This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nima_Chogyal
Contributor
‎2023-11-15 09:34 PM

FQDN Objects

Hi,

So one of the banks gives access to only internal services from checkpoint and restricts internet surfing on some LANs.Previously they had a mail server that was in their local LAN and recently they migrated to google workspace. They bought the whole package where they will be using all the services that are given by google like gmail,google sheet etc. They want the LAN users to access only google workspace and restrict other traffic. I created quite alot of fqdn objects on the management server(R80.10) and installed the policy. 

It was working for a few minutes and as soon as the ip address to say google.com changes, the users cant access google workspace anymore. Its a ON and OFF thing. Not sure what the issue is, did everything as per the SK for FQDN. restarted the wsdns service aswell. The ip addresses of google seems to be changing and when it does ,google workspace is inaccessible aswell.

 

The only thing i didnt do is cpstop and cpstart/reboot the appliance.

The management server and the gateway cluster is running on R80.10.

 

Does anyone know what the issue is?

 

regards,

Nima

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2023-11-16 04:24 AM

R80.10 is End of Support and you should upgrade to a supported release (R81.20 being the most recent and recommended).
Allowing access to Google Workspace reliably should be done using App Control and with HTTPS Inspection.

0 Kudos
Nima_Chogyal
Contributor
‎2023-11-19 10:08 PM
In response to PhoneBoy

But is there a solution to the FQDN and the ever changing IP addresses for a single FQDNin R80.10?

As per the document it says it supports from r80.10.Customer has a internal DNS server. Is there anything that i have to do between the gateway and the DNS server?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-11-20 01:44 PM
In response to Nima_Chogyal

As indicated current versions may deal with this requirement better or a change in approach may be necessary.

See also: sk133313 / sk181215

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-11-20 02:17 PM
In response to Nima_Chogyal

The best solution I can suggest to what you indicated is using domain objects. Say, for argument's sake, the exact domain is https://app.bankxyz.com,  you can use below. What guys said is absolutely true, R80.10 is totally unsupported, BUT, to be blunt about it, if your customer cannot use app control or https inspection, even if they upgrade to R81.20, wont make the sligtest difference. Not to say they should not upgrade, R81.20 is super solid, but for now, I would stick with domain objects.

Andy

 

Screenshot_1.png

 

 

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-20 03:37 PM
In response to Nima_Chogyal

You can use non-FQDN objects as noted...if you know the exact FQDNs you will need to allow access to.
That is not practical to maintain and can be handled with an App Control signature.
For that to work right without HTTPS Inspection, you need to upgrade to a supported release that includes support for SNI: https://support.checkpoint.com/results/sk/sk163594

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2023-11-20 10:13 PM

@Nima_Chogyal blocking access to those type of cloud application with FQDN is not practical. That will be a never ending story hunting new IPs as a result of the fast changing of these IPs. Like @PhoneBoy wrote, use app control or myabe updatable objects to create your rules. All of the applications of googles workspace are available via app control and you can create rules based on them. We are using this to allow only some of the apps not all. This is working fine in our environment with enabled HTTPS inspection or SNI support and R81.20.

Here are a sample of googles applications and updatable objects available via SmartConsole to use in the rule base:

2023-11-21 07_02_20.png2023-11-21 07_11_41.png

0 Kudos
(1)
Nima_Chogyal
Contributor
‎2023-11-22 03:38 AM
In response to Wolfgang

The customer has fortigate on their network and it works with fqdn for fortigate gateways without a hitch.

So with https inspection enabled do i need to install the certificates on each of the machine for it to work or can i just put it in detect mode?

 

 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-11-22 03:41 AM
In response to Nima_Chogyal

Again there are enhancements in newer versions than you are running, so you're very likely comparing apple & oranges here.

Example:

sk161612: Domain Object Enhancement - DNS Passive Learning

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-28 01:34 PM
In response to Nima_Chogyal

HTTPS Inspection requires deploying CA certificates to clients.
This is only "necessary" as you are choosing to remain on R80.10 instead of upgrading to a supported release that has additional functionality that can be leveraged to meet this requirement instead of HTTPS Inspection.
Or, at the very least, you can get support if it's not working as expected.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events