topic Re: Cannot Resolve FQDN to hostname from the API in API / CLI Discussion

Cannot Resolve FQDN to hostname from the API

sayala — Fri, 27 Sep 2024 17:23:04 GMT

I am creating a process the takes hosts and automatically adds them to a group.

When the hosts come in, I receive the FQDN, without the IP.

When I want to look up the host by FQDN using the show-hosts endpoint, I can't get anything to resolve. I would really like to add all my FQDNs to the host. Right now, show-host only shows the IP, hostname(current hostname is the IP), and domain.

I've read about using domain objects, but every time I try to show-domain, whether through UID or name, it tells me it doesn't exist. Its the SMC User domain and everything is under it. It definitely exists. When I show-domains, I receive an empty return. I also tried global-domain, but that was empty. The only thing that comes back the the show-dns-domains, which all say they are under the SMC User domain.

Is there a way, or what would be the best way to correlate the FQDN and IP through the API? I know its done in the SmartConsole, I just don't understand why I wouldn't be able to do it in the API.

Re: Cannot Resolve FQDN to hostname from the API

PhoneBoy — Fri, 27 Sep 2024 19:13:16 GMT

"hosts" in this case refer to host objects in SmartConsole.
These objects only have a single IPv4 and/or a single IPv6 address associated with it.
It is not possible to add FDQNs or multiple IPs to a host object.

add-domain is specific to a Multi-Domain environment and refers to the management (not FQDN) domains.
If you want to create an object for an FDQN in a rule, you need to create a domain object (add-dns-domain with is-sub-domain false): https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-dns-domain~v1.9.1%20
When FDQN objects exist in the active policy, the gateway will periodically resolve these FDQN objects to IP addresses.

Whether you use host objects, FQDN objects, or a combination of the two, you can add them to a group object as desired.

Another approach, which doesn't necessarily involve the API, is to use a Network Feed object.

Re: Cannot Resolve FQDN to hostname from the API

sayala — Mon, 30 Sep 2024 14:21:45 GMT

Thank you, this is very helpful.

Just to clarify, if everything is on the SMC User domain, would I create a new DNS Domain called SMC User, mark sub-domain as false, and the objects will sync over? Or would I need to create a new domain with a different name?
How would I know if the FDQN objects exist in the active policy? If I can resolve the IP on the console, does that mean it should be in there?
Sorry for the additional questions - just always like to be sure about things before changing firewall rules.

Re: Cannot Resolve FQDN to hostname from the API

PhoneBoy — Mon, 30 Sep 2024 15:10:52 GMT

"SMC User" is not a valid name for a DNS Domain object.
It needs to be something of the format ".example.com" (with the leading period) like so:

Note the icon for the object type.
You can review the active Access Policy to see if you can find objects with this icon.
To see if any domains are in the active policy installed on the gateway, run the following on the gateway: domains_tool -report (see https://support.checkpoint.com/results/sk/sk161632)

The ability for the gateway to resolve the specific FQDN to an IP address is a necessary condition for a Domain Object to work.
Your clients and gateway should use the same DNS servers to ensure the correct IPs are allowed.
If the gateway can resolve a specific FDQN, it doesn't mean it's used in the active policy.

See also for DNS Passive Learning: https://support.checkpoint.com/results/sk/sk161612