Iain King

Pre-R80.10 dynamic objects from DNS A record lists: one-liner examples

Discussion created by Iain King on Nov 15, 2017

Ever want to allow access to "google.com" or "google.com.au", or to some large list of A record hosts (like AWS- or Azure-hosted front-end elastic load balancers, Akamai-hosted content, etc.)?

Domain objects not doing it for you? (Reverse lookups return only the first address.)

Logical server objects not doing it for you (like they do for AWS/Azure autoscaling)?

Not on R80.10 yet?


Create a dynamic object as a destination, then on the command line do the following.

The dynamic object name here is "dynamic_dns_hosts" and must match the dynamic object created in the policy editor (SmartConsole).



[Expert@gw-913127:0]# dynamic_objects -n dynamic_dns_hosts

Operation completed successfully


To populate the dynamic object, run the following (each resolved address becomes a one-address range, which is why awk prints it twice, as both the start and the end of the range):


[Expert@gw-913127:0]# dig +short my.changing.cloud.hostname.com google.com google.com.au|sort -u|awk '{print $1" "$1}'|xargs dynamic_objects -a -o dynamic_dns_hosts -r

Operation completed successfully

Log update success



Check that the object has been updated (the update also shows in the logs in SmartView Tracker):



[Expert@gw-913127:0]# dynamic_objects -l

object name : CPDShield
range 0 :


object name : dynamic_dns_hosts
range 0 :
range 1 :
range 2 :
range 3 :
range 4 :
range 5 :
range 6 :
range 7 :
range 8 :
range 9 :

Operation completed successfully



It's possible to put this into cron (scheduled_task) or run it in a while loop. It's also possible to depopulate the object, delete the object, and so on.
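As an added example (not code from the original post), here is the one-liner wrapped into a POSIX sh script that can be called from cron. It assumes dig and dynamic_objects are on the gateway's PATH; DYNOBJ_CMD and DIG_CMD are hypothetical overrides so the address handling can be exercised away from a gateway. It also keeps only IPv4 answers (dig +short prints the CNAME targets ahead of the A records for aliased hosts such as load balancers) and skips the update entirely when nothing resolved.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes dig and
# dynamic_objects are in PATH on the gateway; the two *_CMD variables are
# hypothetical overrides used only to test the logic without a gateway.
DYNOBJ_CMD="${DYNOBJ_CMD:-dynamic_objects}"
DIG_CMD="${DIG_CMD:-dig}"

# Turn resolver output (one answer per line) into "from to" pairs for -r.
# Only dotted-quad IPv4 lines are kept, so CNAME names that dig +short
# prints before the A records never reach dynamic_objects.
ranges_from_answers() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u | awk '{print $1, $1}'
}

# Resolve the given hostnames and append their addresses to the object.
# Returns non-zero without touching the object when nothing resolved, so a
# DNS outage in cron does not turn into an empty or failed update.
refresh_dynamic_object() {
    name="$1"; shift
    pairs="$("$DIG_CMD" +short "$@" | ranges_from_answers | tr '\n' ' ')"
    if [ -z "$pairs" ]; then
        echo "no A records resolved for: $*" >&2
        return 1
    fi
    # word splitting of $pairs is intended: one "from to" pair per address
    "$DYNOBJ_CMD" -a -o "$name" -r $pairs
}

# Constructed sample of dig +short output for a CNAME'd load balancer name:
# the alias target first, then the A records (one of them duplicated).
SAMPLE_ANSWERS='lb.example.com.
10.0.0.20
10.0.0.10
10.0.0.20'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ANSWERS" | ranges_from_answers
fi
```

Note that -a only adds ranges, so addresses that drop out of DNS stay in the object until they are removed; a scheduled refresh should account for that.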


If you're interested in doing this in Python, there are some cool tools here (someone at Check Point wrote them):


chkp / dynobj — Bitbucket