This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Trevor_Bruss
Contributor
‎2020-05-28 10:26 AM

Use of LocalMachine object

Is anyone using this object directly in their rulebase and is there any problems with its use? I noticed that it was used in implied rules. We want to create a rule for SNMP management of our systems and thought this could dynamically include any gateway that this policy is applied to.

 

What is the difference in using this object as opposed to creating a group with the gateway objects themselves? Does the gateway object only refer to the IPv4 Address on the general properties of the FW object, or is it smart enough to see all of its interfaces? 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-05-28 01:01 PM

LocalMachine is an example of a Dynamic Object.
If you open the object, you'll notice that there is no IP address associated with it.
The IPs are locally defined on the gateway.
LocalMachine is one of the default ones the gateway updates on its own, which I believe only resolves to the external IP.
If you want all interface IPs, then use LocalMachine_All_Interfaces.
You can create arbitrary dynamic objects and update their definitions using the dynamic_objects CLI command on the gateway.

A couple small limitations with Dynamic Objects:
1. They can be used in Access Policy and NAT rules only.
2. In pre-R80.10 gateway releases, usage in the policy disables SecureXL templating for that rule and any rule after, leading to decreased performance (R80.10+ does not have this limitation).
3. Any Access Policy rule that uses a dynamic object must have an explicit "Install On" target, otherwise policy installation will fail.
0 Kudos
Trevor_Bruss
Contributor
‎2020-05-28 01:13 PM
In response to PhoneBoy

Thanks for that information. The last part about using "Install On" probably explains the error I saw when trying to push the policy without doing that on the rule and just using *Policy Targets. I could likely produce the error again by setting up the rule again, but it was something along the lines of the DAIP configured on the members. In either case, for now I'm just targeting the GW objects as the source and leaving it at that.

 

So I guess that begs the question, if I can use the dynamic object but I still need to target it toward a specific gateway on the rule then do I gain any benefits from using that dynamic object over a simple group with the targeted gateway objects in it and "Install On" set to Policy Targets. Perhaps that was where I was trying to understand if the Checkpoint GW object "sees" all the interfaces and therefore it can match regardless of which interface it goes out/in.

 

Thank you again for the information!

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-28 01:55 PM
In response to Trevor_Bruss

Dynamic Objects can be updated without a policy installation, whereas if you manually put the group in a rule, if you update that group or any objects contained therein, it requires a policy installation to take effect.
Remember also that Dynamic Objects resolve locally on each gateway, so the rule has to make sense in the context of the gateway itself.
Which means, in this specific case, it would make sense as a destination in a rule, but not as a source.
0 Kudos