Jen_Brown
Explorer

Need a little help please

We’re running v77.30 and my firewall guys are telling me that we can’t use a DNS service without a proxy. However, we have some calls that can’t be proxied. They are currently hard coding the IP addresses for those partners – but as you know, IPs change and sure enough, it broke at 12am Sat morning and was down all weekend. There has to be a better way to resolve domains than hard coding IPs. Do you have any ideas or suggestions?


Thank you!

0 Kudos

6 Replies
Daniel_Taney
Advisor

Is there any chance the IP address shifts within a specific range? There were times where we just created a network object or IP range for access to a vendor. 

Sometimes I've been able to get a list of IP ranges from the vendor and make a group based on their list. 

I guess none of this helps you if the host resolves to a CDN network or AWS, though. 

R80 CCSA / CCSE
0 Kudos
Jen_Brown
Explorer

Yeah, it resolves to AWS. What we need is a FW rule to a non-static IP or DNS entity, or a FW rule to a cloud-hosted server. Ideas?

0 Kudos
Daniel_Taney
Advisor

Jen,

Check out this SK article, "Best Practices - Working with Domain Objects (Pre R80.10)". As far as I know, these are the definitive options for pre-R80.10 Gateways!

If you go the route of creating a domain object, try to put it as close to the bottom of the policy as possible!

R80 CCSA / CCSE
0 Kudos
PhoneBoy
Admin
Admin

This is much easier in R80.10 where you can use an FQDN Domain object in the access policy.

In earlier releases like R77.30, see my answer in this thread: Dynamic Objects (URL) 

Jen_Brown
Explorer

I knew there had to be a way to do this. Thank you so much! I'm going to pass this along to my guys. 

You just made my day - thanks again!

0 Kudos
PhoneBoy
Admin
Admin

It's certainly possible for organizations to set up DNS in such a way that an internal DNS server is only able to resolve internal (non-Internet) addresses.

If internal resources want to reach the Internet in this situation, they are forced to use a proxy to do so.

This is usually for HTTP/HTTPS, and the proxy server generally has access to DNS servers capable of resolving addresses.

It sounds like you have some application that can't use this sort of proxy and has been given direct access to the Internet.

However, you need to know what IP address the connection uses because you do not have access to Internet DNS.

None of the above has anything to do with Check Point, or any specific security gateway vendor for that matter.

It's a function of how the environment is set up.

Once you solve the DNS problem on the client side, there's the matter of allowing access to that IP (whatever it is).

That would be where Check Point is relevant to the discussion.

If the relevant parties want to have a discussion about that portion, they can do so here, through our TAC, Check Point account team, etc. 

0 Kudos
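As an added example (not from this thread, Check Point, or any SK article), the drift check a practitioner would schedule to catch the failure described in the original post and Daniel's range-based workaround: it resolves the partner FQDN and compares the answer with the hard-coded IPs and vendor-supplied ranges in a pre-R80.10 policy, reporting addresses no rule covers (the connection will break) and entries nothing resolves into (stale). The name `api.partner.example`, the allowlist and the DNS answer are constructed so it runs offline; `resolve_live` uses the system resolver instead.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed allowlist: the host and network objects a pre-R80.10 policy
# would carry for a partner hosted on AWS (documentation addresses, made up).
ALLOWLIST = ["203.0.113.10", "203.0.113.11", "198.51.100.0/24"]

# Constructed DNS answer for a hypothetical partner FQDN. The first two
# addresses are still covered by the allowlist; the third is a "new" address
# that a hard-coded rule would silently block.
FAKE_DNS = {"api.partner.example": ["203.0.113.10", "198.51.100.42", "192.0.2.7"]}


def resolve_live(fqdn: str) -> list[str]:
    """Resolve an FQDN with the system resolver (IPv4 and IPv6 answers)."""
    infos = socket.getaddrinfo(fqdn, None)
    return sorted({info[4][0] for info in infos})


def resolve_fake(fqdn: str) -> list[str]:
    """Offline stand-in for resolve_live using the constructed answer."""
    return FAKE_DNS.get(fqdn, [])


def check_drift(allowlist: Iterable[str], addresses: Iterable[str]) -> dict:
    """Compare resolved addresses against the hard-coded IPs/ranges.

    uncovered: resolved addresses no allowlist entry contains (rule breaks).
    stale: allowlist entries that no resolved address falls into."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    resolved = [ipaddress.ip_address(a) for a in addresses]
    uncovered = sorted(str(ip) for ip in resolved if not any(ip in n for n in nets))
    stale = sorted(str(n) for n in nets if not any(ip in n for ip in resolved))
    return {"uncovered": uncovered, "stale": stale}


def audit(fqdn: str, allowlist: Iterable[str],
          resolver: Callable[[str], list[str]] = resolve_live) -> dict:
    """Resolve fqdn, run the drift check and return a report a cron job can alert on."""
    addresses = resolver(fqdn)
    report = check_drift(allowlist, addresses)
    report["resolved"] = addresses
    return report


if __name__ == "__main__":
    report = audit("api.partner.example", ALLOWLIST, resolver=resolve_fake)
    for key in ("resolved", "uncovered", "stale"):
        print(f"{key}: {report[key]}")
```

Run it from cron against the real FQDN with `resolve_live`; a non-empty `uncovered` list is the early warning that the hard-coded rule has drifted, before a weekend outage shows it.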
