https://community.checkpoint.com/t5/Firewall-and-Security-Management/Using-external-DNS-security-services-with-Checkpoint-firewall/m-p/149281#M23914 <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk131852&amp;partition=Basic&amp;product=Quantum" target="_self">sk131852</A> makes note when using updatable objects that:</P><P><EM>“To work well, the DNS set on the gateways must be the same as that used by the endpoints. Otherwise, the IP-domain mapping will not match.”</EM></P><P>We can confirm when the Checkpoint gateways are on different DNS from the endpoints, use of updatable objects can break.</P><P>In our environment all endpoints point to a service like Cisco Umbrella. The Checkpoint gateways points to the ISP DNS.</P><P>We had concerns about pointing the gateways to a DNS security service because:</P><UL><LI>Some bad traffic resolves will return the DNS service sinkhole and potentially mask an issue.</LI><LI>The DNS service will have reporting, but backtracking will be painful.</LI><LI>Might this break the Anti-bot blade and alerts in some cases.</LI><LI>Can this impact other Checkpoint services?</LI></UL><P>We know updatable objects can break if the gateways and endpoints are not resolving to the same source. What can break if they are (and the source is a DNS security service like OpenDNS)?</P> Mon, 23 May 2022 18:19:53 GMT MartinZ 2022-05-23T18:19:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Using-external-DNS-security-services-with-Checkpoint-firewall/m-p/149281#M23914 <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk131852&amp;partition=Basic&amp;product=Quantum" target="_self">sk131852</A> makes note when using updatable objects that:</P><P><EM>“To work well, the DNS set on the gateways must be the same as that used by the endpoints. Otherwise, the IP-domain mapping will not match.”</EM></P><P>We can confirm when the Checkpoint gateways are on different DNS from the endpoints, use of updatable objects can break.</P><P>In our environment all endpoints point to a service like Cisco Umbrella. The Checkpoint gateways points to the ISP DNS.</P><P>We had concerns about pointing the gateways to a DNS security service because:</P><UL><LI>Some bad traffic resolves will return the DNS service sinkhole and potentially mask an issue.</LI><LI>The DNS service will have reporting, but backtracking will be painful.</LI><LI>Might this break the Anti-bot blade and alerts in some cases.</LI><LI>Can this impact other Checkpoint services?</LI></UL><P>We know updatable objects can break if the gateways and endpoints are not resolving to the same source. What can break if they are (and the source is a DNS security service like OpenDNS)?</P> Mon, 23 May 2022 18:19:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Using-external-DNS-security-services-with-Checkpoint-firewall/m-p/149281#M23914 MartinZ 2022-05-23T18:19:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Using-external-DNS-security-services-with-Checkpoint-firewall/m-p/149283#M23915 <P>Hey,</P><P>&nbsp;</P><P>On our whole environment we use Umbrella DNS and we didn't had any issues with CheckPoint FQDN objects.</P><P>Whatever Umbrella DNS doesn't catch, CheckPoint will do.</P><P>Still CheckPoint will see the DNS requests if the GW is in path for all clients - not sure how you are set.</P><P>&nbsp;</P><P>Thank you,</P> Mon, 23 May 2022 20:36:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Using-external-DNS-security-services-with-Checkpoint-firewall/m-p/149283#M23915 Sorin_Gogean 2022-05-23T20:36:11Z