topic Re: Amount of FQDN Domains in Firewall and Security Management

Amount of FQDN Domains

smorales31 — Mon, 31 Mar 2025 17:15:29 GMT

Hello,
I would like to know how many domains a Gateway supports, with more than 5,000 FQDN domains?

Re: Amount of FQDN Domains

PhoneBoy — Mon, 31 Mar 2025 17:39:03 GMT

In what capacity are you using FQDN Domains?
There's a couple different limits involved here:

How FDQN Objects are resolved: https://support.checkpoint.com/results/sk/sk90401
- There is a limit in the number of entries in the relevant tables
Number of objects supported: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RN/Content/Topics-RN/Maximum-Supported-Items.htm
Number of Network Feed objects (R81.20+, believe it is 500).

Depending on your exact use case, there may be ways to mitigate these limits.

Re: Amount of FQDN Domains

the_rock — Mon, 31 Mar 2025 17:46:17 GMT

Let us know if you find the official answer. Below is what AI shows : - )

Andy

In Check Point, you can define FQDN objects to match traffic to specific domains, with a limit of 100 FQDN objects and 1000 domains per account, and each FQDN object can contain a maximum of 1000 domains.

Here's a more detailed breakdown:

FQDN Object Limits:
A firewall supports a total of 100 FQDN objects.

FQDN objects can contain a maximum of 1000 domains per account.
Examples of FQDN Object Usage:
One FQDN object per rule, across 100 rules.

100 FQDN objects contained in a single rule.

Ten FQDN objects containing 100 domains each.

100 FQDN objects containing ten domains each.

Re: Amount of FQDN Domains

smorales31 — Mon, 31 Mar 2025 20:04:53 GMT

Understanding that the network objects in each domain are 100,000,

There is no defined limit for domain objects, correct?

Could there be 100,000 domain objects?

Knowing that it may affect performance.

Re: Amount of FQDN Domains

PhoneBoy — Mon, 31 Mar 2025 20:23:39 GMT

Considering:

The default table sizes for the various domain objects tops out at 25,000
The gateway tries to resolve the IPs for FQDNs every second

I suspect you will have serious issues with that many domains.
Which raises the question of what the actual use case is here.

Re: Amount of FQDN Domains

smorales31 — Wed, 02 Apr 2025 14:57:37 GMT

Hi,

So, can 100 FQDN objects and 1000 domains be created per object?

What I don't understand is if an FQDN object can only have one domain added, for example, .eltiempo.com. So where are more domains added?

I'm not quite understanding

Re: Amount of FQDN Domains

PhoneBoy — Wed, 02 Apr 2025 19:12:16 GMT

Not sure what @the_rock promoted the AI with, but that answer is flat out wrong as a domain object can only hold a SINGLE FQDN.
There are multiple type of objects that can be used depending on the exact use case and capabilities are.
I suggest you have a look at a session I recently did on web filtering that might help your understanding: https://community.checkpoint.com/t5/Security-Gateways/Web-Filtering-Best-Practices-March-2025-Video-and-Slides/m-p/244980#M47695

Most likely, you'll probably want to use a Network Feed object to define that many FQDNs (available in R81.20 and above).
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Network_Feed.htm

Re: Amount of FQDN Domains

the_rock — Wed, 02 Apr 2025 19:21:22 GMT

I actually looked that over myself as well and does not make much sense, agree. As @PhoneBoy advised, network feeds might be a good idea.

Andy