In 2018 I wrote an internal (Check Point) unofficial ATRG that covers Domain Objects in a lot more detail than sk120633 covers. I've discussed this document with our developers and confirmed all the details and was given permission to share this on CheckMates!
The attached document contains basic info on types of domain objects, information on how domains are looked up and how often, the cache of results, and troubleshooting steps with some API calls to confirm your usage.
This has since been updated to show the changes in 80.20 where the service, in my opinion, is super optimized and awesome!
Thanks for reading!
For the full list of White Papers, go here.
that makes a lot of sense 🙂
Yes and no @_Val_ 🙂
Yes, it's very obvious now. But it wasn't that easy yesterday when we sat with R&D guys on a remote session for two hours looking at debug logs and packet dumps, and all you had to go on was this. And in the end the penny dropped when I was putting my kids to bed at 9PM 🙂
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: A handler [0xf6f213d0] blocked for 44 seconds.
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: Handler info: Library [/opt/CPshrd-R80.30/lib/libResolver.so], Function offset [0x2b3d0].
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: Handler info: Nearest symbol name [_Z10Sock_InputiPv], offset [0x2b3d0].
No, because I'd expect that implied rules (GW > TCP/UDP/53) could have taken care of that if the code noticed usage of FQDN and/or Updatable Objects in rulebase 🙂 Or at least better logs!
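The three wsdnsd lines above are the only hint the thread had to go on, so here is an added example (not code from the post, not Check Point tooling) that pulls them into one event and flags a resolver stall. The log format is taken from the lines quoted above; the 10-second threshold, the extra short-block line and the "resolver stall" heuristic (library is libResolver.so and the nearest symbol is Sock_Input, i.e. the handler was waiting on a socket read for an answer that never came, which is what the dropped gateway DNS traffic in this thread produced) are my own assumptions.

```python
import re
from collections import OrderedDict

# One cp_timed_blocker_handler warning line, as quoted in the thread:
# [proc pid]@host[timestamp] Warning:cp_timed_blocker_handler: <message>
LINE_RE = re.compile(
    r"^\[(?P<proc>[^\s\]]+) (?P<pid>\d+)\]@(?P<host>[^\[]+)\[(?P<ts>[^\]]+)\] "
    r"Warning:cp_timed_blocker_handler: (?P<msg>.*)$"
)
BLOCKED_RE = re.compile(r"A handler \[(?P<handler>0x[0-9a-fA-F]+)\] blocked for (?P<secs>\d+) seconds\.")
LIB_RE = re.compile(r"Handler info: Library \[(?P<lib>[^\]]+)\], Function offset \[(?P<off>0x[0-9a-fA-F]+)\]\.")
SYM_RE = re.compile(r"Handler info: Nearest symbol name \[(?P<sym>[^\]]+)\], offset \[(?P<off>0x[0-9a-fA-F]+)\]\.")

# Constructed sample: the three lines from the thread plus a harmless 2-second
# block one minute earlier and an unrelated line that must be ignored.
SAMPLE_LOG = """\
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:31:01] Warning:cp_timed_blocker_handler: A handler [0xf6f213d0] blocked for 2 seconds.
[fwd 4242]@vsxseso1-ext[20 Jan 14:31:30] Info: unrelated message
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: A handler [0xf6f213d0] blocked for 44 seconds.
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: Handler info: Library [/opt/CPshrd-R80.30/lib/libResolver.so], Function offset [0x2b3d0].
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: Handler info: Nearest symbol name [_Z10Sock_InputiPv], offset [0x2b3d0].
"""


def parse_blocker_events(lines, threshold_secs=10):
    """Group the 'blocked for N seconds' line with its two 'Handler info' lines
    (same process, pid, host and timestamp) and return the events whose block
    time is at least threshold_secs, in log order."""
    events = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a cp_timed_blocker_handler warning
        key = (m["proc"], m["pid"], m["host"], m["ts"])
        ev = events.setdefault(key, {"process": m["proc"], "pid": int(m["pid"]),
                                     "host": m["host"], "time": m["ts"]})
        msg = m["msg"]
        if (b := BLOCKED_RE.match(msg)):
            ev["handler"] = b["handler"]
            ev["blocked_secs"] = int(b["secs"])
        elif (l := LIB_RE.match(msg)):
            ev["library"] = l["lib"]
            ev["offset"] = l["off"]
        elif (s := SYM_RE.match(msg)):
            ev["symbol"] = s["sym"]       # C++ mangled name; _Z10Sock_InputiPv is Sock_Input(int, void*)
    return [ev for ev in events.values() if ev.get("blocked_secs", 0) >= threshold_secs]


def is_resolver_stall(ev):
    """Heuristic (my assumption, not a Check Point rule): wsdnsd blocked inside
    libResolver.so's Sock_Input means it sat waiting for a DNS reply, which is
    what you see when the gateway's own DNS queries are being dropped."""
    return (ev.get("process") == "wsdnsd"
            and ev.get("library", "").endswith("libResolver.so")
            and "Sock_Input" in ev.get("symbol", ""))


if __name__ == "__main__":
    for ev in parse_blocker_events(SAMPLE_LOG.splitlines()):
        tag = "RESOLVER STALL" if is_resolver_stall(ev) else "blocked handler"
        print(f"{ev['time']} {ev['host']} {ev['process']}[{ev['pid']}] {tag}: "
              f"{ev['blocked_secs']}s in {ev.get('symbol', '?')} ({ev.get('library', '?')})")
```

Run it against `fw ctl` or the $FWDIR/log output you already collect; a stall like this in wsdnsd is a good reason to check the "Accept control connections" implied-rule position before spending two hours on packet dumps.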
Ok @_Val_ - you win! DOH moment!
We are talking about an ancient CMA that was probably created and configured back in R65. So in Global Properties the gateway traffic was set to be accepted on the last rule... arghhhhh
I have checked more recent CMAs and those all are set to "Before last" by default.
I guess you still have to be careful in case you have multiple drop rules (i.e. we drop internal and external traffic differently) so then the best option would be setting it as "First" in our case or explicit rule.
Case closed! @Ilya_Yusupov gets the medal!
@Kaspars_Zibarts I am happy it is all good now
Thanks for the more detailed info on DNS-based rules here. I just found this despite searches over the last 6 months never resulting in such detailed info.
I am still wondering, like someone else was, about using FQDNs with either global-traffic-manager-hosted sites with many IP addresses behind an A record along with short 30-second TTLs, as well as FQDNs hosted on a CDN like Akamai. There seems to be a strong possibility that the cache table in the gateway may not always match up with what the client device resolves the FQDN to. I see possibilities to deny some traffic you intended to permit.
Can you expand on these cases?
I do guess URL filtering looking for Host headers or SNI info would be a more reliable solution.
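To make the mismatch worry above concrete, here is an added simulation (my own example, not Check Point code and not a model of how wsdnsd actually caches). It assumes a GTM/CDN-style authority that answers each query with the next two addresses of a six-address pool at a 30-second TTL, a gateway that keeps a set of addresses per FQDN and re-queries when the TTL runs out, and a hypothetical "grace" knob for how long previously learned addresses keep matching after their TTL. The client resolves the name itself right before every connection and connects to the first address it gets back; the pool addresses are constructed TEST-NET-3 values.

```python
"""Constructed simulation of a gateway FQDN cache disagreeing with what a
client resolves when the name is behind a rotating, short-TTL answer set."""


class RotatingAuthority:
    """Stand-in for a CDN/GTM authoritative server: each query returns the next
    `answer_size` addresses of the pool (round robin) with a fixed short TTL."""

    def __init__(self, pool, ttl, answer_size=2):
        self.pool, self.ttl, self.answer_size, self.cursor = list(pool), ttl, answer_size, 0

    def query(self):
        n = len(self.pool)
        answer = [self.pool[(self.cursor + i) % n] for i in range(self.answer_size)]
        self.cursor = (self.cursor + self.answer_size) % n
        return answer, self.ttl


class GatewayFqdnCache:
    """Simplified (assumed) model of an FQDN object: the set of addresses the
    gateway itself learned, refreshed when the TTL expires.  `grace` is how many
    extra seconds an address keeps matching after its TTL (0 = replace on refresh)."""

    def __init__(self, authority, grace=0):
        self.authority, self.grace = authority, grace
        self.entries = {}        # ip -> time after which it no longer matches
        self.next_refresh = 0    # first lookup happens on first use

    def maybe_refresh(self, now):
        if now < self.next_refresh:
            return
        answer, ttl = self.authority.query()
        self.entries = {ip: exp for ip, exp in self.entries.items() if exp > now}  # age out
        for ip in answer:
            self.entries[ip] = now + ttl + self.grace
        self.next_refresh = now + ttl

    def matches(self, now, ip):
        return self.entries.get(ip, 0) > now


def simulate(grace, duration=300, client_interval=5):
    """Return (connections, denied).  A connection is denied when the address
    the client chose is not in the gateway's FQDN cache at that moment."""
    pool = [f"203.0.113.{i}" for i in range(1, 7)]      # constructed TEST-NET-3 pool
    authority = RotatingAuthority(pool, ttl=30, answer_size=2)
    gateway = GatewayFqdnCache(authority, grace=grace)
    connections = denied = 0
    for now in range(0, duration, client_interval):
        gateway.maybe_refresh(now)
        client_answer, _ = authority.query()   # client's resolver hits the same authority independently
        dst = client_answer[0]                  # client connects to the first address it got
        connections += 1
        if not gateway.matches(now, dst):
            denied += 1
    return connections, denied


if __name__ == "__main__":
    for grace in (0, 60):
        total, bad = simulate(grace)
        print(f"grace={grace:>2}s: {bad}/{total} client connections fell outside the gateway's FQDN cache")
```

With replace-on-refresh the gateway only ever holds the two addresses it was handed, so two thirds of the client's connections miss the cache; retaining earlier answers for a while lets the cache converge on the whole pool after a few TTLs. Whether, and for how long, the real gateway keeps previous answers is exactly the detail to confirm in the ATRG above before relying on FQDN objects for a CDN-hosted destination; matching on SNI or the Host header, as suggested, does not depend on the two resolvers agreeing at all.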