This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prime
Contributor
‎2020-07-08 04:03 AM

How to configure external dynamic lists in Checkpoint

need to configure external dynamic lists in Checkpoint

0 Kudos
10 Replies
_Val_
Admin
Admin
‎2020-07-08 05:12 AM

Please elaborate, it is unclear what you are trying to achieve.

0 Kudos
Prime
Contributor
‎2020-07-08 05:26 AM
In response to _Val_

Currently we are using the Palo Alto firewall for dynamic list however as per Palo Alto there is no way to extend the limit of 50000 IPs in the Palo Alto Firewall so the alternative is to block on the core Checkpoint firewall.
These are public IPs that will be blocked.

Version-R80.10 HOTFIX_R80_10_JUMBO_HF Take: 151
0 Kudos
_Val_
Admin
Admin
‎2020-07-08 05:34 AM
In response to Prime

Ok, that's clear enough. So you have a list of IP addresses, and you want to block them on your FWs.

You can use the notion of a dynamic object, explained here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Dynamic object is basically an empty logical box that can be used in the rules and should be filled with IP addresses on the GW side. Mind, you will need to script the population of the dynamic object in use with GW side scripting.

Another option is to use MGMT API and fill in a certain group on the management side, but every time the list is changed, you will have to re-push policy on GWs.

0 Kudos
Prime
Contributor
‎2020-07-14 01:49 AM
In response to _Val_

In the link you provided it says that “A Dynamic Object is a "logical" object that will be resolved to an IP address differently on each Security Gateway using the dynamic_objects command. A rule that uses this Dynamic Object will then be enforced on each Security Gateway on different objects.”
 
I think there is some misunderstanding in the requirement.

0 Kudos
Ruan_Kotze
Advisor
‎2020-07-14 01:58 AM
In response to Prime

Have a look at sk132193 - it describes how to subscribe a gateway to a Custom Intelligence Feed.  Sounds like that might be a better match for your requirements?

Thanks,
Ruan

_Val_
Admin
Admin
‎2020-07-14 02:48 AM
In response to Ruan_Kotze

That is also an option

 

0 Kudos
_Val_
Admin
Admin
‎2020-07-14 02:06 AM
In response to Prime

It does not have to be resolved to _different_ IPs on _different_ GWs. It is up to you to decide how you populate your Dynamic Object

0 Kudos
Prime
Contributor
‎2020-07-15 02:14 AM
In response to _Val_

The below article also mentions blocking of IP addresses on Checkpoint and is for the OS version we have. Please check.

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
_Val_
Admin
Admin
‎2020-07-15 03:00 AM
In response to Prime

Not exactly sure what you expect me to check here. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-18 04:27 PM

There are several ways to do this with some assembly required.
This older thread is still applicable and discusses several options: https://community.checkpoint.com/t5/Policy-Management/list-of-different-IP-addresses-to-be-blocked/m...

In R81, we should also have custom Updatable Objects that can be fed from your own JSON file.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top