topic Application control question - help in General Topics

Application control question - help

carl_t — Fri, 16 Oct 2020 09:39:03 GMT

Hi All

I have a question around application control if it will help me solve an issue.

We use Salesforce in the cloud which is access by some servers, we find we have to keep changing the normal firewall rulebase because it uses Akamai content delivery network with ever changing ip addresses.

My question is, could we use application control to solve this issue?

what would the normal firewall security policy look like for this?

would I allow port 80/443 to anywhere, then create an application policy that denies these servers to all apps except sales force, then create a any any app rule after that?

would this work?

cheers

Re: Application control question - help

G_W_Albrecht — Fri, 16 Oct 2020 09:53:57 GMT

You could use a Domain Object to achieve tis.

Re: Application control question - help

carl_t — Fri, 16 Oct 2020 10:25:10 GMT

Hi, I believe these aren't recommended, we have used before and it caused issues with the dns lookups, also the dns lookups need to come from an authoritative dns servver

Re: Application control question - help

Timothy_Hall — Fri, 16 Oct 2020 11:23:13 GMT

Prior to version R80.10, Domain Objects were most definitely not recommended and could easily cause the issues you mentioned. However in R80.10 and later the implementation of Domain Objects was significantly revamped, and they are much less likely to cause issues now. See the SK mentioned earlier in this thread for more info about the changes.

Re: Application control question - help

_Val_ — Mon, 19 Oct 2020 10:05:03 GMT

@carl_t , both @Timothy_Hall & @G_W_Albrecht are right, you need to use FQDN domain object. This option is available in R80.x versions.

More info here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120633