Ivory

How to configure external dynamic lists in Checkpoint

Need to configure external dynamic lists in Checkpoint.

0 Kudos
10 Replies
Admin

Please elaborate, it is unclear what you are trying to achieve.

0 Kudos
Ivory

Currently we are using the Palo Alto firewall for the dynamic list; however, as per Palo Alto, there is no way to extend the limit of 50000 IPs in the Palo Alto firewall, so the alternative is to block on the core Checkpoint firewall.
These are public IPs that will be blocked.

Version-R80.10 HOTFIX_R80_10_JUMBO_HF Take: 151
0 Kudos
Admin

Ok, that's clear enough. So you have a list of IP addresses, and you want to block them on your FWs.

You can use the notion of a dynamic object, explained here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

A dynamic object is basically an empty logical box that can be used in the rules and should be filled with IP addresses on the GW side. Mind you, you will need to script the population of the dynamic object in use with GW-side scripting.

Another option is to use the MGMT API and fill in a certain group on the management side, but every time the list is changed, you will have to re-push policy on GWs.

0 Kudos
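The gateway-side population described in the reply above, as an added example that is not part of the thread and not Check Point code: it validates a blocklist feed, refuses entries that overlap a never-block list, merges the rest into ranges, and prints the commands instead of running them. The object name `blocked_ips`, the protected ranges, the sample feed and the `dynamic_objects -o <name> -r <from> <to> ... -a` form are assumptions to verify against the SK for your version.

```python
import ipaddress

OBJECT_NAME = "blocked_ips"  # hypothetical dynamic object name
# Never-block list (assumption: RFC 1918 space; extend with your own ranges).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample feed: duplicate, overlap, bad line, internal address.
SAMPLE_FEED = "\n".join((
    "198.51.100.7", "198.51.100.7", "198.51.100.8", "203.0.113.0/25",
    "203.0.113.128/25", "203.0.113.40", "10.1.2.3", "not-an-ip",
    "192.0.2.10  # trailing comment"))

def parse_feed(text):
    """Return (networks, rejected) from a one-entry-per-line feed."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP or CIDR"))
            continue
        if net.version != 4:
            rejected.append((entry, "not IPv4"))
        elif any(net.overlaps(p) for p in PROTECTED):
            rejected.append((entry, "overlaps protected range"))
        else:
            nets.append(net)
    return nets, rejected

def to_ranges(nets):
    """Merge duplicates, overlaps and adjacent networks into (first, last)."""
    ranges = []
    for net in ipaddress.collapse_addresses(nets):
        first, last = net.network_address, net.broadcast_address
        if ranges and int(ranges[-1][1]) + 1 == int(first):
            ranges[-1] = (ranges[-1][0], last)
        else:
            ranges.append((first, last))
    return ranges

def build_commands(ranges, name=OBJECT_NAME, per_call=100):
    # One call per batch of per_call ranges (flag form assumed, see lead-in).
    return ["dynamic_objects -o %s -r %s -a" % (name, " ".join(
                f"{a} {b}" for a, b in ranges[i:i + per_call]))
            for i in range(0, len(ranges), per_call)]
```

Log the `rejected` list on every run: a feed that suddenly contains internal space or `0.0.0.0/0` is a sign the source is broken or tampered with.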
Ivory

In the link you provided it says that “A Dynamic Object is a "logical" object that will be resolved to an IP address differently on each Security Gateway using the dynamic_objects command. A rule that uses this Dynamic Object will then be enforced on each Security Gateway on different objects.”
 
I think there is some misunderstanding in the requirement.

0 Kudos
Copper

Have a look at sk132193 - it describes how to subscribe a gateway to a Custom Intelligence Feed. Sounds like that might be a better match for your requirements?

Thanks,
Ruan

0 Kudos
Admin

That is also an option.

0 Kudos
Admin

It does not have to be resolved to _different_ IPs on _different_ GWs. It is up to you to decide how you populate your Dynamic Object.

0 Kudos
Ivory

The below article also mentions blocking of IP addresses on Checkpoint and is for the OS version we have. Please check.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Admin

Not exactly sure what you expect me to check here. 

0 Kudos
Admin

There are several ways to do this with some assembly required.
This older thread is still applicable and discusses several options: https://community.checkpoint.com/t5/Policy-Management/list-of-different-IP-addresses-to-be-blocked/m...

In R81, we should also have custom Updatable Objects that can be fed from your own JSON file.

0 Kudos