote:
>
> > What exactly are you trying to do?
> >
> > Domain objects work (even with cnames), but are *VERY* resource intensive.
> > There is *NO* caching done, so *EVERY* new session will require a new
> > lookup. For services like GMAIL, this may become problematic.
> >
> > This is why CP strongly advocates that any rules involving DNS objects be
> > placed at the end of the ruleset.
> >
> > It sounds to me like you're really trying to do a poor-man's URL
> > filtering. If so, quit the games and use URL filtering - either on the CP
> > gateway or on an internal server. The updates they made in R75.20 take it
> > from barely functional to absolutely kick-arse...
> >
> > On Tue, Dec 13, 2011 at 4:37 PM, C. L. Martinez <[email protected]> wrote:
> >
> > > Uhmm ... It doesn't work, because smtp.gmail.com is resolved as
> > > wi-in-f108.1e100.net .... Then, do I need to create another domain object
> > > with 1e100.net domain?? If yes, I prefer to use IPs, although some
> > > alerts are triggered ...
> > >
> > > On Tue, Dec 13, 2011 at 9:16 PM, Alexey Baltacov <[email protected]> wrote:
> > >
> > > > Hi.
> > > >
> > > > The domain objects are used to resolve hostnames in rules.
> > > >
> > > > It's also not recommended to use such objects in beginning of rulebase
> > > > because it can hardly affect the performance.
> > > >
> > > > In order to use it you should configure DNS servers on OS level. Please use
> > > > nearest DNS's as possible (located in LAN)
> > > >
> > > > Alexey
> > > >
> > > > On Dec 13, 2011 9:52 PM, "carlopmart" <[email protected]> wrote:
> > > >
> > > > > On Tue, 13 Dec 2011, Alexey Baltacov wrote:
> > > > >
> > > > >> You should use domain object instead.
> > > > >> Dynamic objects used for edges dynamic policy
> > > > >
> > > > > Thanks Alexei, but can I use domain objects to resolve hostnames under
> > > > > rules??
> > > > >
> > > > > Thanks.
> > > > >
> > > > > ---
> > > > > CL Martinez
> > > > > carlopmart {at} gmail {d0t} com
> > > > >
> > > > > =================================================
> > > > > To set vacation, Out-Of-Office, or away messages,
> > > > > send an email to [email protected]
> > > > > in the BODY of the email add:
> > > > > set fw-1-mailinglist nomail
> > > > > =================================================
> > > > > To unsubscribe from this mailing list,
> > > > > please see the instructions at
> > > > > http://www.checkpoint.com/services/mailing.html
> > > > > =================================================
> > > > > If you have any questions on how to change your
> > > > > subscription options, email
> > > > > [email protected]
> > > > > =================================================
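
The cron-driven update described in the quoted reply from Tamas, sketched as an added example that is not part of the thread and not Check Point's own code. It uses the dynamic_objects options -o (existing object) and -d (delete range), which the thread does not show; the state file path, the script name and the availability of dig on the gateway are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes the dynamic object was created
# once with "dynamic_objects -n" and that only this script edits it.
OBJ="Dyn_EXT"                  # dynamic object name used in the thread
HOST="smtp.gmail.com"          # hostname the four servers must reach
STATE="/var/tmp/${OBJ}.ips"    # assumed path: last address set applied

# Keep only well-formed IPv4 addresses, sorted and de-duplicated, so CNAME
# targets and resolver noise never reach the firewall CLI.
valid_ipv4() {
    awk -F. 'NF == 4 { ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (ok) print }' | sort -u
}

# plan_sync OBJ CURRENT DESIRED: print the commands that turn the CURRENT
# address list into DESIRED (both newline-separated). Additions come first so
# the rule never loses a still-valid address in the middle of an update.
plan_sync() {
    obj=$1
    cur=$(printf '%s\n' "$2" | valid_ipv4)
    want=$(printf '%s\n' "$3" | valid_ipv4)
    # A failed or empty lookup must not empty the object: keep the old set.
    [ -n "$want" ] || return 1
    for ip in $want; do
        printf '%s\n' "$cur" | grep -qxF "$ip" ||
            echo "dynamic_objects -o $obj -r $ip $ip -a"
    done
    for ip in $cur; do
        printf '%s\n' "$want" | grep -qxF "$ip" ||
            echo "dynamic_objects -o $obj -r $ip $ip -d"
    done
}

# Cron entry point: "sync_dynobj.sh --apply" (script name is an assumption).
if [ "${1:-}" = "--apply" ]; then
    new=$(dig +short A "$HOST" | valid_ipv4)   # assumes dig is on the gateway
    old=$(cat "$STATE" 2>/dev/null)
    cmds=$(plan_sync "$OBJ" "$old" "$new") || exit 1
    # Record the new set only if every dynamic_objects call succeeded.
    printf '%s\n' "$cmds" | sh -e && printf '%s\n' "$new" > "$STATE"
fi
```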
