This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Aaron_Wrasman
Participant
‎2019-12-09 08:40 AM

Confusion on what is supported in R80.20+ for FQDN.

So we recently moved a few of our firewalls to R80.20+ (i.e. we are still upgrading to R80.30 from R80.20)

We are trying to start using the FQDN feature of domain objects for normal firewall traffic.

I'm trying to allow access to sftp and not a website.

If my destination is something like www.vanityname.net  and I can create a Domain object  like:

.vanityname.net and make sure the FQDN feature is checked.

Put that as the destination in a normal firewall rule and it works.

If I have a site like sftp.vanityname.net and I create:

.sftp.vanityname.net 

and make sure the FQDN feature is checked.

Put that as the destination in a normal firewall rule and it works sometimes.

Are only second level domains supported with the FQDN feature? (i.e. name.com  but not sub.name.com )

And to be very clear I'm not talking wildcard domain names.

 

0 Kudos
10 Replies
_Val_
Admin
Admin
‎2019-12-09 01:30 PM

@Aaron_Wrasman , .sftp.vanityname.net should work. If it does not, please try troubleshooting and/or opening a support call

Aaron_Wrasman
Participant
‎2019-12-09 03:54 PM
In response to _Val_

What would you suggest for troubleshooting?

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-12-10 03:10 AM
In response to Aaron_Wrasman

Open a SR# with TAC...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Aaron_Wrasman
Participant
‎2019-12-10 09:08 AM
In response to G_W_Albrecht

Did that. It isn't supported.
0 Kudos
Matthias_Haas
Advisor
‎2019-12-10 10:12 AM
In response to Aaron_Wrasman

you could test with

domains_tool -d sftp.vanityname.net 

on the cli of the GW to see which IPs that objects has (if any)

test it without the preceding period  and you may have to run this command a couple of times to get a result

 

0 Kudos
CPRQ
Collaborator
‎2019-12-10 12:36 PM
In response to Matthias_Haas

domain_tool did not give any IP, but dig command give the IP
[Expert@fwgb:2]# domains_tool -d 53.com
Domain is not attached to any IP address
[Expert@fwg-b:2]# dig @10.110.10.1 53.com
;; ANSWER SECTION:
53.com. 20 IN A 104.100.23.146

0 Kudos
CPRQ
Collaborator
‎2019-12-10 12:43 PM
In response to CPRQ

If I did correctly, did not get IP with domain_tool command, but got the IP with dig command.
0 Kudos
Aaron_Wrasman
Participant
‎2019-12-10 12:50 PM
In response to CPRQ

domains_tools is looking at the FQDN objects you have deployed in your policies on that particular gateway.

Do you have a domain object setup as .53.com and have the FQDN option turned on?

And then have that object in an enabled rule in your policies on that gateway?

CPRQ
Collaborator
‎2019-12-10 12:59 PM
In response to Aaron_Wrasman

Thank you, yes it worked when I pick object used in policy.
0 Kudos
_Val_
Admin
Admin
‎2019-12-10 03:10 AM
In response to Aaron_Wrasman

@Aaron_Wrasman name resolution for this specific object on your FW for starters

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events