sayala
Explorer

Cannot Resolve FQDN to hostname from the API

I am creating a process that takes hosts and automatically adds them to a group.

When the hosts come in, I receive the FQDN, without the IP. 

When I want to look up the host by FQDN using the show-hosts endpoint, I can't get anything to resolve. I would really like to add all my FQDNs to the host. Right now, show-host only shows the IP, hostname(current hostname is the IP), and domain. 

I've read about using domain objects, but every time I try to show-domain, whether through UID or name, it tells me it doesn't exist. It's the SMC User domain and everything is under it. It definitely exists. When I show-domains, I receive an empty return. I also tried global-domain, but that was empty. The only thing that comes back is the show-dns-domains, which all say they are under the SMC User domain.

Is there a way, or what would be the best way, to correlate the FQDN and IP through the API? I know it's done in the SmartConsole, I just don't understand why I wouldn't be able to do it in the API.


Accepted Solutions
PhoneBoy
Admin

"hosts" in this case refers to host objects in SmartConsole.
These objects only have a single IPv4 and/or a single IPv6 address associated with them.
It is not possible to add FQDNs or multiple IPs to a host object.

add-domain is specific to a Multi-Domain environment and refers to the management (not FQDN) domains.
If you want to create an object for an FQDN in a rule, you need to create a domain object (add-dns-domain with is-sub-domain false): https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-dns-domain~v1.9.1
When FQDN objects exist in the active policy, the gateway will periodically resolve these FQDN objects to IP addresses.

Whether you use host objects, FQDN objects, or a combination of the two, you can add them to a group object as desired.

Another approach, which doesn't necessarily involve the API, is to use a Network Feed object.

3 Replies
sayala
Explorer

Thank you, this is very helpful. 

Just to clarify, if everything is on the SMC User domain, would I create a new DNS Domain called SMC User, mark sub-domain as false, and the objects will sync over? Or would I need to create a new domain with a different name?
How would I know if the FQDN objects exist in the active policy? If I can resolve the IP on the console, does that mean it should be in there?
Sorry for the additional questions; I just always like to be sure about things before changing firewall rules.

PhoneBoy
Admin

"SMC User" is not a valid name for a DNS Domain object.
It needs to be something of the format ".example.com" (with the leading period) like so:

[image.png]

Note the icon for the object type.
You can review the active Access Policy to see if you can find objects with this icon.
To see if any domains are in the active policy installed on the gateway, run the following on the gateway: domains_tool -report (see https://support.checkpoint.com/results/sk/sk161632).

The ability for the gateway to resolve the specific FQDN to an IP address is a necessary condition for a Domain Object to work.
Your clients and gateway should use the same DNS servers to ensure the correct IPs are allowed.
If the gateway can resolve a specific FQDN, it doesn't mean it's used in the active policy.

See also for DNS Passive Learning: https://support.checkpoint.com/results/sk/sk161612 

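An added example (not from this thread or from Check Point's own code) that builds the request sequence the answers describe: normalize each FQDN to the leading-period form a DNS Domain object needs, reject names such as "SMC User" that are not DNS names, create each object with add-dns-domain (is-sub-domain false), add them to a group with set-group, then publish. The group name, management URL and session id are assumptions; the HTTP helper assumes the standard /web_api path.

```python
"""Build Check Point Management API requests that turn a list of FQDNs into
DNS Domain objects and collect them in a group. Constructed example; the
planning functions are pure so the sequence can be inspected offline."""
import json
import re
import urllib.request

# Hostname labels per RFC 1123: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def to_domain_object_name(fqdn: str) -> str:
    """Return the '.example.com' form a DNS Domain object needs (leading period),
    or raise ValueError for names such as 'SMC User' that are not DNS names."""
    name = fqdn.strip().rstrip(".").lstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid FQDN for a DNS Domain object: {fqdn!r}")
    return "." + name

def add_dns_domain_body(fqdn: str) -> dict:
    """Payload for add-dns-domain; is-sub-domain false matches only this FQDN."""
    return {"name": to_domain_object_name(fqdn), "is-sub-domain": False}

def set_group_body(group: str, fqdns: list) -> dict:
    """Payload for set-group that adds the domain objects as members."""
    return {"name": group,
            "members": {"add": [to_domain_object_name(f) for f in fqdns]}}

def plan_requests(group: str, fqdns: list) -> list:
    """Ordered (command, body) pairs: create each object, add to group, publish."""
    steps = [("add-dns-domain", add_dns_domain_body(f)) for f in fqdns]
    steps.append(("set-group", set_group_body(group, fqdns)))
    steps.append(("publish", {}))
    return steps

def send(base_url: str, sid: str, command: str, body: dict) -> dict:
    """POST one command to the Management API (sid comes from a prior 'login').
    Assumes the default web_api path and a trusted server certificate."""
    req = urllib.request.Request(
        f"{base_url}/web_api/{command}", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed input; replace the print with send(...) against a real server.
    for cmd, body in plan_requests("auto-fqdn-group",
                                   ["www.example.com", "api.example.com."]):
        print(cmd, json.dumps(body))
```

Run the planned commands in order after a successful login; the last step, publish, is what makes the new objects visible to policy installation.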