- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- Re: Cheat sheet for "dynamic" type objects referen...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cheat sheet for "dynamic" type objects references
I made presentation during CPX back in 2022 about the topic of objects that can keep rulebase up to date without actually installing policy (=helping automation and zero trust journey). There has been quite a few improvements since and I keep getting questions so I decided to make a reference point for myself here instead of trying to locate info every time I get asked
Name | Documentation | Requirements | Data formats | Brief summary |
Custom Intelligence Feeds (IoC) | sk132193 | R80.30 + AB/AV blade | CSV or STIX XML | To be efficient, HTTPS inspection will be required It can only block and cannot be used as an object in rules CLI only (so each GW must be updated separately) before R81 Supports many data types: IP, URL, domain, Hashes etc. |
Generic Datacenter object | sk167210 | R81 + FW blade | JSON | IP as source data only (no domains nor URLs) Can be used in regular rules (drop and accept) |
External Network feed | Security Management R81.20 Administration Guide | R81.20 + FW blade | Text or JSON | Technically the same principle as Updatable Objects IP and domains can be used as source data Can be used in regular rules Wildcards in domain names can be tricky, read manuals and test |
Domain Objects (aka FQDN objects) | sk120633 - main article sk161612 - DNS passive learning sk161632 - domains tool |
R80.10 + FW blade | CP Object | Domain names only (not URLs) Can be used in regular rules Wildcards (non-FQDN mode) can be tricky, read manuals and test Nothing to maintain externally |
Dynamic Objects | skI1915 | R54 + FW blade | via CLI only | IP as source data only (no domains nor URLs) Can be used in regular rules (drop and accept) CLI updates only (so each GW must be updated separately) Must be scripted, won't update by itself |
Updatable Objects | sk131852 | R80.20 + FW blade | NA | Pre-defined by Check Point, cannot be modified Can be used in regular rules to accept and drop |
IoT Protect | Quantum IoT Protect Administration Guide |
R81.20 + IOT blade R81.10 is in EA |
NA |
Pre-defined by Check Point, cannot be modified License is required! All-in-one does not work |
Identity Roles | Identity Awareness Administration Guide | R77 | NA | External sources that will map users to IPs dynamically Whole separate subject, but not to be forgotten |
Data Center Query | Data Center Query Objects | R81.10 | Tags obtained from DC | Query Object based on attributes across multiple data centers |
- Tags:
- kz
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this great overview! 👍
Could you please make the SKs clickable (add a link to them)?
From my point of view these objects are dynamic as well:
- Application Control objects and categories
- Custom application regex's
- IPS protections / Inspection settings
- Security zone objects
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
good point! I'll need to collect info before I do 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice one, @Kaspars_Zibarts
Fixed the table width, also I second the request to add links 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fixed! had very little time this morning, sorry 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very nice, thanks for sharing! 👍
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the great info!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very nice table!
I am missing data center object and data center QUERY objects:
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...
Would be great to add it 😉
Thank you
Pavel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is precisely what I was looking for. I think this table should be published as SK. Great job!
What about IP Block / URL block feature? As per sk103154 it is "R80.30 / R80.40 without Anti-Virus or Anti-Bot, no longer the best practice" but perhaps still worth mentioning.
P.S. Here is fresh recorded session on the same subject - Tips and Tricks for Dynamic, Updatable, and API-Generated Objects
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great to hear that I just didn't waste my time for myself 🙂 will have to sit and update it!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, one quick question about dynamic objects. The customer is asking about managing the Check Point object using PUSH (e.g. MISP platform connecting to the CP and modifying the group of IPs directly) rather than PULL (e.g. checkpoint checking and downloading the feed from the Web server every N minutes). We have used PULL IoC feeds many times before, and the setup is clear.
I'm struggling to find an example of programming Check Point via the API - an example of REST code and authentication token generation. I tried to find an answer on https://developer.checkpoint.com/ but was quickly lost.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EXCELLENT query @Sergej_Gurenko . I had one customer ask me about it while back, but I never bothered to open TAC case about it, as it was more their curiosity if it was possible or not, but would be nice to know, for sure.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the "Introduction" and "Tips & Best Practices" sections in Management API Reference fairly handy. As always, the ultimate answer would require a lab.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not entirely sure how MISP is pushing data (API, file transfer?), apologies for ignorance 🙂
But the first thing that came to my mind was that MISP could push a text (API/file) to an intermediate server and CP could use external network feeds to read it. Then you kind of meet in the middle: MISP still does PUSH and CP does the PULL 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great suggestion. But If i recall correctly, the whole PUSH vs PULL discussion started due to the debate on who will be responsible for maintaining the web server with feed file.
I'm not a MISP (Malware Information Sharing Platform) expert either, but i believe it has a built-in functionality to export anything into any format and store on the local or remote server:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Technically you could even drop using SSH keys directly onto CP Mgmt, nothing to maintain 🙂 if SSH is supported by MISP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Sergej_Gurenko
Let's be clear about the term "dynamic object" I actually blame our own @Kaspars_Zibarts for this confusion, because his post subject should say UPDATABLE objects, not DYNAMIC objects.
Updatable objects are just that, a logical list of IPs from external feeds.
You really need something else, and we do call it a "dynamic object". It is in essence a logical container defined on the GW itself via CLI commands. It preceded Updatable Objects for a couple of decades, actually.
Please look on the CLI syntax for dynamic objects in the documentation. However, since the tech is a bit old, you will have to write your own scripts to automate it.
If you are looking for something with less automation effort, there is another thing you can leverage - Generic Data Center Objects. You will be able to feed info into json file to control it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pushing will require interacting with the Management API, which will include a policy installation to the relevant gateways.
Read the relevant API documentation:
- login: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/login~v1.9.1%20
- add-host: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-host~v1.9.1%20 (can add to an existing group in the same call)
- publish: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/publish~v1.9.1%20
- install-policy: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/install-policy~v1.9.1%20
- logout: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/logout~v1.9.1%20
You will log in, add the hosts (one per API call), publish (should be done every ~100 or so calls for performance reasons).
Once you've published all the changes, you will need to install-policy on the relevant gateways.
Logout when done.