Tuesday, December 29, 2020

Checkpoint Updatable Objects vs Domain Objects vs Dynamic Objects

Updatable Objects

An updatable object is a network object that represents an external service, such as Office 365, AWS or GEO locations. For each such service there is a network object you can import into SmartConsole.

To add the Microsoft Exchange Updatable Object to the Security Gateway

  1. Make sure the Security Management Server and the Security Gateway have access to the Check Point cloud.

  2. Go to SmartConsole > Security Policies > Access Control > Policy.

  3. Create a new rule.

  4. In the Destination column, click the + sign and select Import > Updatable Objects.

    The Updatable Objects window opens.

  5. Select the objects to add. For this use case, select the Exchange Services object.


Domain Objects

A Domain Object allows you to specify a domain name for matching in the rule base. It can be used in Source and Destination columns of Access Policy.

How to create a Domain Object in R8x

  1. Right-click Network Objects in the object panel on the right-hand side.

  2. Navigate to More -> Domain.

  3. You now have two different modes for creating Domain Objects: FQDN mode and Non-FQDN mode.

FQDN mode

When FQDN mode is selected, only traffic to the exact domain will be matched on the rule using the FQDN domain object.

Non-FQDN mode

When FQDN mode is unchecked, traffic to the domain and its sub-domains (up to 10 levels) will be matched on the rule using the non-FQDN Domain object.
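The difference between the two modes, as an added example rather than Check Point's own matching code: a small matcher that treats an FQDN object as an exact-name match and a non-FQDN object as a match on the domain itself plus sub-domains up to 10 levels deep, as described above. The `DomainObject` class, `first_matching_rule` helper and the sample names are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Non-FQDN domain objects match sub-domains up to 10 levels deep (per the post).
MAX_SUBDOMAIN_LEVELS = 10


def _labels(name: str) -> list[str]:
    """Split a host or domain name into lowercase labels.

    A trailing dot (absolute name) and a leading dot (e.g. ".example.com")
    are ignored so that spelling differences do not defeat the match.
    """
    return [lbl for lbl in name.lower().strip(".").split(".") if lbl]


@dataclass(frozen=True)
class DomainObject:
    """Hypothetical stand-in for a Check Point Domain Object."""
    name: str
    fqdn_mode: bool = True

    def matches(self, destination: str) -> bool:
        obj = _labels(self.name)
        dst = _labels(destination)
        if not obj or not dst:
            return False
        if self.fqdn_mode:
            # FQDN mode: only traffic to the exact domain matches.
            return dst == obj
        # Non-FQDN mode: the domain itself or a sub-domain of it,
        # but only up to MAX_SUBDOMAIN_LEVELS additional labels.
        extra_levels = len(dst) - len(obj)
        if extra_levels < 0 or extra_levels > MAX_SUBDOMAIN_LEVELS:
            return False
        return dst[extra_levels:] == obj


def first_matching_rule(rules: list[list[DomainObject]], destination: str) -> int | None:
    """Return the index of the first rule whose Destination column matches.

    `rules` is an ordered rule base where each rule is a list of domain
    objects in its Destination column; None means no rule matched.
    """
    for idx, objects in enumerate(rules):
        if any(obj.matches(destination) for obj in objects):
            return idx
    return None


if __name__ == "__main__":
    exact = DomainObject("example.com", fqdn_mode=True)
    broad = DomainObject(".example.com", fqdn_mode=False)
    for host in ("example.com", "mail.example.com", "notexample.com"):
        print(f"{host:20} FQDN={exact.matches(host)!s:5} non-FQDN={broad.matches(host)}")
```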


Dynamic Objects

Dynamic objects are easily confused with updatable and domain objects. A dynamic object resolves to different IP addresses depending on the gateway the policy is installed on, so a single object name in the rule base, installed on multiple gateways, can resolve to a different IP range on each of them.


Next post: CLI tools to examine the IP addresses in play.
