
Updateable Objects and NAT

One of the best new features in R80.20 is updateable objects. You can read more here

I had a customer that asked specifically about using them in NAT rules as they wanted a separate HIDE-NAT for outbound access to public Azure vs their private Azure VN. We discovered that the updateable objects could not be used in NAT rules. 

After some digging, we determined that updateable objects, when used, create a dynamic object on the gateway. You can display them using 'dynamic_objects -uo_show' on the gateway. As you can see below, the object has a dynamic object link, but there is no dynamic object created in SmartDashboard; the updateable object seems to be a link to this object.

Screen Shot 2019-04-24 at 10.11.30 AM.png (dynamic_objects -uo_show)

 

Screen Shot 2019-04-24 at 10.11.50 AM.png

 

If you use the name from 'dynamic_objects -uo_show', you can create a dynamic object using the same name. This will create a physical link to the dynamic object that was created by the updateable object. You can then use that dynamic object in a NAT rule.

Screen Shot 2019-04-24 at 11.45.58 AM.png

 

You can see the log below:

Screen Shot 2019-04-24 at 11.45.26 AM.png

 

 

10 Replies

Re: Updateable Objects and NAT

Special hack:-)

Add a small bash script on the management server to do the following:

1) Add and remove an object (for example a host or network) and a NAT rule via management CLI on the management server. This new object is not a dynamic object but can be used for NAT.

2) Add a new rule with a dynamic object via management CLI.

3) Use my script from the following CheckMates article to execute remote commands on the gateway from the management server and add the IP addresses to the dynamic objects on the gateway.

Link to Checkmates article:

GAIA - Easy execute CLI commands from management on gateways
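A worked version of the two approaches in this thread (the original post's "twin" dynamic object carrying the name reported by `dynamic_objects -uo_show`, and this reply's script-populated dynamic object), as an added example that is not from the thread, from the linked article or from Check Point. It assumes placeholder names GATEWAY, DYN_OBJ, MGMT_PKG, HIDE_BEHIND and SID_FILE, uses the documented `mgmt_cli`, `dynamic_objects` and `cprid_util` commands, and defaults to a dry run that only prints what it would execute; the prefix list is constructed from RFC 5737 documentation ranges, not real Azure addresses.

```bash
#!/bin/bash
# Added example, not from the thread or from Check Point.
# Runs on the management server in expert mode. All names below are placeholders.
set -u

GATEWAY="${GATEWAY:-gw-placeholder}"          # gateway name/IP reachable by cprid
DYN_OBJ="${DYN_OBJ:-Azure_Public_DO}"         # dynamic object referenced in the NAT rule
MGMT_PKG="${MGMT_PKG:-Standard}"              # policy package that holds the NAT rule
HIDE_BEHIND="${HIDE_BEHIND:-gw-placeholder}"  # object whose address is used for hide NAT
DRY_RUN="${DRY_RUN:-1}"                       # 1 = only print commands, 0 = execute them
SID_FILE="${SID_FILE:-/tmp/mgmt_sid.txt}"     # mgmt_cli session-id file

# Constructed sample feed (RFC 5737 documentation ranges, not real Azure prefixes).
SAMPLE_PREFIXES="203.0.113.0/24
198.51.100.16/28
192.0.2.7"

# Dotted-quad <-> 32-bit integer helpers for range arithmetic.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  local n=$1
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# dynamic_objects takes from/to address ranges, not CIDR prefixes: convert
# "a.b.c.d/len" (or a bare address) into "first last".
cidr_to_range() {
  local ip="${1%/*}" plen="${1#*/}"
  [ "$ip" = "$1" ] && plen=32
  local base mask first last
  base=$(ip2int "$ip")
  mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  first=$(( base & mask ))
  last=$(( first | (~mask & 0xFFFFFFFF) ))
  echo "$(int2ip "$first") $(int2ip "$last")"
}

# Gateway-side command that adds one range to a dynamic object. The object
# exists on the gateway once a policy that references it has been installed.
gw_add_range_cmd() {   # $1=object  $2=from  $3=to
  echo "dynamic_objects -o $1 -r $2 $3 -a"
}

# Execute (or print) a command on the management server itself.
run_local() {          # $1=command line
  if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $1"; else eval "$1"; fi
}

# Execute (or print) a command on the gateway from the management server,
# the same cprid_util mechanism the linked article relies on.
run_on_gateway() {     # $1=command line to run on the gateway
  if [ "$DRY_RUN" = 1 ]; then
    echo "[dry-run] cprid_util -server $GATEWAY -verbose rexec -rcmd /bin/bash -c \"$1\""
  else
    cprid_util -server "$GATEWAY" -verbose rexec -rcmd /bin/bash -c "$1"
  fi
}

# Management-side part: create the dynamic object and a hide-NAT rule that uses
# it, then publish. For the original post's approach, DYN_OBJ is the name shown
# by 'dynamic_objects -uo_show' on the gateway.
mgmt_create_nat_rule() {
  run_local "mgmt_cli login -r true > $SID_FILE"
  run_local "mgmt_cli add dynamic-object name \"$DYN_OBJ\" -s $SID_FILE"
  run_local "mgmt_cli add nat-rule package \"$MGMT_PKG\" position bottom original-source \"$DYN_OBJ\" translated-source \"$HIDE_BEHIND\" method hide -s $SID_FILE"
  run_local "mgmt_cli publish -s $SID_FILE"
  run_local "mgmt_cli logout -s $SID_FILE"
}

# Gateway-side part (this reply's approach only): push each prefix as a range.
push_ranges_to_gateway() {
  local p
  for p in $SAMPLE_PREFIXES; do
    set -- $(cidr_to_range "$p")
    run_on_gateway "$(gw_add_range_cmd "$DYN_OBJ" "$1" "$2")"
  done
  run_on_gateway "dynamic_objects -l"   # show the gateway's view afterwards
}

main() {
  mgmt_create_nat_rule
  # Skip this for a dynamic object linked to an updateable object: the feed
  # already maintains its ranges, so only a self-maintained object needs it.
  push_ranges_to_gateway
}
main
```

Run it with DRY_RUN=0 on the management server to execute the printed commands; the dry run is the place to confirm the generated ranges first, since `dynamic_objects` silently accepts whatever from/to pair it is given. Installing policy after the publish is still required for the NAT rule to take effect.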

 

 


Re: Updateable Objects and NAT

If necessary you do not need points 2 and 3 from my last instructions.


Re: Updateable Objects and NAT

Nice find!  This would be very helpful in another context if you could use Dynamic Objects (or Updateable Objects) in the HTTPS Inspection policy.


Re: Updateable Objects and NAT

Amazing find!


Re: Updateable Objects and NAT

This is a great find. I find myself in a similar situation regarding Azure Express Route. Does anyone know if this is officially supported by Checkpoint?

Thanks,

Jon


Re: Updateable Objects and NAT

Will admit, I don't know the official stance on this.
However, NAT with Dynamic Objects is considered generally supported.

Re: Updateable Objects and NAT

Thanks for the prompt response, are there any dynamic objects predefined for Azure Regions etc in R80.20 / .30? 

Thanks,

Jon


Re: Updateable Objects and NAT

There are updateable objects. The dynamic objects you would have to define manually.


Re: Updateable Objects and NAT

Just one performance-related note to add: when a Dynamic Object is referenced in a NAT rule and the Dynamic Object is updated, this will cause an immediate flush of the entire NAT Cache (table fwx_cache) which is used to cache successful lookups in the NAT policy.  Installing policy to the gateway also causes an immediate flush of fwx_cache regardless of whether Dynamic Objects are used. 

This really shouldn't be a big deal performance-wise, but if for some reason the Dynamic Object is taking updates constantly, it may cause slightly higher Firewall Worker instance CPU utilization for policies with a large number of NAT rules, due to lots of extra NAT rulebase lookups occurring.  SecureXL NAT Templates (a separate mechanism for caching NAT operations for connections matched by Accept Templates) are not flushed when a Dynamic Object is updated due to the use of NMR templates.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Re: Updateable Objects and NAT

Very nice! Please add an official SK for this.