phlrnnr
Advisor

R80.10 FQDN objects and CNAME/aliases

We have been using the new FQDN objects in R80.10 Mgmt/GW, and have been having some issues with them.  As we troubleshoot the rules that don't work, it seems that when the FQDN object resolves a CNAME/alias record, the rule never gets hit.  It seems that when an A record is returned, it works fine.

An example: crl.godaddy.com returns an alias:

   crl.godaddy.com canonical name = gdcrl.godaddy.com.akadns.net.
   Name: gdcrl.godaddy.com.akadns.net
   Address: 50.63.243.228

However, the rule was never hit until I added a host object for 50.63.243.228. Unfortunately, that IP is very likely to change.

Is this expected behavior for dns-domain objects that resolve to a CNAME?  If a CNAME, shouldn't the FW resolve the CNAME/alias to get the IP result to use in the FQDN object/ruleset?

In addition, are there any good command line tools I can use on the R80.10 GW to see what it is using for FQDN objects?  We have been finding these quite difficult to troubleshoot (although we LOVE the idea of these objects if they worked consistently!)

Thanks for any assistance you can provide!

6 Replies
Juan_Lobera
Contributor

Have you tried using non-fqdn objects?
The gateway will try to do reverse lookups for all subdomains.

Or you can use "godaddy.com.akadns.net" as domain and it will match the rule.

phlrnnr
Advisor

I'd rather not use non-fqdn objects as they are inherently unreliable, and are known to cause performance impact.

The problem with using "godaddy.com.akadns.net" is that if crl.godaddy.com is pointed at a different A record, then the rule will break.

Atul_Mahadik
Explorer

Hello all,

Just want to check: for non-fqdn objects, do I need to enable the application blade in Check Point R80.10?

Jerry
Mentor

No, you don't have to.

PS. FQDN and the (A) record is a tricky part ... it has happened to me a couple of times, especially with Office365 dynamic-object entries ...

Jerry
Raj_Khatri
Advisor

There is a whitepaper which has more detail on FQDN objects.  CNAME support looks to be supported in R80.20, but I don't see it documented anywhere else.  We are also looking forward to this support.

Whitepaper

Meital_Natanson
Employee

Hi,

Please check the following:

1. Validate that the DNS server is well defined on the GW

2. Run 'nslookup checkpoint.com' on the GW and make sure you get a response

3. Run 'nslookup crl.godaddy.com' on the GW and make sure it returns the IP you expect (50.63.243.228)

4. Check that domains cache table is not empty: fw tab -t dns_reverse_cache_tbl

5. If all the above is true, check whether you have another domain object that resolves to the same IP address as the above (sk145952)

Regarding a command line tool: starting with R80.20 GWs, the domains_tool CLI is available for this purpose (sk161632).

Thanks,

Meital

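As an added example (not code from this thread or from Check Point), and assuming the nslookup output format shown in the first post: a small Python script that parses such output, reports whether the name resolved through a CNAME, which final name and addresses came back, and whether the IP expected in step 3 of the list above is present. The crl.godaddy.com answer is the one quoted in the first post; the Server/Address header lines and the checkpoint.com answer are constructed sample data.

```python
import re

# nslookup output quoted in the original post (crl.godaddy.com is a CNAME for
# gdcrl.godaddy.com.akadns.net); the Server/Address header lines are constructed.
SAMPLE_CNAME = """\
Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
crl.godaddy.com\tcanonical name = gdcrl.godaddy.com.akadns.net.
Name:\tgdcrl.godaddy.com.akadns.net
Address: 50.63.243.228
"""

# Constructed answer for a name that resolves straight to an A record.
SAMPLE_A = """\
Non-authoritative answer:
Name:\tcheckpoint.com
Address: 192.0.2.10
"""

CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")
# Only bare 'Address: x.x.x.x' lines; the 'x.x.x.x#53' DNS-server line is skipped.
ADDR_RE = re.compile(r"^Address:\s*(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_nslookup(text):
    """Return ([(alias, target), ...], [ipv4, ...]) from nslookup output."""
    cname_chain, addresses = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = CNAME_RE.match(line)
        if m:
            cname_chain.append((m.group(1).rstrip("."), m.group(2).rstrip(".")))
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses.append(m.group(1))
    return cname_chain, addresses

def check_fqdn(text, expected_ip):
    """Step 3 of the list above: did the lookup return the IP the rule should
    match, and did it get there through a CNAME (the case the OP reports)?"""
    cname_chain, addresses = parse_nslookup(text)
    return {
        "via_cname": bool(cname_chain),
        "final_name": cname_chain[-1][1] if cname_chain else None,
        "addresses": addresses,
        "expected_ip_present": expected_ip in addresses,
    }
```

Paste the real output of 'nslookup crl.godaddy.com' from the GW in place of SAMPLE_CNAME; a result with via_cname set to True and the expected IP present is exactly the combination the first post describes as not matching.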
