Nah, non-FQDN object stops acceleration and generally is rather ineffective as it will only permit one IP in case names resolves to multiple . This option should be banned haha

Good to know, thank you!

Is there documentation on the single IP usage and stopping of acceleration when using this "Non-FQDN" objects? Or was information you obtained from TAC?

- Mike 

Actually it's fairly well documented

Best Practices - Working with Domain Objects (Pre R80.10) 

SecureXL Mechanism 

Couldn't find about one IP issue, but we had to learn it hard way so we left donaid objects alone pre-R80.10

Please understand I am not trying debate but better understand the documentation here and possibly help others. I to want to be able to use domain objects and possible wildcards. 

One link you sent represents a "Pre R80.10" best practice on domain objects which I have always agreed to and obeyed by, Domain objects on any version R77.30 or below was NOT a good idea. Everything I have read, starting in R80.10 this was not applicable and fixed. 

Below is from sk120633 towards the bottom. 
   

The SecureXL link also references where conditions are met to not create an accepted template. Yet references "Rules that contain Domain Object" would not create an accelerated template, but states that its been resolved in R80.10 (bottom bullet)

Snippet from SecureXL Mechanism link:

All subsequent rules below such rules will not be templated as well, regardless of the rule. It is advised that all rules that can be templated, be placed at the top of the rule base (unless of course, this will violate other optimization considerations):

• Rule with service 'Any' (resolved in R75.40 and above)

• Rule with a service that has a 'handler' (where a specific protocol is chosen in 'Protocol Type' field - instead of 'None' ; go to service object - right-click - click on "Edit..." - click on "Advanced..." button - refer to "Protocol Type:" field).
  Note: This setting can be changed only in SmartDashboard R7X and lower.

• Rules that contain Port range object (resolved in R75.40 and above).

• Rules that contain Time object (resolved in R80.10).

• Rules that contain Dynamic object (resolved in R80.10).

• Rules that contain Domain object (resolved in R80.10).

Good point Mike! I really don't have answer for that, I guess a better clarification would be useful. But just this note alone about reverse lookups would put me off in all honesty. I don't believe you would get accurate results with this approach

Note: some DNS servers do not support DNS reverse lookups or might not be fully updated with all reverse entries.

Also a good point Kaspars! I thought in R80.10 reverse DNS lookups were removed and only forward lookups were used. Good conversation!

I think the biggest talking point here is with cloud computing. I do not believe that AWS, for example, gives you the ability to create reverse DNS entries for any of your ELB, EC2, etc instances. They rely on the user adding a CNAME to make any host name to their owned domain (domain.com) look aesthetically pleasing. How would one using Check Point (rhetorical question) for a domain.com hosted within AWS with support.domain.com, community.domain.com etc. benefit from a Non-FQDN domain object where the IP cannot be defined? If one was to allow .domain.com but not want to allow all of AWS, all the underlying reverse entries for said AWS issued IP, 100.26.82.X for example, would look like this ec2-100-26-82-X.compute-1.amazonaws.com. If security was so strict that they did not want to allow .amazonaws.com domain object, how would this be accomplished? Would we need to define FQDN objects for each sub-domain we wanted our users to hit? I can see in the example this isn't an extreme admin overhead but what about instances where various companies use then a CDN, well say Akamai, all is good if we allow .amakaitechnologies.com, until said organization decides they want to switch CDN networks... 

Timothy Hall‌ Dameon Welch-Abernathy‌ Valeri Loukine‌ any insight as to how you are seeing users overcome these "reverse DNS" hurdles? 

- Mike 

Best not to rely on reverse DNS lookups, which have been problematic for a couple of decades now.

It's why we eventually reworked Domain objects to support forward DNS lookups. 

Thanks Dameon!

Can we assume that a FQDN object is a forward lookup and any Non-FQDN (un-tick the box) would be subject to a reverse DNS lookup?

Yes, this is how Domain objects worked prior to R80.10.

Note in the mode, the objects will not generate SecureXL templates.

