Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kaspars_Zibarts
Employee Employee
Employee

Cheat sheet for "dynamic" type objects references

I made presentation during CPX back in 2022 about the topic of objects that can keep rulebase up to date without actually installing policy (=helping automation and zero trust journey). There has been quite a few improvements since and I keep getting questions so I decided to make a reference point for myself here instead of trying to locate info every time I get asked 

Name Documentation Requirements Data formats Brief summary
Custom Intelligence Feeds (IoC) sk132193 R80.30 + AB/AV blade CSV or STIX XML To be efficient, HTTPS inspection will be required
It can only block and cannot be used as an object in rules
CLI only (so each GW must be updated separately) before R81
Supports many data types: IP, URL, domain, Hashes etc.
Generic Datacenter object sk167210 R81 + FW blade JSON IP as source data only (no domains nor URLs)
Can be used in regular rules (drop and accept)
External Network feed Security Management R81.20 Administration Guide R81.20 + FW blade Text or JSON Technically the same principle as Updatable Objects
IP and domains can be used as source data
Can be used in regular rules
Wildcards in domain names can be tricky, read manuals and test
Domain Objects (aka FQDN objects) sk120633 - main article
sk161612 - DNS passive learning
sk161632 - domains tool
R80.10 + FW blade CP Object Domain names only (not URLs)
Can be used in regular rules
Wildcards (non-FQDN mode) can be tricky, read manuals and test
Nothing to maintain externally
Dynamic Objects skI1915 R54 + FW blade via CLI only IP as source data only (no domains nor URLs)
Can be used in regular rules (drop and accept)
CLI updates only (so each GW must be updated separately)
Must be scripted, won't update by itself
Updatable Objects sk131852  R80.20 + FW blade NA Pre-defined by Check Point, cannot be modified
Can be used in regular rules to accept and drop
IoT Protect Quantum IoT Protect Administration Guide 

R81.20 + IOT blade

R81.10 is in EA

NA

Pre-defined by Check Point, cannot be modified
Requires integration with CP Infinity cloud

License is required! All-in-one does not work

Identity Roles Identity Awareness Administration Guide  R77 NA External sources that will map users to IPs dynamically
Whole separate subject, but not to be forgotten
Data Center Query Data Center Query Objects  R81.10 Tags obtained from DC Query Object based on attributes across multiple data centers
(2)
17 Replies
Danny
Champion Champion
Champion

Thanks for this great overview! 👍
Could you please make the SKs clickable (add a link to them)?
From my point of view these objects are dynamic as well:

  • Application Control objects and categories
  • Custom application regex's
  • IPS protections / Inspection settings
  • Security zone objects
Kaspars_Zibarts
Employee Employee
Employee

good point! I'll need to collect info before I do 🙂

0 Kudos
_Val_
Admin
Admin

Nice one, @Kaspars_Zibarts 

Fixed the table width, also I second the request to add links 🙂 

Kaspars_Zibarts
Employee Employee
Employee

fixed! had very little time this morning, sorry 🙂

the_rock
Legend
Legend

Very nice, thanks for sharing! 👍

0 Kudos
tibbe
Explorer

Thanks for the great info!

0 Kudos
Pavel_Krejci
Employee
Employee

Very nice table!

I am missing data center object and data center QUERY objects:
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...

Would be great to add it 😉

Thank you
Pavel

Sergej_Gurenko
Collaborator

This is precisely what I was looking for. I think this table should be published as SK. Great job!

What about IP Block / URL block feature? As per sk103154 it is "R80.30 / R80.40 without Anti-Virus or Anti-Bot, no longer the best practice" but perhaps still worth mentioning.

P.S. Here is fresh recorded session on the same subject - Tips and Tricks for Dynamic, Updatable, and API-Generated Objects

Kaspars_Zibarts
Employee Employee
Employee

Great to hear that I just didn't waste my time for myself 🙂 will have to sit and update it!

0 Kudos
Sergej_Gurenko
Collaborator

Hello, one quick question about dynamic objects. The customer is asking about managing the Check Point object using PUSH (e.g. MISP platform connecting to the CP and modifying the group of IPs directly) rather than PULL (e.g. checkpoint checking and downloading the feed from the Web server every N minutes). We have used PULL IoC feeds many times before, and the setup is clear.

I'm struggling to find an example of programming Check Point via the API - an example of REST code and authentication token generation. I tried to find an answer on https://developer.checkpoint.com/ but was quickly lost.

0 Kudos
the_rock
Legend
Legend

EXCELLENT query @Sergej_Gurenko . I had one customer ask me about it while back, but I never bothered to open TAC case about it, as it was more their curiosity if it was possible or not, but would be nice to know, for sure.

Best,

Andy

(1)
Sergej_Gurenko
Collaborator

I found the "Introduction" and "Tips & Best Practices" sections in Management API Reference fairly handy. As always, the ultimate answer would require a lab.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

I'm not entirely sure how MISP is pushing data (API, file transfer?), apologies for ignorance 🙂

But the first thing that came to my mind was that MISP could push a text (API/file) to an intermediate server and CP could use external network feeds to read it. Then you kind of meet in the middle: MISP still does PUSH and CP does the PULL 🙂

(1)
Sergej_Gurenko
Collaborator

Great suggestion. But If i recall correctly, the whole PUSH vs PULL discussion started due to the debate on who will be responsible for maintaining the web server with feed file.

 

I'm not a MISP (Malware Information Sharing Platform) expert either, but i believe it has a built-in functionality to export anything into any format and store on the local or remote server:

generating-iocs-to-export-in-json-format.jpg

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Technically you could even drop using SSH keys directly onto CP Mgmt, nothing to maintain 🙂 if SSH is supported by MISP

(1)
_Val_
Admin
Admin

Hi @Sergej_Gurenko 

Let's be clear about the term "dynamic object" I actually blame our own @Kaspars_Zibarts for this confusion, because his post subject should say UPDATABLE objects, not DYNAMIC objects.

Updatable objects are just that, a logical list of IPs from external feeds.

You really need something else, and we do call it a "dynamic object". It is in essence a logical container defined on the GW itself via CLI commands. It preceded Updatable Objects for a couple of decades, actually. 

Please look on the CLI syntax for dynamic objects in the documentation. However, since the tech is a bit old, you will have to write your own scripts to automate it.

If you are looking for something with less automation effort, there is another thing you can leverage - Generic Data Center Objects. You will be able to feed info into json file to control it.

(1)
PhoneBoy
Admin
Admin

Pushing will require interacting with the Management API, which will include a policy installation to the relevant gateways.
Read the relevant API documentation:

You will log in, add the hosts (one per API call), publish (should be done every ~100 or so calls for performance reasons).
Once you've published all the changes, you will need to install-policy on the relevant gateways.
Logout when done.

 

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events