topic Re: Domain object FQDN not matching properly in Firewall and Security Management

Domain object FQDN not matching properly

nemezis_rock — Tue, 15 Aug 2023 20:03:18 GMT

Hi dears,

R81.10 JHT 109

A month ago I was testing Reverse Proxy usage. And it worked great with Access Policy.

My test Reverse Proxy rules were like this:

rule1 | https://test1.domain.example/ -> http://192.168.10.10/
rule2 | https://test2.domain.example/ -> http://192.168.20.20/

Test Security Access Rules were:

AccRule1
Source: ExternalIP1
Dst: .test1.domain.example (Domain Object FQDN)
Service: HTTPS
Action: Accept

AccRule2
Source: ExternalIP2
Dst: .test2.domain.example (Domain Object FQDN)
Service: HTTPS
Action: Accept

And it worked fine that time! ExternalIP1 was accessing .test1.domain.example and couldnt access to .test2.domain.example. All other external requests to my domain were dropping by cleanup rule.

But now Firewall stopped matching FQDNs. When ExternalIP1 is connecting to .test2.domain.example it passess traffic via AccRule1 and according to Logs destination shown as .test1.domain.example. It is not resolving FQDN.

Any suggestions?

Thanks in advance.

Re: Domain object FQDN not matching properly

PhoneBoy — Tue, 15 Aug 2023 21:56:58 GMT

Have you done any troubleshooting with the domains tool?
See: https://support.checkpoint.com/results/sk/sk161632

Re: Domain object FQDN not matching properly

nemezis_rock — Tue, 15 Aug 2023 22:32:02 GMT

Hi,

Domain Object is resolving fine.

domains_tool -report - gave just Undefined DNS servers found.

The issue is that Firewall blade matching FQDN of second.domain.example as first.domain.example. It sees not as second.domain but as first.domain.example - in Logs. First Access Rule contains first.domain.example. And even if there is no access rule for the second.domain.example but Reverse Proxy rule exists, request to second domain passess Firewall as Dst:first.domain.example and then goes to RProxy rule)

So I am a bit confused. It was working fine while testing. But now it just wont.

Look at the screenshot:

Access rule has only one service (8001) that's hidden behind RProxy and first FQDN but it forwards it to two services (8001 and 8003) because the second FQDN recognized as first and passed to PRoxy rule for 8003 service.

Re: Domain object FQDN not matching properly

PhoneBoy — Wed, 16 Aug 2023 15:58:45 GMT

When you say Reverse Proxy, you mean this functionality?
https://support.checkpoint.com/results/sk/sk110348

Regardless, you’ll probably need to consult with the TAC on this: https://help.checkpoint.com

Re: Domain object FQDN not matching properly

nemezis_rock — Thu, 17 Aug 2023 05:42:32 GMT

I've opened ticket, thanks.

Maybe it is a bug.

I will share if CP team will give me the solution.

Re: Domain object FQDN not matching properly

Wolfgang — Thu, 17 Aug 2023 06:28:16 GMT

@nemezis_rock this looks like a follow up of your formerly post https://community.checkpoint.com/t5/Security-Gateways/Implied-Rules-accepting-HTTP-HTTPS-traffic-How-to-disable-that/m-p/186974#M34401 Please have a look at my last comment.

Does test2.domain.example and test1.domain.example resolve via DNS to the same IP address ? (Should be, because you want to forward these via Reverseproxy)

If yes, you see expected behaviour, because the gateways handles the rule with an domain-object with the DNS resolved IP address and not the FQDN or URL.

Re: Domain object FQDN not matching properly

nemezis_rock — Thu, 17 Aug 2023 09:36:09 GMT

The point is that it was working fine while testing.

Firewall blade saw two FQDNs perfectly. I've created two domain objects pointed to the same GW-Extrernal address.

I found Logs especially for you)

Two separate external sources - .199 and .66. Look on the Access Rule number. One source goes through rule 5 and another through rule 4.

And here are logs which shows that fqdns is matching perfectly. Firewall blade sees every FQDN:

Now you see that Firewall Blade saw every FQDN (test123 and asdasd) perfectly even if they were pointed to the same IP .30.

That is my problem. Firewall Blade forgot how to do it)

By your logic, logs must show only one fqdn, and acces only via one rule. That is happening now. But back then... So i think we have to remind Firewall how to do it.

Re: Domain object FQDN not matching properly

the_rock — Thu, 17 Aug 2023 12:41:50 GMT

I read all your responses and they all seem 100% logical to me. Let us know what TAC says.

Andy

Re: Domain object FQDN not matching properly

Wolfgang — Thu, 17 Aug 2023 13:53:42 GMT

@nemezis_rock I think the different log entries are an result of the name resolution in SmartDashboard or/and logserver.

But again, if both FQDNs points to the same IP address I'm pretty sure you can't achieve this way what you want.