topic Re: FQDN routing in Spark Firewall (SMB)

FQDN routing

Softwhere — Wed, 26 Jul 2023 08:40:48 GMT

Hello,

Would like to know if it is possible with a 1500 device to route FQDN. Would like to have 1 Public IP Address but route (NAT) different FQDN to internal IP Addresses.

If not possible using R81.10 which devices (FW), can be used?

Thanks,

Jeff

Re: FQDN routing

G_W_Albrecht — Wed, 26 Jul 2023 09:28:12 GMT

R81.10.05 for Quantum Spark Appliances:

In Updatable objects and FQDN in Locally Managed mode (NAT / SSL / Threat Prevention) - Use fully qualified domain name (FQDN) object in the NAT policy, Threat Prevention, and SSL exceptions.

Re: FQDN routing

Softwhere — Wed, 26 Jul 2023 09:57:02 GMT

Thanks for the quick reply,

we are using FW R81.10.07, is there some directions how to put the FQDN in NAT?

Greets,

Re: FQDN routing

PhoneBoy — Wed, 26 Jul 2023 13:38:40 GMT

Create the relevant object, create a rule involving it?
phoneboy.com here is an object of type Domain.

Re: FQDN routing

G_W_Albrecht — Wed, 26 Jul 2023 13:44:20 GMT

https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Defining-NAT-Control.htm?Highlight=FQDN

Re: FQDN routing

Softwhere — Wed, 26 Jul 2023 14:22:47 GMT

That would exactly be my question, how to put a FQDN in "original Destination" in your screen shot it is phoneboy.com how is that created?

Re: FQDN routing

PhoneBoy — Wed, 26 Jul 2023 16:48:48 GMT

You create an object of type Domain.
It can be done while creating the manual NAT rule like so:

Re: FQDN routing

Softwhere — Wed, 26 Jul 2023 17:08:07 GMT

I tried that but how to make a reference to the internal IP Address? The Internal DNS Server does refers to the Privat IP Address however coming from outside it is not being sent to the Internal IP. In Network objects is the FQDN ftp....com as domain name, and have NAT Rule any; ftp...com; any; Original; Original;Original

Also tried Translated Destination to Internal IP but does not cooperate either.

Re: FQDN routing

PhoneBoy — Wed, 26 Jul 2023 18:39:44 GMT

To get the internal FQDN, you will need to configure the gateway to use Internal DNS servers, not the external one.
If this isn't working with an internal IP (i.e using a host object), then we need to see more about the configuration including a simple network topology and the precise configuration made (with sensitive details redacted).
Note if you are using the firewall's external IP for inbound communication, do not create a NAT rule, use a Server object instead.

Re: FQDN routing

Softwhere — Thu, 07 Sep 2023 15:04:33 GMT

Hello to all hope everyone is healthy, sorry for not replying sooner seems more work than play right now. Assume the same for you all.

First of all we always configure the firewall to use internal DNS Servers, particularly for Remote users. The FW, when pinging the FQDN returns the correct internal IP Address.

Regarding NAT we have added manually rule:

Source = any; Destination = FQDN; Service=any; Translated source = Orginal; Translated destination = FQDN; translated service= orginal

We are running R81.10.07 (996001430) FW

Hope to find a solution, probably something simple that I am missing.

Thanks

Re: FQDN routing

PhoneBoy — Thu, 07 Sep 2023 17:52:58 GMT

You have the same destination for the original and translated packet.
You will need to use the external IP (or an FQDN that resolves to the external IP) as the destination IP.

Re: FQDN routing

Softwhere — Fri, 08 Sep 2023 10:26:24 GMT

I think i missunderstand something, the objective is to use 1 public IP Address, however when externally the url is put in, for example, ftp.y-it.net that should go to the internal server ftp.y-it.net when, from extern the url www.y-it.net then that should be routed or Nated to a different internal server. If we put in the orginal destination the Public IP everything will go to the one server, whether using domain name (using the Internal DNS Servr), or IP Address is irrelevant.

presently, for example putting in the url www.y-it.net it goes to the correct Public IP Address, however the Firewall does not send it to the proper internal IP Address.

Re: FQDN routing

PhoneBoy — Sat, 09 Sep 2023 02:16:35 GMT

Is this IP the external IP of the gateway?
In this case, you will need to create one or more server objects instead of NAT rules.
If this is not the external IP of the gateway, then you will need to create more specific NAT rules (based on connection port).
Note that if two or more such servers require the same port (e.g. you've got www.y-it.net and www2.y-it.net using HTTPS), this isn't supported and will not work.

Re: FQDN routing

Softwhere — Sat, 09 Sep 2023 07:29:05 GMT

Yes thank you very much for the info this is exactly what I wanted to know. However I do not understand why this should not be possible to route or NAT using FQDN instead of IP Addresses. This would be a very simple change and an improvement. Using the Domainname setting in Objects is really so not of an use.

BTW in this particular case we are using 2 Internet connections, one is SDSL with 5 Public IP Addresses for hosts which can easily be NATed using the Servers setting, and an addtional VDSL connection with 1 Public IP Address.

Would still strongly recommend the change for Checkpoint to be able use DNS for routing and NAT.

Re: FQDN routing

Softwhere — Sat, 09 Sep 2023 07:52:16 GMT

I should explain, I know the Internet works using IP, however in the header is also the FQDN request.

Re: FQDN routing

PhoneBoy — Mon, 11 Sep 2023 15:36:49 GMT

This may be possible if the device is managed by a Smart-1 device (i.e. not through the local WebUI).
More precisely, this requires inbound HTTPS Inspection since almost all web traffic is TLS encrypted these days with a certificate that matches all the possible websites (can be a wildcard).
Without this, it is impossible to see the relevant headers to act on them.
This definitely won't work with unencrypted HTTP traffic as that requires functionality that doesn't exist in the products (SMB or otherwise).

Unfortunately, Inbound HTTPS Inspection is not available for locally managed SMB devices: https://support.checkpoint.com/results/sk/sk178604

Re: FQDN routing

Softwhere — Tue, 12 Sep 2023 06:55:27 GMT

Thanks for the info, actually this was my very first question: "If not possible using R81.10 which devices (FW), can be used? "

If it is possible using managed Software what are the requirements, and https inspection?

Re: FQDN routing

PhoneBoy — Tue, 12 Sep 2023 15:44:04 GMT

It should be possible with your existing appliance if it is managed with a Smart-1 (Cloud).
This will also require configuring Inbound HTTPS Inspection, which will require a wildcard certificate.