https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190246#M35100 <P>Hi..</P><P>yes, the policy already installed. Also i have another checkpoint and i do test by issuing '<SPAN>domain_tool -d&nbsp;</SPAN><A href="http://www.detik.com/" target="_blank" rel="nofollow noopener noreferrer">www.detik.com'</A></P><P><SPAN>and this checkpoint showing ip address of detik.com but not for my 1st checkpoint.</SPAN></P> Wed, 23 Aug 2023 07:13:22 GMT handiansudianto 2023-08-23T07:13:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190081#M35062 <P>Hello,</P><P>&nbsp;</P><P>I make a test rule to allowing one server access to ww.detik.com, i create domain object with .detik.com</P><P>But i think the domain object is not working, the server still can't access to the <A href="http://www.detik.com," target="_blank" rel="noopener">www.detik.com,</A>&nbsp;tick and untick the FQDN on the domain object not helping.&nbsp;</P><P>Anyone know how about this?</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Tue, 22 Aug 2023 08:30:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190081#M35062 handiansudianto 2023-08-22T08:30:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190082#M35063 <P>As you do not show the rule created and the object in detail it is very hard to help here. Did you follow <A href="https://support.checkpoint.com/results/sk/sk120633" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk120633</A> ? Also read <A href="https://support.checkpoint.com/results/sk/sk90401" target="_blank">https://support.checkpoint.com/results/sk/sk90401</A></P> Tue, 22 Aug 2023 08:45:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190082#M35063 G_W_Albrecht 2023-08-22T08:45:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190093#M35064 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21294">@G_W_Albrecht</a>&nbsp;</P><P>&nbsp;</P><P>yes l already follow the reference article, and here i send my rule</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="cp1.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22159i5FE86F4CCEBC6B02/image-size/large?v=v2&amp;px=999" role="button" title="cp1.JPG" alt="cp1.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Ticked or not the rule is not working</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="cp2.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22160iC10B26AE16DC9A89/image-size/medium?v=v2&amp;px=400" role="button" title="cp2.JPG" alt="cp2.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Result :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="CP3.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22161iCA5540B3120DFA09/image-size/medium?v=v2&amp;px=400" role="button" title="CP3.JPG" alt="CP3.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="cp4.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22162iB93ABE6CA6A4EB2B/image-size/medium?v=v2&amp;px=400" role="button" title="cp4.JPG" alt="cp4.JPG" /></span></P> Tue, 22 Aug 2023 09:01:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190093#M35064 handiansudianto 2023-08-22T09:01:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190094#M35065 <P>And which rule does match and drop the traffic, cleanup rule ? Why do you use Any service for the rule ?</P> Tue, 22 Aug 2023 09:16:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190094#M35065 G_W_Albrecht 2023-08-22T09:16:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190145#M35077 <P>Non-FQDN objects require the ability to reverse-resolve the IP address to the relevant domain.<BR />FQDN objects require a forward lookup on the relevant FQDN.<BR />Have you confirmed the gateway can actually do this?<BR />See also:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk161632" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk161632</A>&nbsp;(to troubleshoot)<BR />Maybe also see if the following will help:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk161612" target="_blank">https://support.checkpoint.com/results/sk/sk161612</A>&nbsp;</P> Tue, 22 Aug 2023 13:40:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190145#M35077 PhoneBoy 2023-08-22T13:40:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190210#M35093 <P>Yes the traffic dropped by cleanup rule. Since i only need the server access to some websites so i set the service as 'Any'.</P><P>It's wrong?</P> Wed, 23 Aug 2023 00:39:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190210#M35093 handiansudianto 2023-08-23T00:39:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190213#M35094 <P>Hello,</P><P>Yes the gateway can do forward lookup.