This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_W23
Participant
a month ago

How do I create dynamic objects to reference a 1500 series SMB appliance configured with DAIP?

Hello Checkmates!

I am installing a 1500 series appliance behind a NAT device that will use a dynamic public IP address. The NAT device will port forward to the private IP on the WAN interface of the 1500. The 1500 WAN interface is set statically so port forwarding will work. I am using central management and both the 1500  and the SMS are running 81.10.

This is the first time I've used a DAIP configuration. I first created the gateway object in SmartConsole with the public IP that was in use at the time and was able to establish SIC and push policy. I have changed the gateway object to have a dynamic IP and set the topology so the WAN interface is listed as dynamic.

We use the gateway objects for a few rules in our policy, but when I try to use the DAIP enabled gateway object, policy installation fails because that is not allowed and I need to use a dynamic object in its place.

How do I create a dynamic object and link it to the DAIP gateway object so i can use it in a rule source or destination? The documentation and SK's I've come across seem to mostly reference SmartLSM, which we aren't using.

Do i need to set the WAN interface on the appliance to be DHCP and assign the IP via a reservation?

I intend on having dual ISPs and enabling VPN on the device eventually.

Thanks

Chris

 

 

0 Kudos
5 Replies
AmirArama
Employee
Employee
a month ago

Hi,
if the rule is intended to be installed on the DAIP GW itself, you can use something like: "LocalMachine_All_Interfaces" dynamic object. you can type: 'dynamic_objects -l' in SMB cli to see the available out of the box dynamic objects.

0 Kudos
Chris_W23
Participant
a month ago
In response to AmirArama

Thank you for the quick reply. For the rules, they would be on a different gateway, which would be the one that the SMS sits behind and will also be the other VPN endpoint.

0 Kudos
AmirArama
Employee
Employee
a month ago
In response to Chris_W23

If the SMB has a fixed IP on its interface, you can create another network object with the same IP and use it as the source or destination. Alternatively, you can limit the rule to traffic that passes only inside the VPN Community.

Currently, I’m not aware of another method to achieve an automatically updated dynamic object for a DAIP that would be translated correctly on a VPN peer—especially in Multi-ISP scenarios.
If the goal is to represent the dynamic NAT IP (assigned by a third party), I’m also not aware of a reliable way to accomplish an exact rule match. But perhaps someone else here has found a way.

0 Kudos
Chris_W23
Participant
3 weeks ago
In response to AmirArama

I'm still looking at this deployment problem I am having and I have a slightly different scenario.

I can have static public addresses for both of the ISPs that connect to the 1530 gateway and avoid NAT. Would that make the central management any different or do I still need to have the gateway object configured as DAIP?

In the different configurations I've been trying to make work, I've also noticed that the VPN doesn't failover to the second ISP when the active one is disconnected. Both ISPs work individually, however the failover function doesn't re-establish the tunnel it looks like.

 

0 Kudos
PhoneBoy
Admin
Admin
a month ago
In response to Chris_W23

LocalMachine_All_Interfaces is a "default" Dynamic Object.
Even if it doesn't exist on the target management server, you can easily create it and use it.
Any policy pushed using that object will resolve to all interface IPs on the gateway (use dynamic_objects -l to confirm).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events