Checkpoint, Dynamic WAN & PAT

Okay, this might not be your everyday problem... most companies running Check Point software have static IPs on their WAN link, but for the sake of argument, and because I wanted to play with some new firewall software while getting certified for the CCSA, I'm stuck with a dynamic IP on my WAN link, and I want port/network translation (PAT).

Since Check Point does not think in terms of ingress and egress interfaces, but treats everything as just "floating" around, this makes it a bit harder, but after some googling and having some fun reading documentation I found my answer... Dynamic Objects! 🙂

Create a new dynamic object in SmartDashboard, and use it in a policy rule and a NAT rule.

Screenshot: My Dynamic Object

Screenshot: My NAT rule

Screenshot: My Policy Rule


Then on the security gateway, run the following command in expert mode, where $WANIP is your current dynamic IP:

dynamic_objects -n WANIP -r $WANIP $WANIP -a > /dev/null

But hey, if it's dynamic, can't it change? Yes it can..... But since the new Check Point R77 with GAiA is just a nice Linux distro, you can check this at regular intervals with a cronjob, so for the sake of playing nice, here is my 5-minute bash script that will do the job!

Usage: ./script interface object_name
Eg: ./script eth0 WANIP


#!/bin/bash
# Usage: ./script interface object_name
# Keeps a Check Point dynamic object in sync with the address on a NIC.
int=$1
obj=$2

if [ -z "$int" ] || [ -z "$obj" ] ; then
    echo "You need to specify interface and object..."
    echo "Usage: $0 \"NIC\" \"Object Name\""
    exit 0
fi

# Current address on the interface, and the address the object holds now
NEWIP=`ifconfig $int | awk '/inet addr/{print substr($2,6)}'`
OLDIP=`dynamic_objects -l | grep $obj -A 2 | grep range | awk -F" " '{ print $4 }'`

## Die if no valid ip is found on interface
if [ -z "$NEWIP" ] ; then
    echo "No valid ip found on interface... quitting.."
    exit 0
fi

## Dynamic object not found, will create it
if [ -z "$OLDIP" ] ; then
    dynamic_objects -n $obj -r $NEWIP $NEWIP -a > /dev/null
    exit 0
fi

## New ip detected, let's change the object
if [ "$NEWIP" != "$OLDIP" ] ; then
    echo "Change IP..."
    dynamic_objects -do $obj > /dev/null
    dynamic_objects -n $obj -r $NEWIP $NEWIP -a > /dev/null
else
    echo "Nothing changed....."
fi
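As an added example (not the post's own script), here is the object-lookup and decision logic pulled out into functions you can test offline: it matches the object name exactly instead of with a partial grep (so WANIP does not pick up a WANIP_OLD object), and it separates "create / update / noop" from the commands that act on them. The listing format is constructed to match what the post's awk ($4 of the "range" line) expects; the cron path and interface are assumptions.

```shell
#!/bin/sh
# Added example: parse a "dynamic_objects -l" style listing for exactly one
# object and decide what the sync job should do. The listing below is
# constructed (RFC 5737 test addresses) to match the format the post's own
# awk expects; check it against your gateway's real output before relying on it.
SAMPLE_LISTING='object name : WANIP
range 0 : 203.0.113.10 203.0.113.10

object name : WANIP_OLD
range 0 : 198.51.100.7 198.51.100.7
'

# Print the first address of the first range of the named object, or nothing.
# "grep WANIP -A 2" would also match WANIP_OLD; here the name must match exactly.
parse_object_ip() {
    listing=$1
    obj=$2
    printf '%s\n' "$listing" | awk -v want="$obj" '
        /^object name :/ { found = ($4 == want) }
        found && /^range/ { print $4; exit }
    '
}

# Return the action the sync job should take: skip, create, update or noop.
decide_action() {
    oldip=$1
    newip=$2
    if [ -z "$newip" ]; then echo "skip"; return; fi     # no address on the NIC
    if [ -z "$oldip" ]; then echo "create"; return; fi   # object does not exist yet
    if [ "$oldip" != "$newip" ]; then echo "update"; else echo "noop"; fi
}

# Example run on the constructed listing; on the gateway you would pass
# "$(dynamic_objects -l)" and the address read from the interface instead.
current=$(parse_object_ip "$SAMPLE_LISTING" WANIP)
echo "WANIP object currently holds: $current"
echo "WAN still 203.0.113.10 -> $(decide_action "$current" 203.0.113.10)"
echo "WAN now 203.0.113.99   -> $(decide_action "$current" 203.0.113.99)"

# Run the post's script every 5 minutes (assumed path and interface):
#   */5 * * * * /path/to/update_wanip.sh eth0 WANIP
```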
