This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cypress
Contributor
‎2024-05-16 06:19 PM

Allow a star dot domain

Quick question, what is the best way to allow a *.domain in Check Point?  I know you can create a Domain Object, and if you check the box for FQDN mode, then the gateway queries the FQDN hostname you enter for the object, and whatever IP Addresses it returns, it caches those and treats traffic to/from those IPs as matching the Domain Object.  If you leave FQN unchecked, you can enter a whole domain, but what the Gateway does is reverse lookup the IP Address of the traffic, and if the PTR record from the reverse lookup matches the domain name you specify in the object, then the traffic is treated as matching that object.

The problem with that is, most orgs don't populate PTR records.  Also anything hosted in Azure, AWS, or other public clouds will usually have a PTR record associated with the cloud provider, and not of the customer domain.

In other words, using the Domain Object without FQDN toggled is not really a good way to allow a *.domain.

You can do a Custom Site URL list, but my understanding is this is used by the URL filtering blade, requires SSL inspection, and may not work in a security rule, such as "allow port 1234 to *.domain" as the customer is requesting.

What other best practices or recommendations exist to accomplish the above?

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2024-05-16 06:30 PM

I made it work before without ssl inspection. Just make sure urlf blade is on, appc as well preferable, and enable url blade in policy layer editor. I always follow this logic...say you want to block anything tiktok, I just create custom app site and add *tiktok*

Install policy, test. Only downside is that obviously without ssl inspection, there is no further checking if page is blocked, plus block page is non-existant, which can confuse users.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-16 07:42 PM

R81.20 and Network Feeds.
Make sure you can leverage Passive DNS learning also: https://support.checkpoint.com/results/sk/sk161612 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-05-17 06:51 AM

Custom Application/Site objects do require the firewall have URL Filtering enabled, but they don't require HTTPS Inspection to be enabled. Instead, go to Manage & Settings > Blades > Application Control & URL Filtering > Advanced Settings > General > URL Filtering and make sure "Categorize HTTPS websites" is checked. That allows matching HTTPS connections without HTTPS Inspection.

From there, you just need to make an object to match the site. I spent some time about a year ago figuring out how Check Point's matching expressions work and posted my findings here.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events