Adam_Forester
Ambassador

Domain Objects (FQDN) - An Unofficial ATRG

In 2018 I wrote an internal (Check Point) unofficial ATRG that covers Domain Objects in a lot more detail than sk120633 covers. I've discussed this document with our developers and confirmed all the details and was given permission to share this on CheckMates! 


The attached document contains basic info on the types of domain objects, information on how domains are looked up and how often, the cache of results, and troubleshooting steps with some API calls to confirm your usage. 


This has since been updated to show the changes in 80.20 where the service, in my opinion, is super optimized and awesome!


Thanks for reading!


For the full list of White Papers, go here

34 Replies
_Val_
Admin

that makes a lot of sense 🙂

Kaspars_Zibarts
Authority

Yes and no @_Val_ 🙂

Yes, it's very obvious now. But it wasn't that easy yesterday when we sat with R&D guys on a remote session for two hours looking at debug logs and packet dumps, and all you had to go on was this. And in the end the penny dropped when I was putting my kids to bed at 9PM 🙂

[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: A handler [0xf6f213d0] blocked for 44 seconds.
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: Handler info: Library [/opt/CPshrd-R80.30/lib/libResolver.so], Function offset [0x2b3d0].
[wsdnsd 32546]@vsxseso1-ext[20 Jan 14:32:07] Warning:cp_timed_blocker_handler: Handler info: Nearest symbol name [_Z10Sock_InputiPv], offset [0x2b3d0].


No, because I'd expect that implied rules (GW > TCP/UDP/53) could have taken care of that if the code noticed usage of FQDN and/or Updatable Objects in rulebase 🙂 Or at least better logs!

Kaspars_Zibarts
Authority

Ok @_Val_ - you win! DOH moment!

We are talking about an ancient CMA that was probably created and configured still in R65. So in Global properties the gateway traffic was set to be accepted on the last rule... arghhhhh


I have checked more recent CMAs and those all are set to "Before last" by default.

I guess you still have to be careful in case you have multiple drop rules (i.e. we drop internal and external traffic differently) so then the best option would be setting it as "First" in our case or explicit rule.

Case closed! @Ilya_Yusupov gets the medal!

_Val_
Admin

@Kaspars_Zibarts I am happy it is all good now

Network_Dude
Explorer

Thanks for the more detailed info on DNS based rules here. I just found this despite searches over the last 6 months never resulting in such detailed info. 

I am still wondering, like someone else was, about using FQDNs with either global traffic manager hosted sites with many IP addresses behind an A record along with short 30-second TTLs, as well as FQDNs hosted on a CDN like Akamai. There seems to be a strong possibility that the cache table in the gateway may not always match up with what the client device resolves the FQDN to. I see possibilities to deny some traffic you intended to permit. 

Can you expand on these cases?

I do guess URL filtering looking for Host headers or SNI info would be a more reliable solution. 

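The cache-divergence concern raised in the post above, as an added illustration that is not from this thread or from Check Point: a small simulation in which a rotating A record is resolved independently by a gateway and a client, so you can measure how often the client's chosen destination is missing from the gateway's cached answer. The `retain` policy, the 20-address pool, the 4-answer responses and the 30-second TTL are all constructed assumptions of the model, not the real gateway's behaviour.

```python
# Constructed model (not code from this thread or from Check Point): a CDN-style
# A record answers each query with a few addresses from a larger pool and a short
# TTL; gateway and client resolve independently, so the gateway's cached answer
# may not contain the address the client actually sends traffic to.
from dataclasses import dataclass, field
import random


@dataclass
class RotatingRecord:
    """Authoritative answer model: a random subset of the pool per query."""
    pool: list
    answers_per_query: int
    rng: random.Random

    def resolve(self):
        return set(self.rng.sample(self.pool, self.answers_per_query))


@dataclass
class GatewayCache:
    """Hypothetical cache policy: keep the last `retain` answers (1 = newest only)."""
    record: RotatingRecord
    refresh_interval: int
    retain: int
    history: list = field(default_factory=list)
    next_refresh: int = 0

    def tick(self, now):
        if now >= self.next_refresh:
            self.history = (self.history + [self.record.resolve()])[-self.retain:]
            self.next_refresh = now + self.refresh_interval

    def matches(self, ip):
        return any(ip in answer for answer in self.history)


def miss_rate(seed, retain, seconds=600, ttl=30):
    """Fraction of client packets whose destination the gateway cache lacks."""
    rng = random.Random(seed)
    record = RotatingRecord([f"203.0.113.{i}" for i in range(1, 21)], 4, rng)
    gateway = GatewayCache(record, refresh_interval=ttl, retain=retain)
    client_answer, client_expiry, missed = set(), 0, 0
    for now in range(seconds):
        gateway.tick(now)
        if now >= client_expiry:  # the client's resolver honours the TTL
            client_answer, client_expiry = record.resolve(), now + ttl
        if not gateway.matches(rng.choice(sorted(client_answer))):
            missed += 1  # a packet a domain-object rule would not match
    return missed / seconds
```

Raising `retain` shows how much keeping earlier answers narrows the gap in this model without closing it; matching on the Host header or SNI, as the post suggests, avoids the address-set problem altogether.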