topic Need a little help please in General Topics

Need a little help please

Jen_Brown — Wed, 02 May 2018 14:55:50 GMT

We’re running v 77.30 and my firewall guys are telling me that we can’t use a DNS service without a proxy. However we have some calls that can’t be proxied. They are currently hard coding the IP addresses for those partners – but as you know, IPs change and sure enough, it broke at 12am Sat morning and was down all weekend. There has to be a better way to resolve domains than hard coding IPs. Do you have any ideas or suggestions?

Thank you!

Re: Need a little help please

Daniel_Taney — Wed, 02 May 2018 20:22:41 GMT

Is there any chance the IP address shifts within a specific range? There were times where we just created a network object or IP range for access to a vendor.

Sometimes I've been able to get a list of IP ranges from the vendor and make a group based on their list.

I guess none of this helps you if the host resolves to a CDN network or AWS, though.

Re: Need a little help please

PhoneBoy — Wed, 02 May 2018 20:39:20 GMT

It's certainly possible for organizations to set up DNS in such a way that an internal DNS server is only able to resolve internal (non-Internet) addresses.

If internal resources want to reach the Internet in this situation, they are forced to use a proxy to do so.

This is usually for HTTP/HTTPS, and the proxy server generally has access to DNS servers capable of resolving addresses.

It sounds like you have some application that can't use this sort of proxy and has been given direct access to the Internet.

However, you need to know what IP address the connection uses because you do not have access to Internet DNS.

None of the above has anything to do with Check Point, or any specific security gateway vendor for that matter.

It's a function of how the environment is set up.

Once you solve the DNS problem on the client side, there's the matter of allowing access to that IP (whatever it is).

That would be where Check Point is relevant to the discussion.

If the relevant parties want to have a discussion about that portion, they can do so here, through our TAC, Check Point account team, etc.

Re: Need a little help please

Jen_Brown — Wed, 02 May 2018 20:42:03 GMT

Yeah it resolves to AWS. What we need is a fw rule to a non-static ip or dns entity; Or a fw rule to a cloud hosted server. Ideas?

Re: Need a little help please

Daniel_Taney — Wed, 02 May 2018 20:50:39 GMT

Jen,

Check out this sk article "Best Practices - Working with Domain Objects (Pre R80.10)" as far as I know, these are the definitive options for pre-R80.10 Gateways!

If you go the route of creating a domain object, try to put it as close to the bottom of the policy as possible!

Re: Need a little help please

PhoneBoy — Wed, 02 May 2018 20:51:22 GMT

This is much easier in R80.10 where you can use an FDQN Domain object in the access policy.

In earlier releases like R77.30, see my answer in this thread: Dynamic Objects (URL)

Re: Need a little help please

Jen_Brown — Wed, 02 May 2018 22:05:42 GMT

I knew there had to be a way to do this. Thank you so much! I'm going to pass this along to my guys.

You just made my day - thanks again!