Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Cypress
Contributor

Allow a star dot domain

Quick question, what is the best way to allow a *.domain in Check Point?  I know you can create a Domain Object, and if you check the box for FQDN mode, then the gateway queries the FQDN hostname you enter for the object, and whatever IP Addresses it returns, it caches those and treats traffic to/from those IPs as matching the Domain Object.  If you leave FQN unchecked, you can enter a whole domain, but what the Gateway does is reverse lookup the IP Address of the traffic, and if the PTR record from the reverse lookup matches the domain name you specify in the object, then the traffic is treated as matching that object.

The problem with that is, most orgs don't populate PTR records.  Also anything hosted in Azure, AWS, or other public clouds will usually have a PTR record associated with the cloud provider, and not of the customer domain.

In other words, using the Domain Object without FQDN toggled is not really a good way to allow a *.domain.

You can do a Custom Site URL list, but my understanding is this is used by the URL filtering blade, requires SSL inspection, and may not work in a security rule, such as "allow port 1234 to *.domain" as the customer is requesting.

What other best practices or recommendations exist to accomplish the above?

0 Kudos
3 Replies
the_rock
Legend
Legend

I made it work before without ssl inspection. Just make sure urlf blade is on, appc as well preferable, and enable url blade in policy layer editor. I always follow this logic...say you want to block anything tiktok, I just create custom app site and add *tiktok*

Install policy, test. Only downside is that obviously without ssl inspection, there is no further checking if page is blocked, plus block page is non-existant, which can confuse users.

Andy

0 Kudos
PhoneBoy
Admin
Admin

R81.20 and Network Feeds.
Make sure you can leverage Passive DNS learning also: https://support.checkpoint.com/results/sk/sk161612 

0 Kudos
Bob_Zimmerman
Authority
Authority

Custom Application/Site objects do require the firewall have URL Filtering enabled, but they don't require HTTPS Inspection to be enabled. Instead, go to Manage & Settings > Blades > Application Control & URL Filtering > Advanced Settings > General > URL Filtering and make sure "Categorize HTTPS websites" is checked. That allows matching HTTPS connections without HTTPS Inspection.

From there, you just need to make an object to match the site. I spent some time about a year ago figuring out how Check Point's matching expressions work and posted my findings here.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events