This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ruud
Explorer
‎2025-06-27 06:20 AM

Allow rule for site hosted on akamai CDN, only the first dns response seems to work

 

Hi Guys,

Our server techs requested that i allow their iDrac devices https access to the url downloads.dell.com to download their updates.
downloads.dell.com however is hosted on the akamai cdn network, so there are a lot of servers behind that url.

It works using the url as a firewall object, but only for 1 akamai server, the rest is blocked. It seems like only the ip address of the server that was received on the initial DNS request works, as this remains in the cache. The iDracs however are trying to connect multiple akamai servers, which will be blocked. (no clue how the iDracs do get a list of hosts on that url)

I could create a firewall object containing a list of known akamai servers to resolve this, but that list will change all the time, and it's not a given that all of these servers will host the dell download files.

I have seen this before when creating rules for servers on azure etc.

Is there a neat way to resolve this ? Perhaps a firewall object that dynamically checks the server ranges from akamai etc ?

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2025-06-27 10:08 AM

When you say "URL as a firewall object" please clarify which object type was used here.
Also clarify version/JHF in use.

0 Kudos
Ruud
Explorer
‎2025-06-29 09:50 PM
In response to PhoneBoy

I created a new "domain" entry in the object explorer : .downloads.dell.com

 

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-29 11:52 PM
In response to Ruud

Do the gateways and requesting client use the same DNS server settings and resolve it the same way? 

Additionally which version/JHF is the gateway in question?

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-30 09:27 AM
In response to Ruud

Unless your gateway and clients are using the exact same DNS server (and getting the same results), this object type won't work well.
There are other options that might work better, and I cover them in the Web Filtering Best Practices session I periodically run.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-30 12:27 PM
In response to Ruud

Make sure its checked as fully qualified domain name.

Andy

0 Kudos
Ruud
Explorer
‎2025-06-30 11:44 PM

We run r81.20 at our gateways. But the DNS server thing might be the issue.

Our server guys are renewing their server infrastructure and started using new DNS servers, but the network equipment hasn't been changed yet.  So, this is a good reason to pick up that task for sure.

Going to look at Phoneboys session for sure as well.

Thanks for your responses guys !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events