topic Re: Domain Name based rule doesn't work in Firewall and Security Management

Domain Name based rule doesn't work

Exonix — Tue, 26 Jul 2022 14:51:38 GMT

Hello everyone,

there are serveral gateways 80.40. I've configured some policies with Domain Names. Almost on all FW it works, but doesn't work on one Gateway. It is resolved by gateway, but does not pass through the FW. What is wrong and how to fix it? Thank you!

Re: Domain Name based rule doesn't work

PhoneBoy — Tue, 26 Jul 2022 15:42:53 GMT

Tick the FQDN box on that object.
Otherwise, it's a classic Domain object, which actually requires reverse DNS resolution of the IP address(es) in question.
Those IP addresses do not have a reverse DNS entry, at least as far as I know.

Re: Domain Name based rule doesn't work

Chris_Atkinson — Tue, 26 Jul 2022 15:51:58 GMT

Further to @PhoneBoy suggestion are all gateways running the same JHF level, are the clients also using the same DNS as the gateway?

Re: Domain Name based rule doesn't work

Exonix — Tue, 26 Jul 2022 16:39:02 GMT

Hello @PhoneBoy

thank you for your answer. It did help, but only for some names:

Test-NetConnection -ComputerName mscrl.microsoft.com -port 80
ComputerName : mscrl.microsoft.com
RemoteAddress : 152.199.19.160
RemotePort : 80
InterfaceAlias : Ethernet0
SourceAddress : 192.168.30.4
TcpTestSucceeded : True

But here is still doesn't work:

Test-NetConnection -ComputerName crl.microsoft.com -port 80
WARNING: TCP connect to (87.123.248.82 : 80) failed
WARNING: TCP connect to (87.123.248.32 : 80) failed
WARNING: Ping to 87.123.248.82 failed with status: TimedOut
WARNING: Ping to 87.123.248.32 failed with status: TimedOut

ComputerName : crl.microsoft.com
RemoteAddress : 87.123.248.82
RemotePort : 80
InterfaceAlias : Ethernet0
SourceAddress : 192.168.30.4
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False

from my home PC it works:

Test-NetConnection -ComputerName crl.microsoft.com -port 80
ComputerName : crl.microsoft.com
RemoteAddress : 89.27.241.11
RemotePort : 80
InterfaceAlias : Ethernet
SourceAddress : 192.168.178.112
TcpTestSucceeded : True

Re: Domain Name based rule doesn't work

Exonix — Tue, 26 Jul 2022 16:41:23 GMT

Hello @Chris_Atkinson ,

thank you for your answer. Yes, all gateways are the same. We have updated them recently.

No, the clients and gateways are using different DNS, but this isn't a problem for the other gateways

Re: Domain Name based rule doesn't work

PhoneBoy — Tue, 26 Jul 2022 18:25:48 GMT

These objects only work properly if the DNS servers used by the clients and gateway produce the exact same results.
The easiest way to ensure this is to have the gateways and clients use the same DNS resolver.

Re: Domain Name based rule doesn't work

Rafal_N — Wed, 27 Jul 2022 14:29:41 GMT

Have You been trying Updateable objects?? From my experience it works much more deterministic then working with DomainName object for MS.

Also you can list or check what domain or what ip object is included using domains_tool:

Re: Domain Name based rule doesn't work

Exonix — Thu, 04 Aug 2022 14:58:40 GMT

thank you! this is the easiest way!