<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Troubleshooting the FQDN Domain Object in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Troubleshooting-the-FQDN-Domain-Object/m-p/224502#M43137</link>
    <description>&lt;P&gt;Unless your clients are using the exact same DNS servers as the gateway, this issue is bound to occur.&lt;BR /&gt;See also:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk161612" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk161612&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 26 Aug 2024 13:16:12 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2024-08-26T13:16:12Z</dc:date>
    <item>
      <title>Troubleshooting the FQDN Domain Object</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Troubleshooting-the-FQDN-Domain-Object/m-p/224444#M43131</link>
      <description>&lt;P&gt;Hello, had a quick issue today.&amp;nbsp; We had traffic failing to match a rule where the destination object used in the rule was a FQDN Domain Object.&lt;/P&gt;&lt;P&gt;The reason for using a Domain Object here is that the destination is an Azure SQL Database using Public Endpoint, where the IP Address will change frequently.&amp;nbsp; By using the Domain Object, we're able to permit the traffic no matter if the Public IP randomly changes or not.&amp;nbsp; This is great, when it works.&lt;/P&gt;&lt;P&gt;When the traffic was not matching, we had to create a single IP Address/Host object to allow it as a work-around.&amp;nbsp; Usually the traffic for this flow hits a different gateway cluster of ours, but due to some failover testing, the traffic was hitting a new gateway cluster.&amp;nbsp; However, on this other cluster, we still have the same rule installed.&lt;/P&gt;&lt;P&gt;Now that the work-around was in place, I wanted to understand better what went wrong, so after doing some searching I found the command to troubleshoot domain objects is domains_tool (sk161632), and I proceeded to log into the security gateway in question and used the domains_tool -d command for the FQDN in the object.&amp;nbsp; The returned output was indeed "Domain is not attached to any IP Address."&lt;/P&gt;&lt;P&gt;I then tried to just ping the FQDN from the gateway, and it resolved to the expected IP address.&amp;nbsp; Now when I ran the domains_tool -d command again right after doing the ping, now it is showing it bound to the expected IP Address?&lt;/P&gt;&lt;P&gt;Not sure if this is a job for TAC, or is there any other simple troubleshooting we can do?&amp;nbsp; I did confirm through logs that the domain resolved to 3 different IP Addresses in an hour, so maybe that threw things off a bit?&lt;/P&gt;</description>
      <pubDate>Sun, 25 Aug 2024 16:46:27 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Troubleshooting-the-FQDN-Domain-Object/m-p/224444#M43131</guid>
      <dc:creator>Cypress</dc:creator>
      <dc:date>2024-08-25T16:46:27Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshooting the FQDN Domain Object</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Troubleshooting-the-FQDN-Domain-Object/m-p/224502#M43137</link>
      <description>&lt;P&gt;Unless your clients are using the exact same DNS servers as the gateway, this issue is bound to occur.&lt;BR /&gt;See also:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk161612" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk161612&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 26 Aug 2024 13:16:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Troubleshooting-the-FQDN-Domain-Object/m-p/224502#M43137</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-08-26T13:16:12Z</dc:date>
    </item>
  </channel>
</rss>

