topic Re: Cheat sheet for "dynamic" type objects references in Firewall and Security Management

Cheat sheet for "dynamic" type objects references

Kaspars_Zibarts — Fri, 09 May 2025 07:50:28 GMT

Updated May 2025!

I made presentation during CPX back in 2022 about the topic of objects that can keep rulebase up to date without actually installing policy (=helping automation and zero trust journey). There has been quite a few improvements since and I keep getting questions so I decided to make a reference point for myself here instead of trying to locate info every time I get asked

Name	Documentation	Requirements	Data formats	Brief summary
Custom Intelligence Feeds (IoC)	sk132193 Infinity IoC feeds	R80.30 + AB/AV blade	CSV or STIX XML	To be efficient, HTTPS inspection will be required It can only block and cannot be used as an object in rules CLI only (so each GW must be updated separately) before R81 Supports many data types: IP, URL, domain, Hashes etc. Infinity IoC feeds allows multiplexing of many external and internal feeds into one as well as publishing to be consumed by non-CP products and vendors.
Generic Datacenter object	sk167210	R81 + FW blade	JSON	IP as source data only (no domains nor URLs) Can be used in regular rules (drop and accept)
External Network feed	Security Management R81.20 Administration Guide	R81.20 + FW blade	Text or JSON	Technically the same principle as Updatable Objects IP and domains can be used as source data Can be used in regular rules Wildcards in domain names can be tricky, read manuals and test
Domain Objects (aka FQDN objects)	sk120633 - main article sk161612 - DNS passive learning sk161632 - domains tool	R80.10 + FW blade	CP Object	Domain names only (not URLs) Can be used in regular rules Wildcards (non-FQDN mode) can be tricky, read manuals and test Nothing to maintain externally
Dynamic Objects	skI1915 sk116367	R54 + FW blade	via CLI only	IP as source data only (no domains nor URLs) Can be used in regular rules (drop and accept) CLI updates only (so each GW must be updated separately) Must be scripted, won't update by itself
Updatable Objects	sk131852	R80.20 + FW blade	NA	Pre-defined by Check Point, cannot be modified Can be used in regular rules to accept and drop
IoT Protect	Quantum IoT Protect Administration Guide	R81.20 + IOT blade R81.10 is in EA	NA	Pre-defined by Check Point, cannot be modified Requires integration with CP Infinity cloud License is required! All-in-one does not work
Identity Roles	Identity Awareness Administration Guide	R77	NA	External sources that will map users to IPs dynamically Whole separate subject, but not to be forgotten
Data Center Query	Data Center Query Objects	R81.10	Tags obtained from DC	Query Object based on attributes across multiple data centers

Re: Cheat sheet for "dynamic" type objects references

Danny — Wed, 22 Mar 2023 09:06:24 GMT

Thanks for this great overview! 👍
Could you please make the SKs clickable (add a link to them)?
From my point of view these objects are dynamic as well:

Application Control objects and categories
Custom application regex's
IPS protections / Inspection settings
Security zone objects

Re: Cheat sheet for "dynamic" type objects references

_Val_ — Wed, 22 Mar 2023 11:36:08 GMT

Nice one, @Kaspars_Zibarts

Fixed the table width, also I second the request to add links 🙂

Re: Cheat sheet for "dynamic" type objects references

the_rock — Wed, 22 Mar 2023 11:42:16 GMT

Very nice, thanks for sharing! 👍

Re: Cheat sheet for "dynamic" type objects references

Kaspars_Zibarts — Wed, 22 Mar 2023 16:09:15 GMT

fixed! had very little time this morning, sorry 🙂

Re: Cheat sheet for "dynamic" type objects references

Kaspars_Zibarts — Thu, 23 Mar 2023 06:51:28 GMT

good point! I'll need to collect info before I do 🙂

Re: Cheat sheet for "dynamic" type objects references

tibbe — Mon, 27 Mar 2023 14:35:40 GMT

Thanks for the great info!

Re: Cheat sheet for "dynamic" type objects references

Pavel_Krejci — Tue, 28 Mar 2023 07:03:57 GMT

Very nice table!

I am missing data center object and data center QUERY objects:
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminGuide/Topics-CGRDG/Integrating-with-Data-Center-Servers.htm?TocPath=Integrating%20with%20Data%20Center%20Servers%7C_____2#Data_Center_Query_Objects

Would be great to add it 😉

Thank you
Pavel

Re: Cheat sheet for "dynamic" type objects references

Sergej_Gurenko — Mon, 20 Nov 2023 20:31:09 GMT

This is precisely what I was looking for. I think this table should be published as SK. Great job!

