topic Re: FQDN: Domain vs Application in Firewall and Security Management

FQDN: Domain vs Application

britt1kj — Mon, 22 Jun 2020 21:33:39 GMT

Little Background: I am Sys admin with a little Networking background. with a very junior network guy that I am helping with probably less experience than me on this topic

Inherited a client with smart console r80.20...

I have reviewed many of the suggestion on Domain Vs Application... I am missing something and in despreate need to get this functionality working as I need suse updates, azure backups, and SQL backups for my VM's.

I simply need to add *.opensuse.org, so I can get to a.opensuse.org, b.opensuse.org, c,opensuse.org

I've added a domain rule for .opensuse.org with FQDN unchecked - I tried both.

I am still not able to telnet to any of the services or anything.

What am I suppose to do to get all the subdomains added?

Thank you very much in advance

Re: FQDN: Domain vs Application

PhoneBoy — Mon, 22 Jun 2020 21:55:09 GMT

There are two types of objects that are relevant here: FDQN Domain Objects and Custom Application/Site.
For a detailed discussion about this: https://community.checkpoint.com/t5/General-Topics/Domain-objects-FQDN-mode-vs-Custom-Applications-Sites/m-p/84543

While we support domain objects that allow *.somedomain.com, it relies on Reverse DNS (rarely works) and disables SecureXL templates (decreased performance).
In R80.40, assuming the DNS queries always go through the gateway, mappings can be learned passively by observing the DNS queries to the trusted DNS server.
That resolves the "Reverse DNS" problem with Domain Objects but not the performance issue, as far as I know.
See: https://community.checkpoint.com/t5/General-Topics/DNS-Passive-Learning-Design-Question/m-p/77213#M15705

All of this boils down to the following:
1. If the traffic is HTTP/HTTPS, you can use Custom Application/Sites.
2. If the traffic is anything else, Domain Objects should be used. Unless you are using R80.40 and DNS queries go through the gateway to a trusted DNS server, you will have to create an object for each FQDN to allow.

Re: FQDN: Domain vs Application

britt1kj — Tue, 23 Jun 2020 15:59:46 GMT

Okay, sounds good... Is there a guide to whitelisting through Custom Application/Sites

I can see where to create but can't figure out where it applies to.

Re: FQDN: Domain vs Application

PhoneBoy — Tue, 23 Jun 2020 16:56:22 GMT

It comes down to having an explicit rule in your Access Policy that allows the desired traffic.
In the case of a Custom Application/Site, it means having a rule that uses the object you created as the Service/Application (note that it only applies to Web traffic).
In the case of a Domain Object, it means having a rule that uses the Domain Object as the destination and the relevant services listed in the rule.

Re: FQDN: Domain vs Application

Maarten_Sjouw — Tue, 23 Jun 2020 20:48:05 GMT

The method we use is quite simple:
You create a Custom Category called Whitelist and one called Blacklist
You add a rule to the Application control policy that will allow traffic to the Whitelist category. and above it you add a rule that blocks the Blacklist category.,
Now when you need to add a custom Application/Site to the whitelist or blacklist, while creating it you just set the Category to the desired Whitelist or Bracklist.
Now when you push policy the newly added site is already added to the list and will be allowed/blocked accordingly.

Re: FQDN: Domain vs Application

britt1kj — Wed, 24 Jun 2020 14:36:28 GMT

Thanks for the Reply!

I have a simple Domain base rule section with an action Accept... I've published many times but no matter what I've I cannot telnet to any other sites. Its getting blocked on our catch rules...

Very new with this appliance, I appreciate your patience and understanding.

Re: FQDN: Domain vs Application

Maarten_Sjouw — Wed, 24 Jun 2020 14:49:26 GMT

Publish does not install the policy on your gateway!!
You need to click the Install Policy button, top left or when looking at the policy in the top in the middle.