Configuring Dynamic Objects
Solution

A Dynamic Object is a "logical" object whose IP addresses are resolved locally on each Security Gateway with the dynamic_objects command. A rule that uses a Dynamic Object is therefore enforced against a different set of addresses on each Security Gateway, depending on what that gateway has defined.

Notes:

  • The dynamic_objects command is run in Expert mode, and only on the Security Gateway. Refer to the R77 Versions Command Line Interface Reference Guide - "Security Management Server and Firewall Commands" - "dynamic_objects". The Dynamic Objects database is an ASCII file on the Security Gateway, $FWDIR/database/dynamic_objects.db, and contains the Dynamic Objects configured on that gateway.
  • In Small Office appliances, starting from R77.20.60 firmware, undefined dynamic objects are treated as empty lists and do not cause traffic to be dropped. 

 

To list the Dynamic Objects and their associated ranges of IP addresses, run the dynamic_objects -l command on the Security Gateway.


Examples:

In this example, a dynamic object named "bigserver" with the IP address range 192.168.1.1 to 192.168.1.40 is created on each Security Gateway on which the command is executed.

  • The command: 

    [Expert@GW]# dynamic_objects -n bigserver -r 192.168.1.1 192.168.1.40 -a

    creates a new dynamic object named "bigserver" with an IP address range 192.168.1.1-192.168.1.40.

  • The command: 

    [Expert@GW]# dynamic_objects -o bigserver -r 192.168.1.1 192.168.1.40 -a

    adds the IP address range 192.168.1.1-192.168.1.40 to the previously created dynamic object "bigserver".

  • The command: 

    [Expert@GW]# dynamic_objects -o bigserver -r 192.168.1.1 192.168.1.40 -d

    deletes the IP address range 192.168.1.1-192.168.1.40 from the dynamic object "bigserver".

 

Problems: (Not relevant for R80.x)

Dynamic objects that are improperly configured, or that have no local definition on the Security Gateway (the object is used in the policy but no IP address range was assigned to it with dynamic_objects), can cause these problems:

  • SmartView Tracker shows no drop logs.

  • Kernel debug shows that the Security Gateway is dropping packets on the rule containing the dynamic objects (rule 103 in this case), even though another rule below it allows this traffic:

    [vs_2];[tid_0];[fw4_0];fwconn_lookup: conn <dir 0, W.X.Y.Z:48020 -> A.B.C.D:3101 IPP 6>;
    [vs_2];[tid_0];[fw4_0];fw_handle_first_packet: Rulebase returned VANISH;
    [vs_2];[tid_0];[fw4_0];fw_handle_first_packet: match on rule 103;
    W.X.Y.Z:48020 -> A.B.C.D:3101 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 103;
    [vs_2];[tid_0];[fw4_0];VM Final action=VANISH;
  • The output of the dynamic_objects -l command on the Security Gateway shows no configuration.
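Both the create/add/delete procedure above and the symptom just described come down to one question: does every Dynamic Object the policy uses have a local definition with at least one range on this Security Gateway? The following script is an added example, not Check Point's code or anything from the original article. It parses the listing that dynamic_objects -l produces and flags objects that are missing or have no ranges. It assumes the listing format is an "object name : <name>" line followed by one "range <n> : <start> <end>" line per range; the sample listing, the object names "webfarm" and "dbcluster", and the function name check_dynamic_objects are constructed for the example.

```shell
#!/bin/bash
# Added example (not Check Point's code): verify that every Dynamic Object a policy
# relies on has a local definition on this Security Gateway, so the rule does not
# silently drop traffic. ASSUMPTION: "dynamic_objects -l" prints an
# "object name : <name>" line followed by one "range <n> : <start> <end>" line per
# range; adjust the awk patterns below if your version prints a different layout.

# Constructed sample listing: "bigserver" is defined with one range (as on this
# page), "webfarm" exists but has no ranges, and "dbcluster" is not present at all.
SAMPLE_LISTING='object name : bigserver
range 0 : 192.168.1.1    192.168.1.40
object name : webfarm'

# check_dynamic_objects "<listing text>" NAME...
# Prints "<name> OK <range count>", "<name> EMPTY" or "<name> MISSING" per name.
# Returns 0 only when every name is defined with at least one range.
check_dynamic_objects() {
    local listing="$1"; shift
    local rc=0 name count
    for name in "$@"; do
        # "-1" = object not in the listing; otherwise the number of range lines under it
        count=$(printf '%s\n' "$listing" | awk -v want="$name" '
            $1 == "object" && $2 == "name" { cur = $4; if (cur == want) found = 1; next }
            $1 == "range" && cur == want   { n++ }
            END { if (!found) print "-1"; else print n + 0 }')
        if [ "$count" -lt 0 ]; then
            echo "$name MISSING"; rc=1
        elif [ "$count" -eq 0 ]; then
            echo "$name EMPTY"; rc=1
        else
            echo "$name OK $count"
        fi
    done
    return "$rc"
}

# Stand-alone run: use the real listing when the command exists (Expert mode on a
# Security Gateway), otherwise fall back to the constructed sample.
if command -v dynamic_objects >/dev/null 2>&1; then
    LISTING=$(dynamic_objects -l)
else
    LISTING=$SAMPLE_LISTING
fi
if check_dynamic_objects "$LISTING" bigserver webfarm dbcluster; then
    echo "all required dynamic objects are defined locally"
else
    echo "define the objects listed above with dynamic_objects before relying on the rule" >&2
fi
```

Run it in Expert mode on each Security Gateway that enforces the rule, passing the names of the Dynamic Objects the policy uses; an EMPTY or MISSING result is exactly the condition under which the rule matches nothing locally and the drops in the kernel debug above appear without corresponding drop logs.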

For additional information, refer to the Command Line Interface Reference Guide for your version: R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76 and R77 (chapter 'Security Gateway Commands' - dynamic_objects), and R80.20, R80.30, R80.40, R81 and R81.10.

Applies To:
  • This article replaces sk106088 and sk34331.
