- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: Domain object based rules are inconsistent
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Domain object based rules are inconsistent
Hello,
We have Checkpoint network security gateways deployed in AWS using GWLB deployment (R80.40).
I noticed that firewall rules which are using domain objects are not consistent. For example if I allow access to google.com, server resolves to 142.250.186.46.
Then I verify on each gateway:
GW1:
domains_tool -ip 142.250.186.46
---------------------------------------------------------------------------------------------------
| Given IP address: 142.250.186.46 |
---------------------------------------------------------------------------------------------------
| Domain name | FQDN |
---------------------------------------------------------------------------------------------------
| google.com | yes |
---------------------------------------------------------------------------------------------------
Total of 1 domains found
GW2:
domains_tool -ip 142.250.186.46
No information about the IP address
GW3:
domains_tool -ip 142.250.186.46
No information about the IP address
All of the gateways are in the same region and point to the same DNS server.
How can I make sure each GW maintain accurate collection of IPs?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd check a couple of SKs here:
- Passive DNS Learning (may be useful): https://support.checkpoint.com/results/sk/sk161612
- Troubleshooting with domains_tool: https://support.checkpoint.com/results/sk/sk161632
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Passive DNS might be difficult to achieve, since each resource point to AWS dns and this traffic won't pass through gateways.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One time I had this issue with the customer, we disabled/re-enabled the rule, installed policy and failed. Then, after some time, TAC told us to do the same, but disable accelerated policy push and that worked.
I dont know, maybe we got lucky, but never happened after that.