cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Domain Objects (FQDN) - An Unofficial ATRG

In 2018 I wrote an internal (Check Point) unofficial ATRG that covers Domain Objects in a lot more detail than sk120633 covers. I've discussed this document with our developers and confirmed all the details and was given permission to share this on CheckMates! 

 

The attached document contains basic info on types of domain objects, Information on how domains are looked up and how often, cache of results, and troubleshooting steps with some API to confirm your usage. 

 

This has since been updated to show the changes in 80.20 where the service, in my opinion, is super optimized and awesome!

 

Thanks for reading!

 

20 Replies
Vladimir
Pearl

Re: Domain Objects (FQDN) - An Unofficial ATRG

Thank you! This alone justifies jump to R80.20 if domain objects are used.

Can you describe which blades support domain objects and where those should be avoided (even if officially supported)?

Re: Domain Objects (FQDN) - An Unofficial ATRG

They are supported in the Source/Dest columns of the Access Policy. Honestly, they are a good use just avoid non-FQDN objects as best you can because reverse lookup is taxing. 

0 Kudos
Vladimir
Pearl

Re: Domain Objects (FQDN) - An Unofficial ATRG

Thank you.

I am working with the client who is interested in using FQDNs in the QOS and we were told by CP that they are supported there as well.

For now, we are seeing problems with that, (no logs and no enforcement of the bandwidth limits on rules containing FQDNs in destinations).

Have you, perchance, had a run in with this use case?

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Been a long time since I’ve done QoS on CP. I’m short it was still actually called Floodgate-1 🙂

depending on usage age you could use them in a destination in a unified access policy and then use limits to limit the upload/download on those sites. 

0 Kudos
Vladimir
Pearl

Re: Domain Objects (FQDN) - An Unofficial ATRG

Had to look it up to refresh my memory Smiley Happy

Sorry, that is a non-starter: CP is adjusting bandwidth by dropping successive packets when using hard bandwidth limits in the unified policy (with questionable logging).

My goal is to actually assign priority weights to some of the critical to the client sites, the task that only QoS seem to be suitable for.

0 Kudos
Kim_Moberg
Silver

Re: Domain Objects (FQDN) - An Unofficial ATRG

Thanks for sharing, it is good stuff to read with technical insights.

I have also read the non-fqdn takes longer to get results and have been searching for ways to fast get an overview which of fqdn and non-fqdn. This document now gave me the necessay insights by using commands in expert mode and API.

More if this If possible 🙂

Thanks 


Best Regards
Kim
0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Absolutely awesome - been waiting for this long time as we have used FQDN objects with R80.10 quite extensively and run into ton of problems prior T142 Smiley Happy 

There is still one case for me that's unsolved (no, I have not raised SR yet as I was trying to find more info how to check cached entries..) - sometimes when FQDN resolves to multiple (seems like more than 3) IPs, one of those will get enforced intermittently

For example

Object set as follows

You can see from logs that the last IP is enforced sporadically - then it works and then it doesn't

That's why I wanted to find actual mapping between FQDN and cached IPs for it. If you know how to find it as  dns_reverse_cache_tbl gives you only IPs but not matching FQDN

Re: Domain Objects (FQDN) - An Unofficial ATRG

That interesting. When is the first time it appears? It didn't oddly time out did it? I haven't found a better way. I have a really bad script that will covert the hex to IP and then do a reverse lookup in my lab. Problem with it is most of these sites don't use reverse entry so it ends up just failing on a lot things. I will keep digging on it. That cache table is shared accross services and isn't just domain based objects. (from what I can tell)

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Adam, great job and thank you for sharing!!

I have a question for you, if I need to create a rule with a destination ww2.checkpoint.com and ww1.checkpoint.com, how to do  this? I  need to create 2 objects FQDN to avoid that you explain on document?

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Yes you would create two separate FQDN objects Smiley Happy

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Thanks Kaspars, but I have a new question: I have a rule where port of destination is not 80 or 443 and destination is <several>.domain.com.br... how to proceed? is it  possible, for example, to create a application/custom site to use if wildcard on domain or REGEX and including the port on URL?

for example:  (^|.*\.)*domain\.com\.br\:9090

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

I'm afraid no, you won't be able to use wildcard with FQDN objects. If you read the SK (sk120633 ) you cold use old style domain objects that do reverse lookups but I would strongly suggest to stay away from that idea - it will only screw up DNS cache.

If you are using URL filtering blade, i might work, but I'm no expert on that.

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

ok, thank you Kaspars.

@ Adam Forester, please, could you explain how to do this? 

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

I'm with Kaspars Zibarts‌ on this one. The only way to get a wildcard type approach is to use non-FQDN objects and they are much more intensive for the gateway. As for your port question. The port would be used in the service/applications column of your rule. The domain object should be limited to just the DNS name since that is all we look up.

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Thank you Adam.

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

One-liner for R80.20 DNS cache to dotted decimal IP address:

fw ctl multik print_bl dns_reverse_cache_tbl | cut -f1 -d';' | cut -f2 -d'<' | sort | uniq | gawk --non-decimal-data '{for (i=1;i<=NF;i++) printf "%d%s","0x"$i,(i==NF?"\n":".")}' FPAT='..'

Source: networking - How to convert a hexadecimal value to a "standard" ip address? - Super User 

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

I'm kind of in the same boat. I would like a bit more information about how the entries are cached relative to the TTL.

[0 sec] For instance: abc.com resolves to 1.1.1.1 with a TTL of 30 seconds.

According to the doc: 1.1.1.1 will be cached for an hour in the access entry. And R80.20 will do a lookup of abc.com every 60 seconds.

[30 sec] What happens when the TTL expires after 30 seconds?

[31 sec]Let's say that the new resolution that the host (gw and host have the same caching resolver) has for abc.com will be 2.2.2.2.

Is the gateway still only allowing 1.1.1.1 in the access entry?

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

in 80.20 you can run domains_tool -d update.microsoft.com to show which IP is associated to a domain object

 

0 Kudos
Raj_Khatri
Copper

Re: Domain Objects (FQDN) - An Unofficial ATRG

Hi Adam, is CNAME support added in the main R80.20 build or a specific jumbo take?  I didn't see it documented anywhere so wanted to confirm.

0 Kudos

Re: Domain Objects (FQDN) - An Unofficial ATRG

Technically speaking you could use a CNAME and enter it into the FQDN name and it would look it up for an A record. What I was talking about directly in the document is if you use an FQDN that points to a CNAME then we will follow the lookup until it returns an A record.