Configuring Dynamic Objects
Solution

A Dynamic Object is a "logical" object whose IP addresses are not defined centrally in the policy but are resolved locally on each Security Gateway with the dynamic_objects command. A rule that uses a Dynamic Object is therefore enforced on each Security Gateway against whatever IP address ranges are defined for that object on that gateway, and these can differ from gateway to gateway.

Notes:

  • The dynamic_objects command is run in Expert mode, and only on the Security Gateway (not on the Security Management Server). Refer to R77 Versions Command Line Interface Reference Guide - "Security Management Server and Firewall Commands" - "dynamic_objects". The Dynamic Objects configured on a Security Gateway are stored in the Dynamic Objects database (an ASCII file): $FWDIR/database/dynamic_objects.db
  • In Small Office appliances, starting from R77.20.60 firmware, undefined dynamic objects are treated as empty lists and do not cause traffic to be dropped. 


Run the dynamic_objects -l command on the Security Gateway to list the Dynamic Objects defined there and their associated ranges of IP addresses.


Examples:

In this example, "bigserver" is created as a dynamic object, with an IP address range of 192.168.1.1 to 192.168.1.40, on each Security Gateway on which the command is executed. The object exists only on the gateways where the command was run, so it must be repeated on every gateway that enforces a rule using "bigserver".

  • The command: 

    [Expert@GW]# dynamic_objects -n bigserver -r 192.168.1.1 192.168.1.40 -a

    creates a new dynamic object named "bigserver" with an IP address range 192.168.1.1-192.168.1.40.

  • The command: 

    [Expert@GW]# dynamic_objects -o bigserver -r 192.168.1.1 192.168.1.40 -a

    adds the IP address range 192.168.1.1-192.168.1.40 to the previously created dynamic object "bigserver" (-o refers to an existing object; -n is used only when creating it).

  • The command: 

    [Expert@GW]# dynamic_objects -o bigserver -r 192.168.1.1 192.168.1.40 -d

    deletes the IP address range 192.168.1.1-192.168.1.40 from the dynamic object "bigserver".


Problems: (Not relevant for R80.x)

Improperly configured dynamic objects, or dynamic objects that are referenced in the policy but have no local definition on the Security Gateway, can cause the following problems:

  • No drop logs are seen in SmartView Tracker for the dropped traffic.

  • Kernel debug shows that the Security Gateway is dropping packets on the rule that contains the dynamic object (rule 103 in this case), even though a rule below it allows this traffic:

    [vs_2];[tid_0];[fw4_0];fwconn_lookup: conn <dir 0, W.X.Y.Z:48020 -> A.B.C.D:3101 IPP 6>;
    [vs_2];[tid_0];[fw4_0];fw_handle_first_packet: Rulebase returned VANISH;
    [vs_2];[tid_0];[fw4_0];fw_handle_first_packet: match on rule 103;
    W.X.Y.Z:48020 -> A.B.C.D:3101 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 103;
    [vs_2];[tid_0];[fw4_0];VM Final action=VANISH;

  • The output of the dynamic_objects -l command on the Security Gateway does not show any configuration for the object.
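A pre-flight check for this failure mode, added here as an example and not part of the SK article or of Check Point's own tooling: it parses the listing printed by dynamic_objects -l and warns about every object the policy references that has no range defined locally on this gateway, so an undefined object is caught before policy install rather than only by kernel debug. The listing layout (one "object name : NAME" line followed by "range N : FIRST LAST" lines), the object names and the embedded sample listing are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not from the SK article: verify that every Dynamic Object a
# policy references has at least one IP range defined locally on this gateway.
# A referenced but undefined object is the case that (pre-R80) makes the rule
# drop traffic without a log, as shown in the kernel debug above.

# Constructed sample of what `dynamic_objects -l` prints. The layout (one
# "object name : NAME" line followed by "range N : FIRST LAST" lines) is an
# assumption about the R77-era output, used so the check also runs offline.
SAMPLE_LISTING='object name : bigserver
range 0 : 192.168.1.1         192.168.1.40
range 1 : 10.0.0.5            10.0.0.5
object name : empty_obj
'

# count_ranges NAME  -  read a listing on stdin and print the number of ranges
# defined for object NAME (0 if the object is absent or has no ranges).
count_ranges() {
    awk -v want="$1" '
        /^object name :/   { cur = $4; next }          # "object name : NAME"
        /^range [0-9]+ :/  { if (cur == want) n++ }    # "range N : FIRST LAST"
        END                { print n + 0 }
    '
}

# check_objects LISTING NAME...  -  warn about every NAME with no local range.
# Returns 0 when all names are defined, 1 otherwise.
check_objects() {
    listing="$1"; shift
    missing=0
    for obj in "$@"; do
        n=$(printf '%s\n' "$listing" | count_ranges "$obj")
        if [ "$n" -eq 0 ]; then
            echo "WARNING: dynamic object '$obj' has no ranges on this gateway;" \
                 "define one with: dynamic_objects -n $obj -r <first> <last> -a"
            missing=$((missing + 1))
        else
            echo "ok: '$obj' has $n range(s)"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use on a gateway (Expert mode): bash check_dynobj.sh bigserver other_obj
# Where dynamic_objects is not present, fall back to the constructed sample so
# the script still demonstrates both outcomes (one defined, one empty object).
if command -v dynamic_objects >/dev/null 2>&1; then
    check_objects "$(dynamic_objects -l)" "$@"
else
    check_objects "$SAMPLE_LISTING" bigserver empty_obj || true
fi
```

The check is deliberately per-gateway: because the object database is local ($FWDIR/database/dynamic_objects.db), a name that is fully defined on one gateway can still be empty on another, so run it on every gateway that enforces the rule.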

For additional information, refer to the Command Line Interface Reference Guide (R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77) - Chapter "Security Management Server and Firewall Commands" - dynamic_objects.

Applies To:
  • This article replaces sk106088, sk34331
