topic Re: Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples in API / CLI Discussion

Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

Iain_King — Wed, 15 Nov 2017 11:04:27 GMT

Ever want to allow access to "google.com" or "google.com.au" or some large lists of A record hosts (like AWS or Azure hosted front end elastic load balancers.. or akamai hosted stuff etc)?

Domain objects not doing it for you? (reverse lookups only the first address)

Logical server objects not doing it for you (like they do in AWS/Azure autoscaling?)

Not on R80.10 yet?

Create a dynamic object as a destination.. then on the command line do the following:

The dynamic object name here is "dynamic_dns_hosts" and must match the dynamic object created in the policy editor (smartconsole).

[Expert@gw-913127:0]# dynamic_objects -n dynamic_dns_hosts

Operation completed successfully

To populate the dynamic object run the following:

[Expert@gw-913127:0]# dig +short my.changing.cloud.hostname.com google.com google.com.au|sort -u|awk '{print $1" "$1}'|xargs dynamic_objects -a -o dynamic_dns_hosts -r

Operation completed successfully

Log update success

Check the object has been updated (shows both in the logs in tracker as well):

[Expert@gw-913127:0]# dynamic_objects -l

object name : CPDShield
range 0 : 0.0.0.1 0.0.0.1

object name : dynamic_dns_hosts
range 0 : 34.210.127.64 34.210.127.64
range 1 : 34.213.84.59 34.213.84.59
range 2 : 35.160.229.160 35.160.229.160
range 3 : 35.163.99.121 35.163.99.121
range 4 : 54.148.3.136 54.148.3.136
range 5 : 54.186.179.15 54.186.179.15
range 6 : 54.187.44.205 54.187.44.205
range 7 : 54.244.5.167 54.244.5.167
range 8 : 172.217.25.35 172.217.25.35
range 9 : 216.58.203.110 216.58.203.110

Operation completed successfully

It's possible to write this into cron (scheduled_task) or run in a while loop. It's possible also to depopulate the object, delete the object and all the other things too.

If you're interested in doing this in python, there's some cool tools here (someone at checkpoint wrote it):

chkp / dynobj — Bitbucket

Re: Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

PhoneBoy — Tue, 07 May 2019 21:04:13 GMT

This is an old post, but found it as I was looking for something to help someone.
Also moved it to Code Hub as it seemed like a better place for it 🙂

Re: Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

Cihat_Bulut — Wed, 17 Jul 2019 11:26:59 GMT

Hi,

You can not use domain objects in NAT rules in R80. So you can use dynamic objects.

First create a file on your disk, such as /home/admin/file_on_your_disk.txt. Add host names line by line.

then create a script and add it to cron. If daily, you can use CP Job Scheduler. If frequency is less than a day then refer to sk77300.

-------------------------------------------------
#!/bin/sh

source /opt/CPshrd-R80/tmp/.CPprofile.sh

dig +short -f file_on_your_disk.txt | grep '^[.0-9]*$'| sort -u | awk '{print $1" "$1}' | xargs dynamic_objects -a -o dynamic_dns_hosts -r
-------------------------------------------------

Re: Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

PhoneBoy — Thu, 18 Jul 2019 08:02:35 GMT

You couldn't use Domain Objects in NAT rules in R77.x either as far as I know.

Re: Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

PhoneBoy — Thu, 18 Jun 2020 22:15:36 GMT

Looks like the new home for the dynobj code is: https://github.com/CheckPointSW/dynobj