britt1kj
Explorer

FQDN: Domain vs Application

A little background: I am a sysadmin with a little networking background, helping a very junior network guy who probably has less experience than me on this topic.

Inherited a client with SmartConsole R80.20...

I have reviewed many of the suggestions on Domain vs. Application... I am missing something and in desperate need to get this functionality working, as I need SUSE updates, Azure backups, and SQL backups for my VMs.

I simply need to add *.opensuse.org, so I can get to a.opensuse.org, b.opensuse.org, c.opensuse.org.

I've added a domain rule for .opensuse.org with FQDN unchecked - I tried both. 


I am still not able to telnet to any of the services or anything. 

What am I supposed to do to get all the subdomains added?


Thank you very much in advance 

6 Replies

PhoneBoy
Admin

There are two types of objects that are relevant here: FQDN Domain Objects and Custom Application/Site.
For a detailed discussion about this: https://community.checkpoint.com/t5/General-Topics/Domain-objects-FQDN-mode-vs-Custom-Applications-S...

While we support domain objects that allow *.somedomain.com, it relies on Reverse DNS (rarely works) and disables SecureXL templates (decreased performance).
In R80.40, assuming the DNS queries always go through the gateway, mappings can be learned passively by observing the DNS queries to the trusted DNS server.
That resolves the "Reverse DNS" problem with Domain Objects but not the performance issue, as far as I know.
See: https://community.checkpoint.com/t5/General-Topics/DNS-Passive-Learning-Design-Question/m-p/77213#M1...

All of this boils down to the following:
1. If the traffic is HTTP/HTTPS, you can use Custom Application/Sites.
2. If the traffic is anything else, Domain Objects should be used. Unless you are using R80.40 and DNS queries go through the gateway to a trusted DNS server, you will have to create an object for each FQDN to allow.
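As an added illustration (not part of PhoneBoy's reply and not Check Point code), the script below models the two matching behaviours that reply describes: an FQDN-mode object is resolved forward by the gateway and matched by IP, while a wildcard (non-FQDN) object such as `.opensuse.org` is matched by a reverse (PTR) lookup on the destination IP. The DNS data is constructed (RFC 5737 addresses, invented PTR names); the second host stands in for a mirror hosted on a CDN, whose PTR does not mention opensuse.org, which is the case where the wildcard object silently fails. The modelled matching rules are an assumption drawn from the reply, not verified against gateway internals; the `live_*` adapters let you repeat the check against real DNS.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed DNS data so the script runs offline. Addresses are RFC 5737
# documentation ranges; hostnames and PTR names are made up for illustration.
FORWARD: Dict[str, List[str]] = {
    "a.opensuse.org": ["203.0.113.10"],
    "b.opensuse.org": ["198.51.100.7"],   # pretend this mirror sits on a CDN
}
REVERSE: Dict[str, str] = {
    "203.0.113.10": "a.opensuse.org",
    "198.51.100.7": "edge-7.cdn-provider.example",  # PTR names the CDN, not opensuse.org
}

Forward = Callable[[str], List[str]]
Reverse = Callable[[str], str]


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def fake_forward(name: str) -> List[str]:
    return FORWARD.get(normalize(name), [])


def fake_reverse(ip: str) -> str:
    return REVERSE.get(ip, "")


def live_forward(name: str) -> List[str]:
    """Real A-record lookup, for running the same audit against live DNS."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> str:
    """Real PTR lookup; empty string when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def fqdn_object_matches(dest_ip: str, object_name: str,
                        forward: Forward = fake_forward) -> bool:
    """FQDN mode (assumed model): the gateway resolves the object's exact name
    and compares addresses. A wildcard cannot be resolved this way, which is
    why one object per hostname is needed."""
    return dest_ip in forward(object_name)


def wildcard_object_matches(dest_ip: str, domain_suffix: str,
                            reverse: Reverse = fake_reverse) -> bool:
    """Non-FQDN mode (assumed model): PTR lookup on the destination address,
    then a suffix comparison against the object's domain."""
    ptr = normalize(reverse(dest_ip))
    suffix = normalize(domain_suffix).lstrip(".")
    return bool(ptr) and (ptr == suffix or ptr.endswith("." + suffix))


def audit(hostnames: List[str], domain_suffix: str,
          forward: Forward = fake_forward,
          reverse: Reverse = fake_reverse) -> Dict[Tuple[str, str], dict]:
    """For every address each hostname resolves to, report whether an FQDN
    object for that host and a wildcard object for the domain would match."""
    report: Dict[Tuple[str, str], dict] = {}
    for host in hostnames:
        for ip in forward(host):
            report[(host, ip)] = {
                "ptr": reverse(ip) or None,
                "fqdn_object": fqdn_object_matches(ip, host, forward),
                "wildcard_object": wildcard_object_matches(ip, domain_suffix, reverse),
            }
    return report


if __name__ == "__main__":
    for (host, ip), r in audit(["a.opensuse.org", "b.opensuse.org"], ".opensuse.org").items():
        print(f"{host} -> {ip}: PTR={r['ptr']} "
              f"fqdn_object={r['fqdn_object']} wildcard_object={r['wildcard_object']}")
```

Swap `fake_forward`/`fake_reverse` for `live_forward`/`live_reverse` to audit the real mirror names before choosing an object type; any host whose `wildcard_object` result is False is one you will have to cover with its own FQDN object (or with a Custom Application/Site if it is only reached over HTTP/HTTPS).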
britt1kj
Explorer

Okay, sounds good... Is there a guide to whitelisting through Custom Application/Sites?

I can see where to create it but can't figure out where it applies to.

PhoneBoy
Admin

It comes down to having an explicit rule in your Access Policy that allows the desired traffic.
In the case of a Custom Application/Site, it means having a rule that uses the object you created as the Service/Application (note that it only applies to Web traffic).
In the case of a Domain Object, it means having a rule that uses the Domain Object as the destination and the relevant services listed in the rule.
Maarten_Sjouw
Champion

The method we use is quite simple:
You create a Custom Category called Whitelist and one called Blacklist.
You add a rule to the Application Control policy that will allow traffic to the Whitelist category, and above it you add a rule that blocks the Blacklist category.
Now when you need to add a Custom Application/Site to the whitelist or blacklist, while creating it you just set the category to the desired Whitelist or Blacklist.
Now when you push policy the newly added site is already in the list and will be allowed/blocked accordingly.
Regards, Maarten
britt1kj
Explorer

Thanks for the reply!

I have a simple Domain-based rule section with an action of Accept... I've published many times, but no matter what I do I cannot telnet to any other sites. It's getting blocked on our catch rules...

Very new with this appliance; I appreciate your patience and understanding.

Maarten_Sjouw
Champion

Publish does not install the policy on your gateway!!
You need to click the Install Policy button, top left, or in the top middle when looking at the policy.
Regards, Maarten
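To turn Maarten's whitelist/blacklist category pattern and the publish-versus-install point into something repeatable, here is an added example (my own, not Maarten's, PhoneBoy's or Check Point's code) that builds the Management API calls for both approaches from this thread and can optionally send them. It uses the R80.x Management API commands add-dns-domain, add-application-site-category, add-application-site, add-access-rule, publish and install-policy; my reading of the API is that `is-sub-domain: false` corresponds to the FQDN checkbox being set and `true` to the wildcard behaviour. The management address, gateway name, policy package and layer names are placeholders to change for your environment, and the Application Control layer is assumed to already exist in the package.

```python
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

Call = Tuple[str, dict]  # (Management API command, JSON body)

# Placeholders (assumptions): replace with your management server, gateway,
# policy package and layer names. 192.0.2.1 is a documentation address.
MGMT_URL = "https://192.0.2.1/web_api"
GATEWAY = "gw-branch"
POLICY_PACKAGE = "standard"
NETWORK_LAYER = "Network"
APP_LAYER = "Application"


def domain_object_plan(fqdns: List[str], services: List[str],
                       rule_name: str = "Allow SUSE mirrors") -> List[Call]:
    """Non-web traffic: one FQDN domain object per host plus one rule that
    lists them as destination together with the services actually needed."""
    names = ["." + f.strip(".").lower() for f in fqdns]   # domain object names start with a dot
    calls: List[Call] = [("add-dns-domain", {"name": n, "is-sub-domain": False})
                         for n in names]
    calls.append(("add-access-rule", {
        "layer": NETWORK_LAYER, "position": "top", "name": rule_name,
        "destination": names, "service": list(services), "action": "Accept",
    }))
    return calls


def category_plan(sites: Dict[str, List[str]], category: str = "Whitelist",
                  action: str = "Accept") -> List[Call]:
    """Web traffic, Maarten's pattern: a custom category, each Custom
    Application/Site created directly in it, and one rule on the category.
    Adding a site later needs only add-application-site plus install, no rule edit."""
    calls: List[Call] = [("add-application-site-category", {"name": category})]
    for name, urls in sites.items():
        calls.append(("add-application-site",
                      {"name": name, "primary-category": category, "url-list": urls}))
    calls.append(("add-access-rule", {
        "layer": APP_LAYER, "position": "top", "name": f"{category} sites",
        "service": [category], "action": action,
    }))
    return calls


def finish_plan() -> List[Call]:
    """publish only saves the session on the management server;
    install-policy is what changes what the gateway enforces."""
    return [("publish", {}),
            ("install-policy", {"policy-package": POLICY_PACKAGE,
                                "access": True, "targets": [GATEWAY]})]


def run(calls: List[Call], user: str, password: str, url: str = MGMT_URL,
        ctx: Optional[ssl.SSLContext] = None) -> List[dict]:
    """Send a plan to the Management API (not exercised offline). The server
    certificate is verified unless you pass your own context."""
    ctx = ctx or ssl.create_default_context()

    def post(cmd: str, body: dict, sid: Optional[str] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"{url}/{cmd}", data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    sid = post("login", {"user": user, "password": password})["sid"]
    try:
        return [post(cmd, body, sid) for cmd, body in calls]
    finally:
        post("logout", {}, sid)


if __name__ == "__main__":
    plan = (domain_object_plan(["a.opensuse.org", "b.opensuse.org"], ["https", "http"])
            + category_plan({"opensuse-web": ["*.opensuse.org"]})
            + category_plan({}, category="Blacklist", action="Drop")
            + finish_plan())
    for cmd, body in plan:            # dry run: show what would be sent
        print(cmd, json.dumps(body))
```

Because every rule is inserted at "top", issue the Whitelist plan before the Blacklist plan so the block rule ends up above the allow rule, as Maarten describes. Run it first as the dry run above and compare the output with what you would click through in SmartConsole; only then call `run(plan, user, password)`, and remember that nothing reaches the gateway until the install-policy call (or the Install Policy button) completes.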