Support Center > Search Results > SecureKnowledge Details
Configuring Dynamic Objects Technical Level

A Dynamic Object is a "logical" object that is resolved to an IP address differently on each Security Gateway using the dynamic_objects command. A rule that uses this Dynamic Object is then enforced on each Security Gateway on different objects.


  • The dynamic_objects command is run in Expert mode and only on the Security Gateway. Refer to R77 Versions Command Line Interface Reference Guide - "Security Management Server and Firewall Commands" - "dynamic_objects". The Dynamic Objects database (ASCII file) contains the Dynamic Objects configured on the Security Gateway - $FWDIR/database/dynamic_objects.db
  • In Small Office appliances, starting from R77.20.60 firmware, undefined dynamic objects are treated as empty lists and do not cause traffic to be dropped. 


To list the Dynamic Objects and their associated ranges of IP addresses, run the dynamic_objects -l command on Security Gateway 


In this example, users create "bigserver" as a dynamic object, with an IP address range of to, on each Security Gateway that this command is executed on.

  • The command: 

    [Expert@GW]# dynamic_objects -n bigserver -r -a

    creates a new dynamic object named "bigserver" with an IP address range

  • The command: 

    [Expert@GW]# dynamic_objects -o bigserver -r -a

    adds the IP address range to the previously created dynamic object "bigserver".

  • The command: 

    [Expert@GW]# dynamic_objects -o bigserver -r -d

    deletes the IP address range from the dynamic object "bigserver".


Problems: (Not relevant for R80.x)

Improperly configured dynamic objects, or dynamic objects without local definitions, can cause these problems:

  • SmartView Tracker shows no drop logs.

  • Kernel debug shows that the Security Gateway is dropping packets on rule containing dynamic objects (rule 103 in this case) even though there is another rule below that allows this traffic:

    [vs_2];[tid_0];[fw4_0];fwconn_lookup: conn <dir 0, W.X.Y.Z:48020 -> A.B.C.D:3101 IPP 6>;
    [vs_2];[tid_0];[fw4_0];fw_handle_first_packet: Rulebase returned VANISH;
    [vs_2];[tid_0];[fw4_0];fw_handle_first_packet: match on rule 103;
    W.X.Y.Z:48020 -> A.B.C.D:3101 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 103;
    [vs_2];[tid_0];[fw4_0];VM Final action=VANISH;
  • Output of dynamic_objects -l command on the Security Gateway does not show any configuration

For additional information, refer to Command Line Interface Reference Guide (R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77 - Chapter 'Security Gateway Commands' - dynamic_objects, R80.20, R80.30, R80.40, R81, R81.10).

Applies To:
  • This article replaces sk106088 , sk34331

Give us Feedback
Please rate this document