Ankur_Datta

Domain Object issue on R77.30

Hi Moderators,

We have an MDS that hosts multiple CMAs, with gateways on R77.30 and R80.10 code. We got a request to create an FQDN object to fulfill one requirement.

I created a non-FQDN object (e.g. the URL of a CA authority) with our whole network as the source in the global policy and assigned it to all CMAs, which have mostly R80.10 gateways and one R77.30 gateway in a cluster. Once the policy was pushed, we got a call from the data center that has the R77.30 GW that websites hosted on servers were inaccessible.

We were able to telnet to the websites on ports 80 and 443, but when we tried to open a webpage nothing opened.

The global rules were placed at the top and the FQDN rule was number 12. The rest of the manually created rules were below the global rules.

Once we disabled that rule everything started working. I need to understand why this happened.

As per my understanding, R77.30 supports non-FQDN domain objects.

Please guide.

Thanks.


Re: Domain Object issue on R77.30

I wrote a little here, check the last updates, but in a nutshell, reverse lookups by non-FQDN objects seem to screw up the DNS cache. Plus, on R77.30 it will stop acceleration.

https://community.checkpoint.com/message/31684-re-o365-access-filtering-in-r8010?commentID=31684#com...

Hope you have read the actual SK

Domain Objects in R80.10 and above 

Best Practices - Working with Domain Objects (Pre R80.10) 

Rules of thumb:

  • Avoid using Domain Objects if you can.
  • Place them as low in the rulebase as you can, to maximize the chance that a given packet will hit a rule that uses a network object before falling to the Domain Object.
  • Construct rules above the Domain Object in such a way as to catch as much traffic as you can before falling through to the Domain Object.
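
The placement rules of thumb above, as an added example that is not part of the original reply and is not Check Point code: a simplified first-match model that counts how many packets force a Domain Object to be resolved when the rule sits at the top versus the bottom of the rulebase. The rule names, addresses, the `ca.example` domain and the PTR table are constructed, and the model assumes one reverse lookup for every packet evaluated against a Domain Object rule.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str      # source network in CIDR form
    dst: str      # destination CIDR, or "domain:<suffix>" for a Domain Object
    action: str

# Constructed flows (source IP, destination IP); not taken from the thread.
FLOWS = [("10.1.1.5", "10.2.0.10"), ("10.1.1.6", "10.2.0.11"),
         ("10.1.2.7", "10.3.0.20"), ("10.1.3.8", "203.0.113.9")]

# Constructed reverse-DNS table standing in for the gateway's PTR lookups.
PTR = {"203.0.113.9": "ocsp.ca.example"}

def evaluate(rulebase, flows):
    """First-match evaluation. Returns (verdicts, lookups): the action per flow
    and how many times a Domain Object had to be resolved to decide a match."""
    verdicts, lookups = [], 0
    for src, dst in flows:
        verdict = "drop"                      # implicit cleanup rule
        for rule in rulebase:
            if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
                continue
            if rule.dst.startswith("domain:"):
                lookups += 1                  # assumed cost: one lookup per packet reaching the rule
                hit = PTR.get(dst, "").endswith(rule.dst[len("domain:"):])
            else:
                hit = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            if hit:
                verdict = rule.action
                break
        verdicts.append(verdict)
    return verdicts, lookups

DOMAIN = Rule("ca-access", "10.0.0.0/8", "domain:.ca.example", "accept")
NETWORK = [Rule("dc-web", "10.1.0.0/16", "10.2.0.0/16", "accept"),
           Rule("dc-app", "10.1.0.0/16", "10.3.0.0/16", "accept")]

def compare():
    high = evaluate([DOMAIN] + NETWORK, FLOWS)   # Domain Object near the top
    low = evaluate(NETWORK + [DOMAIN], FLOWS)    # Domain Object at the bottom
    return high, low

if __name__ == "__main__":
    for label, (verdicts, lookups) in zip(("high", "low"), compare()):
        print(f"domain rule {label}: verdicts={verdicts} lookups={lookups}")
```

Both orderings produce the same verdicts; only the number of packets that reach the Domain Object changes.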