What about IP Block / URL block feature? As per sk103154 it is "R80.30 / R80.40 without Anti-Virus or Anti-Bot, no longer the best practice" but perhaps still worth mentioning.

P.S. Here is fresh recorded session on the same subject - Tips and Tricks for Dynamic, Updatable, and API-Generated Objects

Re: Cheat sheet for "dynamic" type objects references

Kaspars_Zibarts — Mon, 20 Nov 2023 20:41:44 GMT

Great to hear that I just didn't waste my time for myself 🙂 will have to sit and update it!

Re: Cheat sheet for "dynamic" type objects references

Sergej_Gurenko — Fri, 16 Feb 2024 12:49:13 GMT

Hello, one quick question about dynamic objects. The customer is asking about managing the Check Point object using PUSH (e.g. MISP platform connecting to the CP and modifying the group of IPs directly) rather than PULL (e.g. checkpoint checking and downloading the feed from the Web server every N minutes). We have used PULL IoC feeds many times before, and the setup is clear.

I'm struggling to find an example of programming Check Point via the API - an example of REST code and authentication token generation. I tried to find an answer on https://developer.checkpoint.com/ but was quickly lost.

Re: Cheat sheet for "dynamic" type objects references

the_rock — Fri, 16 Feb 2024 13:04:56 GMT

EXCELLENT query @Sergej_Gurenko . I had one customer ask me about it while back, but I never bothered to open TAC case about it, as it was more their curiosity if it was possible or not, but would be nice to know, for sure.

Best,

Andy

Re: Cheat sheet for "dynamic" type objects references

Kaspars_Zibarts — Fri, 16 Feb 2024 13:19:35 GMT

I'm not entirely sure how MISP is pushing data (API, file transfer?), apologies for ignorance 🙂

But the first thing that came to my mind was that MISP could push a text (API/file) to an intermediate server and CP could use external network feeds to read it. Then you kind of meet in the middle: MISP still does PUSH and CP does the PULL 🙂

Re: Cheat sheet for "dynamic" type objects references

Sergej_Gurenko — Fri, 16 Feb 2024 13:27:21 GMT

I found the "Introduction" and "Tips & Best Practices" sections in Management API Reference fairly handy. As always, the ultimate answer would require a lab.

Re: Cheat sheet for "dynamic" type objects references

Sergej_Gurenko — Fri, 16 Feb 2024 13:37:29 GMT

Great suggestion. But If i recall correctly, the whole PUSH vs PULL discussion started due to the debate on who will be responsible for maintaining the web server with feed file.

I'm not a MISP (Malware Information Sharing Platform) expert either, but i believe it has a built-in functionality to export anything into any format and store on the local or remote server:

Re: Cheat sheet for "dynamic" type objects references

Kaspars_Zibarts — Fri, 16 Feb 2024 14:06:57 GMT

Technically you could even drop using SSH keys directly onto CP Mgmt, nothing to maintain 🙂 if SSH is supported by MISP

Re: Cheat sheet for "dynamic" type objects references

_Val_ — Fri, 16 Feb 2024 14:46:33 GMT

Hi @Sergej_Gurenko

Let's be clear about the term "dynamic object" I actually blame our own @Kaspars_Zibarts for this confusion, because his post subject should say UPDATABLE objects, not DYNAMIC objects.

Updatable objects are just that, a logical list of IPs from external feeds.

You really need something else, and we do call it a "dynamic object". It is in essence a logical container defined on the GW itself via CLI commands. It preceded Updatable Objects for a couple of decades, actually.

Please look on the CLI syntax for dynamic objects in the documentation. However, since the tech is a bit old, you will have to write your own scripts to automate it.

If you are looking for something with less automation effort, there is another thing you can leverage - Generic Data Center Objects. You will be able to feed info into json file to control it.

Re: Cheat sheet for "dynamic" type objects references

PhoneBoy — Fri, 16 Feb 2024 19:02:04 GMT

Pushing will require interacting with the Management API, which will include a policy installation to the relevant gateways.
Read the relevant API documentation:

login: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/login~v1.9.1%20
add-host: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-host~v1.9.1%20 (can add to an existing group in the same call)
publish: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/publish~v1.9.1%20
install-policy: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/install-policy~v1.9.1%20
logout: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/logout~v1.9.1%20

You will log in, add the hosts (one per API call), publish (should be done every ~100 or so calls for performance reasons).
Once you've published all the changes, you will need to install-policy on the relevant gateways.
Logout when done.

Re: Cheat sheet for "dynamic" type objects references

Nüüül — Thu, 08 May 2025 11:39:47 GMT

nice one! thanks - could you please edit "Dynamic Objects" SK? The link leads to a deleted article.

new one might be https://support.checkpoint.com/results/sk/sk116367