cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
Ivory

Dynamic Objects

Dear Mates,

Kindly advise me is there any possibility to map dynamically learned IPs via access roles (LDAP) to dynamic objects and can it be used in NAT.

0 Kudos
4 Replies
Highlighted
Admin
Admin

Re: Dynamic Objects

See if there are Dynamic Objects created similar to Updatable Objects as shown here: https://community.checkpoint.com/t5/General-Management-Topics/Updateable-Objects-and-NAT/m-p/51758
If so, you can probably use the same trick.
Otherwise, you'd have to write a script to periodically update the Dynamic Objects based on what IDA has learned.
Either way Dynamic Objects can be used for NAT.

I am curious about the use case, though.
Can you explain?
0 Kudos
Highlighted
Ivory

Re: Dynamic Objects

Thank you for your prompt reply

My Use Case details as follows.

Currently we are using proxy server to control the internet access within corporate environment.

With our recent checkpoint HW upgrade we are hoping to integrate internet access control function using Active Directory Authentication (identity awareness - Access roles).

But the problem is, I have to create NAT rule for any source to hide the internet traffic behind public interface.

Since the GW learns all the machine IPs via LDAP, Can I use Dynamic objects for this purpose.

 

0 Kudos
Highlighted
Admin
Admin

Re: Dynamic Objects

With appropriate access control rules in place, NAT won't even apply as the connection will be blocked to begin with.
Everyone outbound will hit some sort of generic NAT rule.
Guess I'm not seeing the value a dynamic object will add to this.
0 Kudos
Highlighted

Re: Dynamic Objects

I think you are trying to make it too complicated. You do know which networks will go to internet. Make the NAT Hide from the beginning.

Use Identity Awareness User Role in the Access rule to allow only certain users to go out. No hustle, no dynamic objects to complicate your policies and troubleshooting.

0 Kudos