This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mangala
Explorer
‎2020-03-02 04:56 PM

Dynamic Objects

Dear Mates,

Kindly advise me is there any possibility to map dynamically learned IPs via access roles (LDAP) to dynamic objects and can it be used in NAT.

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-03-02 09:47 PM

See if there are Dynamic Objects created similar to Updatable Objects as shown here: https://community.checkpoint.com/t5/General-Management-Topics/Updateable-Objects-and-NAT/m-p/51758
If so, you can probably use the same trick.
Otherwise, you'd have to write a script to periodically update the Dynamic Objects based on what IDA has learned.
Either way Dynamic Objects can be used for NAT.

I am curious about the use case, though.
Can you explain?
0 Kudos
mangala
Explorer
‎2020-03-03 01:15 AM
In response to PhoneBoy

Thank you for your prompt reply

My Use Case details as follows.

Currently we are using proxy server to control the internet access within corporate environment.

With our recent checkpoint HW upgrade we are hoping to integrate internet access control function using Active Directory Authentication (identity awareness - Access roles).

But the problem is, I have to create NAT rule for any source to hide the internet traffic behind public interface.

Since the GW learns all the machine IPs via LDAP, Can I use Dynamic objects for this purpose.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-03 07:36 AM
In response to mangala

With appropriate access control rules in place, NAT won't even apply as the connection will be blocked to begin with.
Everyone outbound will hit some sort of generic NAT rule.
Guess I'm not seeing the value a dynamic object will add to this.
0 Kudos
_Val_
Admin
Admin
‎2020-03-03 08:01 AM
In response to mangala

I think you are trying to make it too complicated. You do know which networks will go to internet. Make the NAT Hide from the beginning.

Use Identity Awareness User Role in the Access rule to allow only certain users to go out. No hustle, no dynamic objects to complicate your policies and troubleshooting.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top