Hey Mike, thought I'll follow up on this one as one of my admins eagerly created fifty odd "old style" FQDN objects and it resulted in DNS cache completely screwed up.. Acceleration still worked but it had all sorts of weird effects on rest of the traffic

So far it's been ok based on old info but I doubt it will last too long.. we did updates daily before

Ah - that was the reason for this thread. MS has stopped XML feed (we used that ourselves before) and changed it to REST. Which in itself would not be a problem but the main issue is that whole format has changed - some services are defined by FQDN only, some just by IP, some by both and some by domains with wildcards. And that's why it became tricky to implement in R80.10. Looks like R80.20 is the only option.. Unless CP ports the same functionality to R80.10

Will have to start new thread about R80.20 MDS and VSX experiences in real world

You might want to check MineMeld. Yes it is product from another vendor, but it is opensource product, which doesn't require licensing and it can be integrated with other vendors. There are some articles on how to deploy the MineMeld and also some useful how to create Office365 miners. The good news is that the miners are updated to work with the new REST service and the basic setup already return all IPv4, IPv6 and URLs used for any O365 product.

Having generated the feeds in Minemeld are you saying it is then possible to such these into R80.10? We have a Minemeld already and use it to feed out other firewall vendor devices but not Check Point yet as I didn't think it could.

If you're the one generating the feeds, you can generate them in { "name" : "Office365Group", "members" : { "add" : ["New Host 1", "New Host 2"]   } }  format and send it via POST to https://<Management Server IP>/web-api/v1.1/set-group

I want to make the argument that solving that o365 challenge is a compelling reason to upgrade. 

Kaspars Zibarts wrote:

Will have to start new thread about R80.20 MDS and VSX experiences in real world

Care to elaborate?

I just wanted to hear from those running R80.20 in larger networks, how's it going so far and if they would recommend to go ahead with MDS and VSX upgrades. That was all. Since we're sort of forced to rush it out earlier than we thought. I would normally want to wait till first jumbo is released.

Hi Kaspars

we upgrade JFH 154 to R80.10 VSX enabled gateways as advice by SE NZ here to take advantage of O365 dynamic objects but after applying the Hotfix Dynamic objects are still not supported. we open a TAC case and they informed us that Dynamic objects are only supported from R80.20 with a special Hotfix applied. that Hotfix was never applied in R80.10 environment and not GA for R80.10 yet. 

IT is really disappointment here R80.20 is recently launched and it may takes at least 6 month to becomes an stable version and fixed identified issues. Why CP R&D does not fixing this long waited issues in R80.10 which is not quite old yet.

i also don't understand why checkpoint continue being behind the technologies security needs for such a long time.

and again they are planing to do it as an "hard coded" so internal / custom uses of it may not be achieved.

Not entirely sure if I follow you - dynamic objects work absolutely fine on our VSX running R80.10 JHF 142

You probably meant updatable objects ? Then the only supported version is R80.20

But I can't agree more about "being so far behind" considering hoe long O365 and other cloud solutions have existed.

This was our old approach when XML existed and most services had IPs associated with them.

There are two issues now:

1) sometimes O365 client bypasses proxy settings and I have no idea why and no one has really come up with any reasonable answer. As a result you must have direct opening in the perimeter firewall

2) the new JSON list has some parts defined as FQDN with a wildcard and no IP, therefore it is impossible to cater for possible scenarios when proxy is bypassed and IP is not known upfront, for example

Yes, we still could keep scripting IP addresses from JSON lists but I believe it would make list incomplete.

1. This is interesting.  We were able to switch directly from XML to  new JSON published IPs without issue.

2. We are only paying attention to the IP.  With the Microsoft defined PAC file AND the IPs on the JSON, it should work just fine for normal client O365 traffic.

Great! Thanks for sharing that! Will try to follow up on that too! I guess the issue is that we don't use MS PAC file. Will dig into that

We integrated the MS PAC into ours, which says send all published MS IP space direct and everything else to the proxy.  Good luck!

Thought I can share my results  It seems to work nearly flawlessly as you suggested except 5 FQDNs that were meant to go via proxy (category is set to "Default" not optimized) but instead went directly from clients to MS. Still checking with our O365/client team why that would be the case

I was going to send you something in a DM, but apparently you need to be following me to do so...  If you want, follow me and I'll send my message.