abihsot__
Advisor

Domain object based rules are inconsistent

Hello,

We have Checkpoint network security gateways deployed in AWS using GWLB deployment (R80.40).


I noticed that firewall rules which are using domain objects are not consistent. For example, if I allow access to google.com, the server resolves to 142.250.186.46.

Then I verify on each gateway:

GW1:

domains_tool -ip 142.250.186.46
---------------------------------------------------------------------------------------------------
| Given IP address: 142.250.186.46 |
---------------------------------------------------------------------------------------------------
| Domain name | FQDN |
---------------------------------------------------------------------------------------------------
| google.com | yes |
---------------------------------------------------------------------------------------------------
Total of 1 domains found


GW2:

domains_tool -ip 142.250.186.46
No information about the IP address


GW3:

domains_tool -ip 142.250.186.46
No information about the IP address


All of the gateways are in the same region and point to the same DNS server.

How can I make sure each GW maintains an accurate collection of IPs?


0 Kudos
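To turn the manual check above into something repeatable, here is an added example script (not from the thread, not Check Point's own tooling) that resolves a domain object's FQDN from the management host, runs domains_tool -ip for each resulting address on every gateway, and reports any gateway whose domains_tool does not map the address back to the domain. It assumes the gateways are reachable over SSH in expert mode (the host names gw1, gw2, gw3 are hypothetical) and that domains_tool prints either the "| <domain> | <yes/no> |" table or "No information about the IP address" as shown in the post.

```shell
#!/bin/bash
# Added example: cross-gateway consistency check for domain-object IP learning.
# Assumptions (not from the thread): passwordless SSH to each gateway in expert
# mode, and domains_tool output in the two formats quoted in the original post.

# Extract the domain names from captured "domains_tool -ip <ip>" output.
# Prints one domain per line; prints nothing when the IP is unknown.
parse_domains_tool_output() {
    # Table rows look like "| google.com | yes |"; skip the two header rows.
    printf '%s\n' "$1" | awk -F'|' '
        /^\|/ && $2 !~ /Given IP address|Domain name/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2
        }'
}

# Resolve a domain to its current IPv4 addresses using the local resolver.
resolve_domain() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Run domains_tool for one IP on one gateway (hypothetical SSH host names).
query_gateway() {
    ssh "$1" "domains_tool -ip $2" 2>/dev/null
}

# For each resolved IP, print whether every gateway maps it back to the
# domain. Returns 1 if at least one gateway is inconsistent.
check_domain_consistency() {
    domain=$1; shift
    rc=0
    for ip in $(resolve_domain "$domain"); do
        for gw in "$@"; do
            out=$(query_gateway "$gw" "$ip")
            if parse_domains_tool_output "$out" | grep -qx "$domain"; then
                echo "$gw: $ip -> $domain (ok)"
            else
                echo "$gw: $ip NOT mapped to $domain"
                rc=1
            fi
        done
    done
    return $rc
}

# Example invocation from the management host (commented out so the file can
# be sourced without network access):
# check_domain_consistency google.com gw1 gw2 gw3
```

Because the resolver on the management host and the resolvers on the gateways may return different addresses for the same FQDN, a "NOT mapped" line is a signal to compare what each gateway actually resolved, not proof that the gateway is broken; run the check a few times over the domain object's TTL before concluding the learned IP sets have diverged.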
3 Replies
PhoneBoy
Admin

I'd check a couple of SKs here:

0 Kudos
abihsot__
Advisor

Thanks. Passive DNS might be difficult to achieve, since each resource points to AWS DNS and this traffic won't pass through the gateways.

0 Kudos
the_rock
Legend

One time I had this issue with a customer: we disabled/re-enabled the rule, installed policy, and it failed. Then, after some time, TAC told us to do the same, but disable accelerated policy push, and that worked.

I don't know, maybe we got lucky, but it never happened after that.

0 Kudos
