topic Re: Domain based objects - what is the solution in Firewall and Security Management

Domain based objects - what is the solution

carl_t — Thu, 07 Apr 2022 13:53:50 GMT

Hi All

We are getting more and more requests for adding firewalls rules in that go to domains that use cdn's or go to multiple different ip's etc.

This is causing us a real pain.

What can we do about this? can we use dns based objects? I know this used to cause issues a long time ago, has Checkpoint now got a better solution for this?

how should I solve it?

many thanks

Re: Domain based objects - what is the solution

AaronCP — Thu, 07 Apr 2022 19:24:43 GMT

Hi @carl_t,

Are you already using Domain Objects (SK120633 ) in your rulebase? We are running R80.40 gateway & management with FQDN & non-FQDN domain objects in our rulebase and they work great.

Regardless of whether the domain resolves to one IP or multiple IPs, the gateway will allow the connection based on the IP of the DNS lookup from the domain objects.

Re: Domain based objects - what is the solution

Wolfgang — Thu, 07 Apr 2022 19:52:33 GMT

@carl_t Domain Objects are a really nice solution. But from my experience, never use none FQDN objects that‘s a real performance killer especially if you’re gateways are under attack. To check if a packet matches a rule with none FQDN object a reverse DNS request will be need. These slow down everything. I‘m surprised @AaronCP is happy with such a configuration.

There are a lot of additional objects to be used as dynamic sources or destinations. Have a look at @Kaspars_Zibarts nice presentation from CPX 360 Check Point “dynamic” Object Types & Typical Use Cases

Re: Domain based objects - what is the solution

the_rock — Thu, 07 Apr 2022 20:03:10 GMT

I agree with the guys. The sk @AaronCP provided you is really good reference. I also use those for another customer and they never had a problem.

Re: Domain based objects - what is the solution

AaronCP — Thu, 07 Apr 2022 21:10:57 GMT

Hi @Wolfgang,

We have very few non-FQDN domain objects in our firewall, but you're right, having a lot of them would impact performance.

Thanks for the dynamic objects info - very useful!

Re: Domain based objects - what is the solution

the_rock — Thu, 07 Apr 2022 21:29:24 GMT

From my experience, anything up to 200 is ok...more than that, could be a problem.

Re: Domain based objects - what is the solution

AaronCP — Thu, 07 Apr 2022 21:33:01 GMT

Thanks for the tip 🙂.

Is that non-FQDN you're referring to?

Re: Domain based objects - what is the solution

the_rock — Thu, 07 Apr 2022 21:48:33 GMT

For you, no charge :). And yes, thats what I was referring to!

Andy