This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
phlrnnr
Advisor
‎2018-06-25 09:58 AM

R80.10 FQDN objects and CNAME/aliases

We have been using the new FQDN objects in R80.10 Mgmt/GW, and have been having some issues with them.  As we troubleshoot the rules that don't work, it seems that when the FQDN object resolves a CNAME/alias record, that the rule never gets hit.  It seems that when an A record is returned, it works fine.

An example: .crl.godaddy.com returns an alias for:

   crl.godaddy.com canonical name = gdcrl.godaddy.com.akadns.net.
   Name: gdcrl.godaddy.com.akadns.net
   Address: 50.63.243.228

However, the rule was never hit until I added a host object for 50.63.243.228. Unfortunately, that IP is very likely to change.

Is this expected behavior for dns-domain objects that resolve to a CNAME?  IF a CNAME, shouldn't the FW resolve the CNAME/alias to get the IP result to use in the FQDN object/ruleset?

In addition, are there any good command line tools I can use on the R80.10 GW to see what it is using for FQDN objects?  We have been finding these quite difficult to troubleshoot (although we LOVE the idea of these objects if they worked consistently!)

Thanks for any assistance you can provide!

6 Replies
Juan_Lobera
Contributor
‎2018-06-25 11:12 AM

Have you tried using non-fqdn objects?
The gateway will try to do reverse lookups for all subdomains.

Or you can use "godaddy.com.akadns.net" as domain and it will match the rule.

0 Kudos
phlrnnr
Advisor
‎2018-06-25 11:51 AM
In response to Juan_Lobera

I'd rather not use non-fqdn objects as they are inherently un-reliable, and are known to cause performance impact.

The problem with using "godaddy.com.akadns.net" is that if crl.godaddy.com is pointed at different A record, then the rule will break.

Atul_Mahadik
Explorer
‎2018-07-16 03:08 AM

hello All,

Just want to check for non-fqdn objects, DO I need to enable the application blade in the CheckpoingR80.10?

0 Kudos
Jerry
Mentor
Mentor
‎2018-07-31 07:26 AM
In response to Atul_Mahadik

no you don't have to

ps. FQDN and (A) record is a tricky part ... has happened to me couple of times especially with Office365 dynamic-object entries ...

Jerry
Raj_Khatri
Advisor
‎2019-05-14 06:26 AM
In response to Jerry

There is a whitepaper which has more detail on FQDN objects.  CNAME support looks to be supported in R80.20, but I don't see it documented anywhere else.  We are also looking forward to this support.

Whitepaper

0 Kudos
Meital_Natanson
Employee
Employee
‎2019-10-30 01:01 PM

Hi,

Please check the following:

1. Validate that DNS server is well defined on the GW

2. Run  'nslookup checkpoint.com' on the GW and make sure you get response

3. Run 'nslookup crl.godaddy.com' on the GW and make sure it returns you the IP you expect to (50.63.243.228)

4. Check that domains cache table is not empty: fw tab -t dns_reverse_cache_tbl

5. If all the above is true, check if you have another domain object that is resolved to the same IP address as the above? (sk145952)

 

Regarding command line tool - starting R80.20 GWs, domains_tool CLI is available for this purpose (sk161632).

 

Thanks,

Meital

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events