Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
One of the best new features in R80.20 is updateable objects. You can read more here
I had a customer that asked specifically about using them in NAT rules as they wanted a separate HIDE-NAT for outbound access to public Azure vs their private Azure VN. We discovered that the updateable objects could not be used in NAT rules.
After some digging, we determined that updateable objects when used created a dynamic object on the gateway. You can display them using 'dynamic_objects -uo_show' on the gateway. As you can see below the object has a dynamic object link but not a dynamic object created in smartdashboard, the updateable seems to be a link to this object.
If you use the name from 'dynamic_objects -uo_show' you can create a dynamic object using the same name. This will create a physically link to the dynamic object that was created by the updateable object. You can then use that dynamic object in a NAT rule.
You can see the log below;
Initially I screamed of joy as we are facing exactly the same issue and after adding dynamic object (DO) it all looked good until i noticed that some O365 traffic began to miss updatable object (UO) rule and instead used "overflow" rule that's based on our own script to capture O365 IPs. Up until I created and pushed that dynamic object we had zero hits on overflow rule! So it looks like you should thread this very carefully - I have a feeling that pre-defined name of UO and manually created DO name somehow are clashing. After removing DO object completely and pushing policy, we got back to normal situation
This is a really cool way for me to be able to use NAT rules for inbound traffic from O365 when doing things like exchange hybrid configurations to lock down access to specific directories through F5 VIP's, and I've implemented this in an environment but after pushing the policy install i've started to receive error logs around DNS - mostly in relation to what's outlined here. Although i'm running R80.30 JHF 155 and this isn't occuring when creating Domain objects, instead Dynamic Objects.
During the first policy install the environmental changes were to create a security rule referencing the updateable objects (Azure/O365), to populate the dynamic object database on the gateway, then the errors started occurring when installing the NAT rule changes to reference them (screenshot example below)
I've created a TAC case regarding this, as it's certainly odd behavior but i'm just curious if anyone else has ran into a similar issue?
