| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi all,

I had thought that a dynamic object could be used to reference a name that would be automatically resolved by the GW, which seems partially true from my research. I actually wanted the object to be resolved by either DNS or a hosts file at the firewall, but the more I read, the more I have found the IP address ranges are defined by the dynamic_objects command on the firewall... Can someone please tell me if I am missing something here and whether it is actually possible to resolve these names automatically?

Thanks,
Brent
Nope. That's about right - you need to use the dynamic_objects command on the gateway to prepare the objects that will be resolved by the dynamic object. This will not be based on DNS or hosts files. CP should put this in the SmartDashboard. Manually configuring files on gateways is sooo Cisco... :)
So I want to create a Global rule that allows my "Admin-Subnet" HTTPS and SSH access to the firewall itself. I was hoping to have the rule as:

Source: Admin-Subnet
Destination: DynamicObject_Firewall

So instead of creating a group with all the firewalls in it, I have one Dynamic Object that recognizes when the global policy is on Firewall A, the destination would be Firewall A. That way, when a new security gateway is added to SmartDashboard, it is already inherently in that Dynamic Object; I don't have to add it to a Simple Group.

It sounds like I would have to go to each firewall and add a host entry that is DynamicObject_Firewall 10.1.1.1 (or whatever that specific firewall's Management IP address is?). Doesn't this just move all the work from the SmartDashboard to the security gateway itself?
It actually seems like we are doing work on both the dashboard and the firewall as well... I get the point, I guess, that we could add/update the dynamic object on the firewall via a script and hence make a change without having to push a policy (in my testing it picks up the new info after a few minutes automatically), and this could be useful in some cases, but I really wanted to have something that was automatically resolved because a certain IP might be allocated by DHCP but the FQDN always remains the same, hence the rule containing the FQDN would always be correct (if DNS was updated fast enough). I guess this is out of the question after hearing this discussion? The only way I could see to do this was to have a script determine there has been a change to the allocated IP and automatically modify the dyn obj on the firewall?

Thanks for all the help!
Brent
This isn't what dynamic objects are for! mcarey

For what you want it is much, much simpler to define a simple group and then simply add the firewall object to that group. It is much simpler than having to log in to the CLI of the box and define the object for the box. These are not host entries but are defined in the same way as the ISP-A and ISP-B objects for ISP Redundancy.

```
dynamic_objects -n DYN_ISP_A
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
```

is how you define dynamic objects. If you want it to look at a DNS server or host entry, then you would need to define it as a Domain object, in which case it will look up DNS/the hosts file to resolve the object. Check Point normally suggests that you don't use Domain Objects as they are resource intensive; also, every time the rule is looked at it will perform a lookup.

The idea of dynamic objects is for SmartLSM and ROBO gateways, where you can define an Internal_Net object and use it in a rule pushed to all ROBO gateways, i.e. Internal_Net:

```
# -r takes a from-address and a to-address, so the range covers 10.40.10.0/24
dynamic_objects -n Internal_Net
dynamic_objects -o Internal_Net -r 10.40.10.0 10.40.10.255 -a
```

on one box, and then

```
dynamic_objects -n Internal_Net
dynamic_objects -o Internal_Net -r 10.50.10.0 10.50.10.255 -a
```

on a second, etc. You would then use it as Src = Internal_Net, Dst = Any, Srv = http, https, Action = Accept, which is pushed to each ROBO gateway and it looks at its own local definition for what Internal_Net is.

Last edited by mcnallym; 2008-03-11 at 10:40.
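Brent's last post asks whether a script could notice that a DHCP-assigned host's address has changed and update the gateway-local dynamic object, and mcnallym's reply gives the dynamic_objects syntax. The script below, which is an added example and not code from the thread or from Check Point, ties the two together: it resolves an FQDN on the gateway, remembers the last address it pushed in a state file, and only when the answer changes removes the old single-address range and adds the new one. The object name, FQDN and state-file path are placeholders; `dynamic_objects -n` and `-o ... -r A B -a` are taken from the thread, `-o ... -r A B -d` (remove a range) is the standard dynamic_objects usage, and `getent` is assumed to be available on the gateway. It does not call `dynamic_objects` at all when the address is unchanged or when resolution fails, so a DNS outage cannot empty the object.

```shell
#!/bin/sh
# Added example: keep a gateway-local dynamic object in step with the current
# DNS answer for an FQDN, so a rule that references the dynamic object keeps
# matching a DHCP-assigned host. Intended to be run from cron on the gateway.
# Placeholders (assumptions, not values from the thread):
OBJ_NAME="${OBJ_NAME:-DYN_ADMIN_HOST}"          # dynamic object to maintain
FQDN="${FQDN:-admin-ws.example.internal}"        # name to resolve
STATE_FILE="${STATE_FILE:-/var/tmp/${OBJ_NAME}.ip}"  # last address pushed

# Resolve an FQDN to its first IPv4 address via the gateway's resolver and
# /etc/hosts (getent consults both). Prints nothing if the name does not resolve.
resolve_fqdn() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Return 0 if the argument is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    echo "$1" | awk -F. '
        NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 }
        { exit 1 }'
}

# sync_dyn_obj NAME NEW_IP STATE_FILE
# Compares NEW_IP with the address recorded in STATE_FILE and, only on a
# change, swaps the single-address range in the dynamic object.
# Returns 0 when the object was updated, 2 when nothing changed, 1 on error.
sync_dyn_obj() {
    name=$1; new_ip=$2; state=$3
    is_ipv4 "$new_ip" || { echo "refusing non-IPv4 value '$new_ip'" >&2; return 1; }
    old_ip=""
    [ -r "$state" ] && old_ip=$(cat "$state")
    if [ "$old_ip" = "$new_ip" ]; then
        return 2
    fi
    if [ -z "$old_ip" ]; then
        # First run on this box: create the object (ignore failure if it exists).
        dynamic_objects -n "$name" || true
    else
        # Drop the address we previously pushed before adding the new one.
        dynamic_objects -o "$name" -r "$old_ip" "$old_ip" -d
    fi
    # Add the new address as a one-address range and record it only on success.
    dynamic_objects -o "$name" -r "$new_ip" "$new_ip" -a && printf '%s\n' "$new_ip" > "$state"
}

main() {
    ip=$(resolve_fqdn "$FQDN")
    if [ -z "$ip" ]; then
        echo "$FQDN did not resolve; leaving $OBJ_NAME unchanged" >&2
        return 1
    fi
    sync_dyn_obj "$OBJ_NAME" "$ip" "$STATE_FILE"
    case $? in
        0) echo "$OBJ_NAME now $ip" ;;
        2) echo "$OBJ_NAME already $ip" ;;
        *) return 1 ;;
    esac
}

# Run the sync only when invoked as "script.sh run", so the functions above can
# also be sourced and exercised without a gateway.
if [ "${1:-}" = "run" ]; then
    main
fi
```

As the thread notes, the gateway picks up a changed dynamic object on its own after a few minutes, so no policy push is needed; the state file is what lets the script remove exactly the range it added earlier rather than guessing at the object's contents.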