Starting from version R81, the Generic Data Center feature provides the ability to enforce access to/from IP addresses defined in JSON files located on external web servers or locally on the Security Management machine. The Generic Data Center objects are updated automatically on the Security Gateway each time the JSON file changes; there is no need to install policy for the updates to take effect. Objects created from these files can be used as a source or a destination in the following policies: Access Control policy, NAT policy, Threat Prevention policy, HTTPS Inspection policy.
- This feature is only supported for R81 Security Gateways.
- Generic Data Center objects are not supported in group objects.
- Both IPv4 and IPv6 addresses are supported.
To create a new Generic Data Center object you have two options:
- Click the '+' button under the Source/Destination column, choose import 'Data Centers', then choose 'New Data Center' and click 'Generic Data Center...' (as shown below):
- Via the 'Objects' pane, choose 'More object types', then 'Cloud' --> 'Data Center', and click 'New Generic Data Center...' (as shown below):
On the creation window:
- Enter the URL of the JSON feed (for a local file, enter the full path starting with '/'). For example: https://example.com/file.json (remote feed), /tmp/file.json (local feed).
- Choose the update interval in seconds; this interval defines the time between JSON feed scans (default 60 seconds, minimum 10 seconds).
- If your server requires credentials, add a 'Custom Header' and assign it a key and a value; the header is sent with every feed request.
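The following is an added example, not code from the SK article or from Check Point: a minimal feed server that releases the JSON file only to clients presenting the 'Custom Header' configured above, together with a client that fetches the feed the way the Management server would. The header name X-Feed-Token, its value, the feed content and the object UID are assumptions; the path /CheckPoint/GenericDC.json is taken from the step-by-step example further down the page.

```python
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed header key/value; these are what you would enter as the
# 'Custom Header' key and value on the Generic Data Center creation window.
HEADER_NAME = "X-Feed-Token"
HEADER_VALUE = "replace-with-a-long-random-secret"
FEED_PATH = "/CheckPoint/GenericDC.json"

# Constructed feed content (not the article's file); the id is a made-up UID.
FEED_JSON = json.dumps({
    "version": "1.0",
    "description": "Constructed example feed",
    "objects": [{
        "name": "Boston-financial-lab",
        "id": "0e3c6f9a-1b2c-4d5e-8f90-123456789abc",
        "description": "Constructed example object",
        "ranges": ["192.0.2.0/24"],
    }],
}).encode()


class FeedHandler(BaseHTTPRequestHandler):
    """Serve the feed only to clients presenting the expected custom header."""

    def do_GET(self):
        if self.path != FEED_PATH:
            self.send_error(404)
            return
        supplied = self.headers.get(HEADER_NAME, "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied.encode(), HEADER_VALUE.encode()):
            self.send_error(401)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(FEED_JSON)))
        self.end_headers()
        self.wfile.write(FEED_JSON)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_feed_server(host="127.0.0.1"):
    """Start the feed server on an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer((host, 0), FeedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_feed(port, token=None, host="127.0.0.1"):
    """Fetch the feed with or without the custom header.
    Returns (HTTP status, parsed JSON or None on an HTTP error)."""
    req = urllib.request.Request(f"http://{host}:{port}{FEED_PATH}")
    if token is not None:
        req.add_header(HEADER_NAME, token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    server, port = start_feed_server()
    print("without header:", fetch_feed(port)[0])             # 401
    print("with header:   ", fetch_feed(port, HEADER_VALUE))   # 200 and the feed
    server.shutdown()
```

Because feed changes reach the gateway without policy installation, the feed server is effectively part of the policy: serve it over HTTPS with a certificate you trust in 'Test Connection' (the custom header value travels in clear text over plain HTTP) and keep write access to the JSON file as tight as write access to the policy itself.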
To check connectivity to the given URL, click 'Test Connection'. For HTTPS connections you are shown the server's certificate, and the feed is connected only if you choose to trust it. Since feed updates are enforced without policy installation, treat the feed source as part of the policy: prefer HTTPS with a trusted certificate over plain HTTP, and restrict who can modify the JSON file or the web server path that serves it.
On the import window:
There are two types of Generic Data Center objects: Generic Data Object and Generic Data Folder.
Each Generic Data Object represents one of the objects in the JSON file.
A Generic Data Folder represents all JSON objects from the JSON file; its name is derived from the Data Center object name (the UI name).
To select objects in the import window, click the '+' to the right of the object.
To import objects from an existing Generic Data Center:
- Click the '+' button under the Source/Destination column.
- Select import 'Data Centers', and then select the name of the existing Generic Data Center.
- The import window opens. Add the objects with the '+' button.
JSON File Structure
Here is an example of the JSON file structure (only the field names and descriptive strings survive from the original listing; the "id" and "ranges" values are left out):
{
  "version": "1.0",
  "description": "Generic Data Center file example",
  "objects": [
    {
      "name": "Object A name",
      "id": ...,
      "description": "Example for IPv4 addresses",
      "ranges": [...]
    },
    {
      "name": "Object B name",
      "id": ...,
      "description": "Example for IPv6 addresses",
      "ranges": [...]
    }
  ]
}
- Currently, only version 1.0 is supported.
- The "id" field should be a unique UID.
- Mandatory fields: "version", "objects", "name", "id", "ranges".
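The following is an added example, not code from the SK article or from Check Point: a validator to run over a feed file before publishing it, checking the rules above (version 1.0, mandatory fields, unique ids) plus two checks a practitioner would want because the gateway enforces the file without policy installation: every "ranges" entry must parse, and no entry may cover the whole address space. The sample feed, its UIDs and addresses are constructed; the accepted range forms (single address, "a-b" range, CIDR) and the 5000-object default limit quoted from the article are assumptions about what the gateway accepts.

```python
import ipaddress
import json

# Constructed example feed (not the article's GenericDC.json); UIDs and addresses are made up.
EXAMPLE_FEED = """{
  "version": "1.0",
  "description": "Generic Data Center file example",
  "objects": [
    {
      "name": "Object A name",
      "id": "3a1d2b4c-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
      "description": "Example for IPv4 addresses",
      "ranges": ["192.0.2.10", "192.0.2.100-192.0.2.200", "198.51.100.0/24"]
    },
    {
      "name": "Object B name",
      "id": "7f8e9d0c-1b2a-4c3d-9e8f-7a6b5c4d3e2f",
      "description": "Example for IPv6 addresses",
      "ranges": ["2001:db8::1", "2001:db8:1::/48"]
    }
  ]
}"""

MANDATORY_TOP = ("version", "objects")
MANDATORY_OBJ = ("name", "id", "ranges")
MAX_OBJECTS = 5000  # default dynamic-object limit quoted by the article (sk167576)


def parse_range(text):
    """Parse one 'ranges' entry into ip_network objects.
    Assumed accepted forms: single address, 'first-last' range, CIDR."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError("range end precedes start or mixes IP versions")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text.strip(), strict=False)]


def validate_feed(text, max_objects=MAX_OBJECTS):
    """Return a list of problems found in the feed; an empty list means it passed."""
    problems = []
    try:
        feed = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err}"]
    for key in MANDATORY_TOP:
        if key not in feed:
            problems.append(f"missing top-level field {key!r}")
    if feed.get("version") != "1.0":
        problems.append(f"unsupported version {feed.get('version')!r} (only 1.0 is supported)")
    objects = feed.get("objects", [])
    if not isinstance(objects, list):
        return problems + ["'objects' must be a list"]
    if len(objects) > max_objects:
        problems.append(f"{len(objects)} objects exceeds limit {max_objects}")
    seen_ids = set()
    for index, obj in enumerate(objects):
        if not isinstance(obj, dict):
            problems.append(f"object #{index}: not a JSON object")
            continue
        label = obj.get("name", f"object #{index}")
        for key in MANDATORY_OBJ:
            if key not in obj:
                problems.append(f"{label}: missing field {key!r}")
        oid = obj.get("id")
        if oid is not None:
            if oid in seen_ids:
                problems.append(f"{label}: duplicate id {oid!r}")
            seen_ids.add(oid)
        ranges = obj.get("ranges", [])
        if not isinstance(ranges, list):
            problems.append(f"{label}: 'ranges' must be a list")
            continue
        for entry in ranges:
            try:
                nets = parse_range(str(entry))
            except ValueError as err:
                problems.append(f"{label}: unparsable range {entry!r} ({err})")
                continue
            # A /0 entry would turn a rule on this object into a match-everything rule.
            for net in nets:
                if net.prefixlen == 0:
                    problems.append(f"{label}: range {entry!r} covers the entire address space")
    return problems


if __name__ == "__main__":
    print(validate_feed(EXAMPLE_FEED) or "feed OK")
```

Run it against the file (for a local feed, the path under '/' that you entered on the creation window) from whatever publishes it, and refuse to publish when the list is non-empty; the id check matters because the gateway tracks objects by "id", so a copied object with a duplicated UID silently collides with the original.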
Step by Step Example - Create new rule with Generic Data Center
The JSON file can be located remotely on a web server or locally on the Management machine.
Here we have a JSON file called GenericDC.json. The example below shows how to configure it when it is located remotely at http://172.16.4.191/CheckPoint/GenericDC.json or locally at /tmp/GenericDC.json.
On the creation window, we will give the name 'CheckPoint' to our object, enter the URL and click on 'Test Connection':
The next step is to create a new rule that blocks all traffic to 'Boston-financial-lab'. First click the '+' button under the destination column of the new rule and import the Generic Data Center object created above (as shown below):
The import window opens. Click the '+' button to the left of the 'Boston-financial-lab' object (as shown below):
Our rule is ready (as shown below):
All we need now is to perform Install Policy once for the new rule. After that, all changes made to the 'Boston-financial-lab' object in the JSON file are applied automatically without policy installation.
Relation between JSON file and Import window
- "name" fields appear under the column 'Name'.
- "id" fields will be under the column 'ID'.
- "description" fields will be under the column 'Description'.
- "ranges" field will be under the column 'Content'.
- 'URL' column will contain the URL feed.
- Policy installation fails when the maximum number of dynamic objects is reached (the default value is 5000): refer to sk167576.
- We recommend avoiding more than 30,000 changes per update, as larger updates affect user experience.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.