Exonix
Advisor

Domain Name based rule doesn't work

Hello everyone,

there are several gateways 80.40. I've configured some policies with Domain Names. On almost all FWs it works, but it doesn't work on one gateway. It is resolved by the gateway, but does not pass through the FW. What is wrong and how do I fix it? Thank you!

log1.png
0 Kudos

7 Replies
PhoneBoy
Admin

Tick the FQDN box on that object.
Otherwise, it's a classic Domain object, which actually requires reverse DNS resolution of the IP address(es) in question.
Those IP addresses do not have a reverse DNS entry, at least as far as I know.

Exonix
Advisor

Hello @PhoneBoy,

thank you for your answer. It did help, but only for some names:

Test-NetConnection -ComputerName mscrl.microsoft.com -port 80
ComputerName : mscrl.microsoft.com
RemoteAddress : 152.199.19.160
RemotePort : 80
InterfaceAlias : Ethernet0
SourceAddress : 192.168.30.4
TcpTestSucceeded : True

But here it still doesn't work:

Test-NetConnection -ComputerName crl.microsoft.com -port 80
WARNING: TCP connect to (87.123.248.82 : 80) failed
WARNING: TCP connect to (87.123.248.32 : 80) failed
WARNING: Ping to 87.123.248.82 failed with status: TimedOut
WARNING: Ping to 87.123.248.32 failed with status: TimedOut

ComputerName : crl.microsoft.com
RemoteAddress : 87.123.248.82
RemotePort : 80
InterfaceAlias : Ethernet0
SourceAddress : 192.168.30.4
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False

From my home PC it works:

Test-NetConnection -ComputerName crl.microsoft.com -port 80
ComputerName : crl.microsoft.com
RemoteAddress : 89.27.241.11
RemotePort : 80
InterfaceAlias : Ethernet
SourceAddress : 192.168.178.112
TcpTestSucceeded : True

0 Kudos
Chris_Atkinson
Employee

Further to @PhoneBoy's suggestion: are all gateways running the same JHF level, and are the clients also using the same DNS as the gateway?

CCSM R77/R80/ELITE
Exonix
Advisor

Hello @Chris_Atkinson ,

thank you for your answer. Yes, all gateways are the same. We have updated them recently.

No, the clients and gateways are using different DNS, but this isn't a problem for the other gateways.

0 Kudos
PhoneBoy
Admin

These objects only work properly if the DNS servers used by the clients and gateway produce the exact same results.
The easiest way to ensure this is to have the gateways and clients use the same DNS resolver.

0 Kudos
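A small diagnostic for the two failure modes discussed in this thread, added here as an example (not code from the thread or from Check Point): it resolves the FQDN on the client's resolver and on the gateway's resolver, reverse-resolves the client-side IPs, and reports which addresses a classic Domain object (needs a matching PTR) or an FQDN object (needs identical forward answers) would fail to match. It assumes dig(1) is installed; the resolver addresses are supplied by the caller.

```python
"""Why a Domain or FQDN object may not match a client's traffic.

Classic Domain object: destination IP must reverse-resolve (PTR) into the domain.
FQDN object: the gateway's forward lookup must return the IPs the client uses.
Both break when client and gateway resolvers get different (e.g. CDN) answers.
"""
import subprocess
from typing import Dict, List, Set


def dig_short(name: str, resolver: str, rtype: str = "A") -> List[str]:
    """Query one resolver with dig(1) (assumed installed); return the answers."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return [ln.strip().rstrip(".") for ln in out.splitlines() if ln.strip()]


def ptr_name(ip: str) -> str:
    """in-addr.arpa name of an IPv4 address, for the reverse lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def classify(fqdn: str, domain: str, client_ips: Set[str],
             gateway_ips: Set[str], ptr: Dict[str, str]) -> Dict[str, List[str]]:
    """Per object type, list the client-side IPs that would not match, and why."""
    findings: Dict[str, List[str]] = {"fqdn_object": [], "domain_object": []}
    for ip in sorted(client_ips):
        if ip not in gateway_ips:            # FQDN mode: forward answers differ
            findings["fqdn_object"].append(f"{ip}: gateway did not resolve {fqdn} to it")
        name = ptr.get(ip)                   # classic mode: needs a PTR inside the domain
        if name is None:
            findings["domain_object"].append(f"{ip}: no PTR record")
        elif not name.endswith(domain):
            findings["domain_object"].append(f"{ip}: PTR {name} is outside {domain}")
    return findings


def diagnose(fqdn: str, domain: str, client_dns: str, gateway_dns: str):
    """Live check: forward-resolve on both resolvers, reverse-resolve client IPs."""
    client_ips = set(dig_short(fqdn, client_dns))
    gateway_ips = set(dig_short(fqdn, gateway_dns))
    ptr: Dict[str, str] = {}
    for ip in client_ips:
        answers = dig_short(ptr_name(ip), gateway_dns, "PTR")
        if answers:
            ptr[ip] = answers[0]
    return classify(fqdn, domain, client_ips, gateway_ips, ptr)
```

Run `diagnose("crl.microsoft.com", ".microsoft.com", <client resolver>, <gateway resolver>)` from a host that can reach both resolvers; an empty report for both object types means the object should match.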
Rafal_N
Contributor

Have you been trying Updatable Objects? From my experience it works much more deterministically than working with a Domain Name object for MS.

MS_Azure_Updateble.png

Also, you can list or check which domain or IP object is included using domains_tool:

domain_tool.png

Exonix
Advisor

Thank you! This is the easiest way!

0 Kudos
