This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Exonix
Advisor
‎2022-07-26 07:44 AM
Jump to solution

Domain Name based rule doesn't work

Hello everyone,

there are serveral gateways 80.40. I've configured some policies with Domain Names. Almost on all FW it works, but doesn't work on one Gateway. It is resolved by gateway, but does not pass through the FW. What is wrong and how to fix it? Thank you!

log1.png

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Rafal_N
Contributor
‎2022-07-27 07:24 AM
In response to Exonix
Jump to solution

Have You been trying Updateable objects?? From my experience it works much more deterministic then working with DomainName object for MS.

 

MS_Azure_Updateble.png

 

Also you can list or check what domain or what ip object is included using domains_tool:

domain_tool.png

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2022-07-26 08:42 AM
Jump to solution

Tick the FQDN box on that object.
Otherwise, it's a classic Domain object, which actually requires reverse DNS resolution of the IP address(es) in question.
Those IP addresses do not have a reverse DNS entry, at least as far as I know.

Exonix
Advisor
‎2022-07-26 09:39 AM
In response to PhoneBoy
Jump to solution

Hello @PhoneBoy 

thank you for your answer. It did help, but only for some names:

Test-NetConnection -ComputerName mscrl.microsoft.com -port 80
ComputerName : mscrl.microsoft.com
RemoteAddress : 152.199.19.160
RemotePort : 80
InterfaceAlias : Ethernet0
SourceAddress : 192.168.30.4
TcpTestSucceeded : True

But here is still doesn't work:

Test-NetConnection -ComputerName crl.microsoft.com -port 80
WARNING: TCP connect to (87.123.248.82 : 80) failed
WARNING: TCP connect to (87.123.248.32 : 80) failed
WARNING: Ping to 87.123.248.82 failed with status: TimedOut
WARNING: Ping to 87.123.248.32 failed with status: TimedOut

ComputerName : crl.microsoft.com
RemoteAddress : 87.123.248.82
RemotePort : 80
InterfaceAlias : Ethernet0
SourceAddress : 192.168.30.4
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False

 

from my home PC it works:

Test-NetConnection -ComputerName crl.microsoft.com -port 80
ComputerName : crl.microsoft.com
RemoteAddress : 89.27.241.11
RemotePort : 80
InterfaceAlias : Ethernet
SourceAddress : 192.168.178.112
TcpTestSucceeded : True

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-07-26 08:51 AM
Jump to solution

Further to @PhoneBoy suggestion are all gateways running the same JHF level, are the clients also using the same DNS as the gateway?

CCSM R77/R80/ELITE
Exonix
Advisor
‎2022-07-26 09:41 AM
In response to Chris_Atkinson
Jump to solution

Hello @Chris_Atkinson ,

thank you for your answer. Yes, all gateways are the same. We have updated them recently.

No, the clients and gateways are using different DNS, but this isn't a problem for the other gateways

0 Kudos
PhoneBoy
Admin
Admin
‎2022-07-26 11:25 AM
In response to Exonix
Jump to solution

These objects only work properly if the DNS servers used by the clients and gateway produce the exact same results.
The easiest way to ensure this is to have the gateways and clients use the same DNS resolver.

0 Kudos
Rafal_N
Contributor
‎2022-07-27 07:24 AM
In response to Exonix
Jump to solution

Have You been trying Updateable objects?? From my experience it works much more deterministic then working with DomainName object for MS.

 

MS_Azure_Updateble.png

 

Also you can list or check what domain or what ip object is included using domains_tool:

domain_tool.png

Exonix
Advisor
‎2022-08-04 07:58 AM
In response to Rafal_N
Jump to solution

thank you! this is the easiest way!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events