Friday, 8 February 2013

Check Point dynamic object for DNS

Although Check Point provides domain objects for resolving DNS names to IP addresses in the rulebase, the documentation recommends against using them, for several good reasons. I've written a simple script that makes use of Check Point's rarely used dynamic objects instead. The script pings a host by DNS name, takes the IP address from the reply, then updates a dynamic object that you can use in your firewall policy. Add it to a cronjob and you have a dynamic dynamic object(!?).
Download here

#!/bin/bash -f
# Dynamic Object update script -
# Stuart Green - 08/02/2013
# This script will create and subsequently update a Check Point dynamic
# object which can be used in the rulebase in place of a domain object which is
# known to be unreliable and resource intensive. The script should be placed in
# a crontab and run at the interval you choose.
# DNS needs to be configured on your gateway.
# ICMP and DNS need to be allowed outbound from your gateway / cluster object.
# Tested on R75.40 SecurePlatform and Gaia - should be fine with other versions.
# Copy this script somewhere on your firewall.
# Edit the value of CDIR in this script to be the value of $CPDIR from your
# shell. Eg, the value you get when you run 'echo $CPDIR'.
# Edit the value of DNSNAME to be the domain you want to resolve to an IP.
# Edit the value of CPOBJECT to represent a UNIQUE Check Point dynamic object.
# Add a cronjob to execute the script at your desired time interval (~10min).
# Run 'crontab -e' to edit your crontab and paste in the following line
# (minus quotes) to run the script every 10 minutes:
# '*/10 * * * * /home/admin/'
# Create a dynamic object in your policy with the EXACT same name as CPOBJECT.
# Use the object where required.
# If you need multiple dynamic objects, you can copy the script with a
# different name, modify the values of DNSNAME and CPOBJECT then add the new
# script to a new cronjob.
# Domains that return multiple IPs will only update the dynamic object with the
# FIRST IP address!

# --- Values to edit before use ---
CDIR=""        # the value of $CPDIR on your gateway ('echo $CPDIR')
DNSNAME=""     # the domain to resolve, eg www.example.com
CPOBJECT=""    # the dynamic object name in your policy (must match EXACTLY)

# Load the Check Point shell environment so that $FWDIR is defined. The file
# name after $CDIR/tmp/ was truncated in the original post; complete it with
# the profile script under $CPDIR/tmp that sets up the Check Point shell.
source $CDIR/tmp/
if [[ -z "$FWDIR" ]]; then
  echo "Dynamic object $CPOBJECT not updated: FWDIR is not set, check CDIR" >> /var/log/messages
  exit 1
fi

# Resolve the name by pinging it once and taking the first IPv4 address that
# appears in ping's output (for names with several A records this is the first).
IP=$(/bin/ping -c1 $DNSNAME | /bin/egrep -oh -m1 "([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")
# Do not touch the object if the lookup failed; deleting it first would leave
# any rule that uses it with no addresses at all.
if [[ -z "$IP" ]]; then
  echo "Dynamic object $CPOBJECT not updated: $DNSNAME did not resolve" >> /var/log/messages
  exit 1
fi

# Delete and recreate the object so stale addresses are dropped, then add the
# resolved address as a single-address range.
$FWDIR/bin/dynamic_objects -do $CPOBJECT > /dev/null 2>&1
$FWDIR/bin/dynamic_objects -n $CPOBJECT > /dev/null 2>&1
$FWDIR/bin/dynamic_objects -o $CPOBJECT -r $IP $IP -a > /dev/null 2>&1
EXIT_STATUS=$?
if [[ $EXIT_STATUS -eq 0 ]]; then
  echo "Dynamic object $CPOBJECT updated. $DNSNAME resolves to $IP" >> /var/log/messages
else
  echo "Dynamic object $CPOBJECT not updated successfully" >> /var/log/messages
fi
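The script above stops at the first address ping prints, and whatever the grep matches is handed straight to the firewall CLI. As an added example (not the post's script and not Check Point code), the following POSIX shell script takes every A record for the name, checks that each string really is a dotted-quad IPv4 address before it reaches dynamic_objects, and refuses to delete the object when the lookup returns nothing. It keeps the page's delete/recreate/add sequence and the dynamic_objects CLI under $FWDIR/bin; it assumes dig is available on the gateway (the post uses ping) and reads DNSNAME and CPOBJECT from the environment. DRY_RUN=1 and the resolver lines mentioned in the comments are my own additions for previewing and testing.

```shell
#!/bin/sh
# Added example: multi-address, validated dynamic object update (not from the
# original post). Functions are kept pure so they can be exercised with
# constructed resolver output, e.g. these lines as 'dig +short' might print:
#   www.example.com.      (CNAME, dropped)
#   192.0.2.10            (kept)
#   999.1.1.1             (malformed, dropped)
set -f   # no globbing: resolver lines are word-split with 'set --' below

# True when $1 is exactly four dot-separated decimal octets, each 0-255.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Read resolver output from stdin (first token of each line) and print the
# valid, de-duplicated addresses in first-seen order. Anything that is not a
# clean IPv4 address is dropped rather than passed to the firewall CLI.
filter_addresses() {
  seen=' '
  while IFS= read -r line; do
    set -- $line
    line=${1:-}
    valid_ipv4 "$line" || continue
    case $seen in *" $line "*) continue ;; esac
    seen="$seen$line "
    printf '%s\n' "$line"
  done
}

# Run a command quietly, or with DRY_RUN=1 print it instead (assumed helper
# for previewing changes before wiring the script into cron).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@" >/dev/null 2>&1
  fi
}

# Same sequence as the post (delete, recreate, add ranges) but with one /32
# range per address. Returns 2 and leaves the object untouched when there is
# nothing valid to add, so a failed lookup never empties a live rule.
update_object() {
  object=$1; shift
  [ $# -gt 0 ] || { echo "no valid addresses for $object, left unchanged" >&2; return 2; }
  rc=0
  run "$FWDIR/bin/dynamic_objects" -do "$object" || true   # may not exist yet
  run "$FWDIR/bin/dynamic_objects" -n "$object" || rc=1
  for ip in "$@"; do
    run "$FWDIR/bin/dynamic_objects" -o "$object" -r "$ip" "$ip" -a || rc=1
  done
  return $rc
}

# On a gateway: DNSNAME=www.example.com CPOBJECT=web_dyn ./update.sh
# (add DRY_RUN=1 to preview). Does nothing when the names are unset, so the
# functions above can be sourced and tested on their own.
if [ -n "${DNSNAME:-}" ] && [ -n "${CPOBJECT:-}" ]; then
  set -- $(dig +short A "$DNSNAME" | filter_addresses)
  update_object "$CPOBJECT" "$@"
fi
```

The validation matters because the original grep accepts any four dot-separated digit groups and the result is expanded unquoted on the firewall's command line; restricting it to real octets and to tokens that came out of the resolver keeps the cron job from ever passing anything else to dynamic_objects. If your gateway lacks dig, `host -t A` works too once the filter is changed to read the last token of each line instead of the first.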


Fred: This helps so much, thanks! And thanks for not just sharing the code but giving us a download as well :)