Linus_Espach
Participant

Domain-Object matching (exact) procedure

Dear CP,

According to your sk120633 (Domain Objects), the Non-FQDN mode "... uses DNS reverse lookup (if the IP address is not already in cache)."

There is an example where you state that a Non-FQDN object with

  • ".checkpoint.com"

would also match

  • "support.checkpoint.com" or
  • "community.checkpoint.com"

(as stated, by reverse lookup of the IP)

Therefore I resolved both (using dig):

  • support.checkpoint.com -> support.us.checkpoint.com -> 209.87.209.88
  • community.checkpoint.com -> e1364.dscb.akamaiedge.net -> 23.203.123.111

So the client will, for example, resolve the domains and get the above IPs.

The packet arriving at the firewall with the ".checkpoint.com" FQDN object will now try to resolve these IPs, therefore:

  • 209.87.209.88 -> NX
  • 23.203.123.111 -> plenty of x.arin.net entries

Did I understand the procedure/technique correctly? If yes, how should the FW be able to determine that these IPs belong to ".checkpoint.com" if it is either an NX entry or plenty of completely different entries?

Thanks for your help, and best regards,

Linus

0 Kudos
5 Replies
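The matching procedure the post describes, worked through as an added example (not code from the original post or from Check Point): the packet's destination IP is reverse-resolved, and the resulting PTR names are compared against the Domain Object, as a suffix for a non-FQDN object with a leading dot and as an exact name otherwise. The PTR answers are a constructed table rather than live DNS; the two addresses from the post are mapped as the post reports them, and the 192.0.2.x addresses (RFC 5737 documentation range) and their PTR names are assumptions added to show a match and a near-miss.

```python
# Added example: simulate non-FQDN / FQDN Domain Object matching on reverse DNS.
# DNS data below is a constructed table, not the result of real lookups.

NXDOMAIN = None

# Constructed PTR table (IP -> list of PTR names, or None for NXDOMAIN).
PTR_TABLE = {
    "209.87.209.88": NXDOMAIN,                                  # as reported in the post
    "23.203.123.111": ["ptr-a.arin.net.", "ptr-b.arin.net."],   # constructed arin.net names
    "192.0.2.10": ["support.checkpoint.com."],                  # constructed: should match
    "192.0.2.20": ["notcheckpoint.com."],                       # constructed: must NOT match
}


def reverse_lookup(ip, table=PTR_TABLE):
    """Return the PTR names for ip, or None when the lookup is NXDOMAIN."""
    return table.get(ip)


def normalize(name):
    """Lower-case and drop the trailing root dot so names compare cleanly."""
    return name.lower().rstrip(".")


def matches_domain_object(ip, domain_object, table=PTR_TABLE):
    """Decide whether the packet's IP is covered by the Domain Object.

    Non-FQDN object (leading dot, e.g. ".checkpoint.com"): any PTR name that
    equals the apex or ends with the dotted suffix matches, so
    "notcheckpoint.com" is rejected because the dot anchors the label boundary.
    FQDN object (no leading dot): only an exact PTR name matches.
    NXDOMAIN or an empty answer gives the firewall nothing to compare, so
    the result is no match, which is exactly the failure the post asks about.
    """
    names = reverse_lookup(ip, table)
    if not names:
        return False
    names = [normalize(n) for n in names]
    if domain_object.startswith("."):
        suffix = normalize(domain_object)   # ".checkpoint.com"
        apex = suffix.lstrip(".")           # "checkpoint.com"
        return any(n == apex or n.endswith(suffix) for n in names)
    return any(n == normalize(domain_object) for n in names)


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, "->", reverse_lookup(ip), "matches .checkpoint.com:",
              matches_domain_object(ip, ".checkpoint.com"))
```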