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cp5.JPG" style="width: 823px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22173i6B436E10D1138BBE/image-size/large?v=v2&amp;px=999" role="button" title="cp5.JPG" alt="cp5.JPG" /></span></P><P>When issuing command domain_tool -d <A href="http://www.detik.com" target="_blank">www.detik.com</A>&nbsp;i got 'Domain is not attached to any IP address'</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cp6.JPG" style="width: 464px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22174i95EC3B86D9847732/image-size/large?v=v2&amp;px=999" role="button" title="cp6.JPG" alt="cp6.JPG" /></span></P> Wed, 23 Aug 2023 00:44:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190213#M35094 handiansudianto 2023-08-23T00:44:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190244#M35099 <P>Is the source IP of the server also correct?<BR />Recent policy install was done too? - Can check with "fw stat" on gateway.</P> Wed, 23 Aug 2023 07:09:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190244#M35099 Daniel_3 2023-08-23T07:09:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190246#M35100 <P>Hi..</P><P>yes, the policy already installed. Also i have another checkpoint and i do test by issuing '<SPAN>domain_tool -d&nbsp;</SPAN><A href="http://www.detik.com/" target="_blank" rel="nofollow noopener noreferrer">www.detik.com'</A></P><P><SPAN>and this checkpoint showing ip address of detik.com but not for my 1st checkpoint.</SPAN></P> Wed, 23 Aug 2023 07:13:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190246#M35100 handiansudianto 2023-08-23T07:13:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190251#M35103 <P>Did you already try '<SPAN>domains_tool -report' from&nbsp;sk161632?</SPAN></P> Wed, 23 Aug 2023 08:07:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190251#M35103 Daniel_3 2023-08-23T08:07:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190252#M35104 <P>i got 'WSDNSD and DNS servers are not synchronized' when issuing&nbsp;<SPAN>'</SPAN><SPAN>domains_tool -report'</SPAN></P><P>This can be fixed by command below right? Will this command cause a downtime?</P><P>cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "fw kill wsdnsd";<SPAN>&nbsp;</SPAN>cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd"</P> Wed, 23 Aug 2023 08:12:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190252#M35104 handiansudianto 2023-08-23T08:12:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190256#M35107 <P>Restart of WSDNSD only impacts DNS resolution of the firewall itself and no other traffic. If you have multiple domain-objects and updatable objects I would do it outside of business hours (except if all of them don't work, then it does not matter).</P><P>If it is just this one domain you can do it any time.</P> Wed, 23 Aug 2023 09:25:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190256#M35107 Daniel_3 2023-08-23T09:25:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190370#M35128 <P>Recommend engaging with the TAC here: <A href="https://help.checkpoint.com" target="_self">https://help.checkpoint.com</A></P> Wed, 23 Aug 2023 19:17:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190370#M35128 PhoneBoy 2023-08-23T19:17:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190410#M35142 <P>After restarting the WSDNSD now the domain object is working, but i still have a question about object domain.</P><P>I want to make domain object for this URL</P><P>ussus1eastprod.blob.core.windows.net<BR />ussus2eastprod.blob.core.windows.net<BR />ussus3eastprod.blob.core.windows.net<BR />ussus4eastprod.blob.core.windows.net<BR />wsus1eastprod.blob.core.windows.net<BR />wsus2eastprod.blob.core.windows.net</P><P>and i make domain object with name .blob.core.windows.net and FQDN not ticked. On my mind domain object .blob.core.windows.net can discover all URL above but when i check with command domains_tool -d&nbsp;blob.core.windows.net and i just only get one ip address. Did you know why?</P><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Aug 2023 01:09:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190410#M35142 handiansudianto 2023-08-24T01:09:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190514#M35163 <P>Because Domain Objects that aren't FQDN rely on reverse DNS to operate.<BR />When I look up the IP I get for, e.g.&nbsp;<SPAN>wsus2eastprod.blob.core.windows.net, I get an NXDOMAIN (no record found) for the IP that it resolves to.<BR />Recommend doing this with either a Custom Application/Site or put these hosts in a Network Feed in R81.20+.</SPAN></P> Thu, 24 Aug 2023 22:01:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Domain-Object/m-p/190514#M35163 PhoneBoy 2023-08-24T22:01:47Z