topic Understanding Domain Object in General Topics

Understanding Domain Object

handiansudianto — Thu, 30 Jan 2025 02:51:08 GMT

Our windows defender is not connecting to the Microsoft portal, then when i run the script from Microsoft i can see the traffic to winatp-gw-cus.microsoft.com is blocked.

From the microsoft documentation there are several winatp subdomain such as :

winatp-gw-aue.microsoft.com
winatp-gw-aus.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
winatp-gw-neu3.microsoft.com
winatp-gw-weu3.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-cus3.microsoft.com
winatp-gw-eus3.microsoft.com

Then i try to make domain object .microsoft.com and the traffic still blocked.

So anyone here can help me to understanding about domain object in the checkpoint? What in my mind is when we create .microsoft.com this same with *.microsoft.com and all hosts and sub domains under microsoft.com will be permitted.

Re: Understanding Domain Object

PhoneBoy — Thu, 30 Jan 2025 03:39:48 GMT

Non-FDQN Domain Objects use Reverse DNS to determine if a particular IP is covered by it or not.
In most cases, this will fail.

Another way to get the information is via Passive DNS: https://support.checkpoint.com/results/sk/sk161612
This requires your gateway to be between your clients and their DNS query as well as other possible changes.

You are better off defining FDQN Domain Objects here.

Re: Understanding Domain Object

handiansudianto — Thu, 30 Jan 2025 03:59:33 GMT

hi @PhoneBoy

So for my requirement we can't achieve by only create domain object?

Re: Understanding Domain Object

PhoneBoy — Thu, 30 Jan 2025 14:55:43 GMT

The only way to make a non-FQDN Domain object "work properly" is to leverage Passive DNS, which may require networking changes.

If you can't make those changes, you will need to use FDQN Domain Objects (which are resolved via forward lookup).
However, if the DNS servers used by the clients and gateways are different and they resolve the FDQNs differently (e.g. because of Geolocation or similar), you will also have issues.