<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Allow a star dot domain in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214633#M40981</link>
    <description>&lt;P&gt;R81.20 and Network Feeds.&lt;BR /&gt;Make sure you can leverage Passive DNS learning also:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk161612" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk161612&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 17 May 2024 02:42:23 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2024-05-17T02:42:23Z</dc:date>
    <item>
      <title>Allow a star dot domain</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214603#M40968</link>
      <description>&lt;P&gt;Quick question, what is the best way to allow a *.domain in Check Point?&amp;nbsp; I know you can create a Domain Object, and if you check the box for FQDN mode, then the gateway queries the FQDN hostname you enter for the object, and whatever IP Addresses it returns, it caches those and treats traffic to/from those IPs as matching the Domain Object.&amp;nbsp; If you leave FQDN unchecked, you can enter a whole domain, but what the Gateway does is reverse lookup the IP Address of the traffic, and if the PTR record from the reverse lookup matches the domain name you specify in the object, then the traffic is treated as matching that object.&lt;/P&gt;&lt;P&gt;The problem with that is, most orgs don't populate PTR records.&amp;nbsp; Also anything hosted in Azure, AWS, or other public clouds will usually have a PTR record associated with the cloud provider, and not with the customer domain.&lt;/P&gt;&lt;P&gt;In other words, using the Domain Object without FQDN toggled is not really a good way to allow a *.domain.&lt;/P&gt;&lt;P&gt;You can do a Custom Site URL list, but my understanding is this is used by the URL filtering blade, requires SSL inspection, and may not work in a security rule, such as "allow port 1234 to *.domain" as the customer is requesting.&lt;/P&gt;&lt;P&gt;What other best practices or recommendations exist to accomplish the above?&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2024 01:19:54 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214603#M40968</guid>
      <dc:creator>Cypress</dc:creator>
      <dc:date>2024-05-17T01:19:54Z</dc:date>
    </item>
    <item>
      <title>Re: Allow a star dot domain</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214605#M40970</link>
      <description>&lt;P&gt;I made it work before without SSL inspection. Just make sure the URLF blade is on, APPC as well preferably, and enable the URL blade in the policy layer editor. I always follow this logic... say you want to block anything TikTok, I just create a custom app site and add *tiktok*&lt;/P&gt;
&lt;P&gt;Install policy, test. Only downside is that obviously without SSL inspection, there is no further checking if the page is blocked, plus the block page is non-existent, which can confuse users.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2024 01:30:40 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214605#M40970</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2024-05-17T01:30:40Z</dc:date>
    </item>
    <item>
      <title>Re: Allow a star dot domain</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214633#M40981</link>
      <description>&lt;P&gt;R81.20 and Network Feeds.&lt;BR /&gt;Make sure you can leverage Passive DNS learning also:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk161612" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk161612&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2024 02:42:23 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214633#M40981</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-05-17T02:42:23Z</dc:date>
    </item>
    <item>
      <title>Re: Allow a star dot domain</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214677#M40986</link>
      <description>&lt;P&gt;Custom Application/Site objects do require the firewall have URL Filtering enabled, but they don't require HTTPS Inspection to be enabled. Instead, go to Manage &amp;amp; Settings &amp;gt; Blades &amp;gt; Application Control &amp;amp; URL Filtering &amp;gt; Advanced Settings &amp;gt; General &amp;gt; URL Filtering and make sure "Categorize HTTPS websites" is checked. That allows matching HTTPS connections without HTTPS Inspection.&lt;/P&gt;
&lt;P&gt;From there, you just need to make an object to match the site. I spent some time about a year ago figuring out how Check Point's matching expressions work and &lt;A href="https://community.checkpoint.com/t5/Security-Gateways/Custom-Application-Site-Findings/m-p/179606#M32883" target="_self"&gt;posted my findings here&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2024 13:51:03 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Allow-a-star-dot-domain/m-p/214677#M40986</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2024-05-17T13:51:03Z</dc:date>
    </item>
  </channel>
</rss>