This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Iain_King
Collaborator
‎2017-11-15 03:04 AM

Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

Ever want to allow access to "google.com" or "google.com.au" or some large lists of A record hosts (like AWS or Azure hosted front end elastic load balancers.. or akamai hosted stuff etc)?

Domain objects not doing it for you? (reverse lookups only the first address)

Logical server objects not doing it for you (like they do in AWS/Azure autoscaling?)

Not on R80.10 yet?

Create a dynamic object as a destination.. then on the command line do the following:

The dynamic object name here is "dynamic_dns_hosts" and must match the dynamic object created in the policy editor (smartconsole).

//

[Expert@gw-913127:0]# dynamic_objects -n dynamic_dns_hosts

Operation completed successfully

To populate the dynamic object run the following:

[Expert@gw-913127:0]# dig +short my.changing.cloud.hostname.com google.com google.com.au|sort -u|awk '{print $1" "$1}'|xargs dynamic_objects -a -o dynamic_dns_hosts -r

Operation completed successfully

Log update success

//

Check the object has been updated (shows both in the logs in tracker as well):

//

[Expert@gw-913127:0]# dynamic_objects -l

object name : CPDShield
range 0 : 0.0.0.1 0.0.0.1

object name : dynamic_dns_hosts
range 0 : 34.210.127.64 34.210.127.64
range 1 : 34.213.84.59 34.213.84.59
range 2 : 35.160.229.160 35.160.229.160
range 3 : 35.163.99.121 35.163.99.121
range 4 : 54.148.3.136 54.148.3.136
range 5 : 54.186.179.15 54.186.179.15
range 6 : 54.187.44.205 54.187.44.205
range 7 : 54.244.5.167 54.244.5.167
range 8 : 172.217.25.35 172.217.25.35
range 9 : 216.58.203.110 216.58.203.110

Operation completed successfully

//

It's possible to write this into cron (scheduled_task) or run in a while loop. It's possible also to depopulate the object, delete the object and all the other things too.

If you're interested in doing this in python, there's some cool tools here (someone at checkpoint wrote it):

chkp / dynobj — Bitbucket 

4 Replies
PhoneBoy
Admin
Admin
‎2019-05-07 02:04 PM

This is an old post, but found it as I was looking for something to help someone.
Also moved it to Code Hub as it seemed like a better place for it 🙂
Cihat_Bulut
Contributor
Contributor
‎2019-07-17 04:24 AM
In response to PhoneBoy

Hi,

You can not use domain objects in NAT rules in R80. So you can use dynamic objects.

First create a file on your disk, such as /home/admin/file_on_your_disk.txt. Add host names line by line.

then create a script and add it to cron. If daily, you can use CP Job Scheduler. If frequency is less than a day then refer to sk77300.

-------------------------------------------------
#!/bin/sh

source /opt/CPshrd-R80/tmp/.CPprofile.sh

dig +short -f file_on_your_disk.txt | grep '^[.0-9]*$'| sort -u | awk '{print $1" "$1}' | xargs dynamic_objects -a -o dynamic_dns_hosts -r
-------------------------------------------------

BR

PhoneBoy
Admin
Admin
‎2019-07-18 01:02 AM
In response to Cihat_Bulut

You couldn't use Domain Objects in NAT rules in R77.x either as far as I know.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-06-18 03:15 PM

Looks like the new home for the dynobj code is: https://github.com/CheckPointSW/dynobj
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events