This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
handiansudianto
Advisor
‎2023-08-22 01:30 AM
Jump to solution

Domain Object

Hello,

 

I make a test rule to allowing one server access to ww.detik.com, i create domain object with .detik.com

But i think the domain object is not working, the server still can't access to the www.detik.com, tick and untick the FQDN on the domain object not helping. 

Anyone know how about this?

 

 
 

 

 

 

Labels
0 Kudos
1 Solution

Accepted Solutions
Daniel_3
Contributor
‎2023-08-23 01:53 AM
In response to handiansudianto
Jump to solution

Restart of WSDNSD only impacts DNS resolution of the firewall itself and no other traffic. If you have multiple domain-objects and updatable objects I would do it outside of business hours (except if all of them don't work, then it does not matter).

If it is just this one domain you can do it any time.

View solution in original post

0 Kudos
14 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-08-22 01:44 AM
Jump to solution

As you do not show the rule created and the object in detail it is very hard to help here. Did you follow https://support.checkpoint.com/results/sk/sk120633 ? Also read https://support.checkpoint.com/results/sk/sk90401

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
handiansudianto
Advisor
‎2023-08-22 01:53 AM
In response to G_W_Albrecht
Jump to solution

Hi @G_W_Albrecht 

 

yes l already follow the reference article, and here i send my rule

cp1.JPG

 

 

Ticked or not the rule is not working

cp2.JPG

 

 

 

 

 

 

 

 

Result :

CP3.JPG

 

 

 

 

cp4.JPG

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-08-22 02:16 AM
In response to handiansudianto
Jump to solution

And which rule does match and drop the traffic, cleanup rule ? Why do you use Any service for the rule ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
handiansudianto
Advisor
‎2023-08-22 05:39 PM
In response to G_W_Albrecht
Jump to solution

Yes the traffic dropped by cleanup rule. Since i only need the server access to some websites so i set the service as 'Any'.

It's wrong?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-22 06:40 AM
In response to handiansudianto
Jump to solution

Non-FQDN objects require the ability to reverse-resolve the IP address to the relevant domain.
FQDN objects require a forward lookup on the relevant FQDN.
Have you confirmed the gateway can actually do this?
See also: https://support.checkpoint.com/results/sk/sk161632 (to troubleshoot)
Maybe also see if the following will help: https://support.checkpoint.com/results/sk/sk161612 

0 Kudos
handiansudianto
Advisor
‎2023-08-22 05:44 PM
In response to PhoneBoy
Jump to solution

Hello,

Yes the gateway can do forward lookup.

cp5.JPG

When issuing command domain_tool -d www.detik.com i got 'Domain is not attached to any IP address'

cp6.JPG

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-23 12:17 PM
In response to handiansudianto
Jump to solution

Recommend engaging with the TAC here: https://help.checkpoint.com

0 Kudos
Daniel_3
Contributor
‎2023-08-23 12:09 AM
Jump to solution

Is the source IP of the server also correct?
Recent policy install was done too? - Can check with "fw stat" on gateway.

0 Kudos
handiansudianto
Advisor
‎2023-08-23 12:13 AM
In response to Daniel_3
Jump to solution

Hi..

yes, the policy already installed. Also i have another checkpoint and i do test by issuing 'domain_tool -d www.detik.com'

and this checkpoint showing ip address of detik.com but not for my 1st checkpoint.

0 Kudos
Daniel_3
Contributor
‎2023-08-23 01:07 AM
In response to handiansudianto
Jump to solution

Did you already try 'domains_tool -report' from sk161632?

0 Kudos
handiansudianto
Advisor
‎2023-08-23 01:12 AM
In response to Daniel_3
Jump to solution

i got 'WSDNSD and DNS servers are not synchronized' when issuing 'domains_tool -report'

This can be fixed by command below right? Will this command cause a downtime?

cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "fw kill wsdnsd"; cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd"

0 Kudos
Daniel_3
Contributor
‎2023-08-23 01:53 AM
In response to handiansudianto
Jump to solution

Restart of WSDNSD only impacts DNS resolution of the firewall itself and no other traffic. If you have multiple domain-objects and updatable objects I would do it outside of business hours (except if all of them don't work, then it does not matter).

If it is just this one domain you can do it any time.

0 Kudos
handiansudianto
Advisor
‎2023-08-23 06:09 PM
In response to Daniel_3
Jump to solution

After restarting the WSDNSD now the domain object is working, but i still have a question about object domain.

I want to make domain object for this URL

ussus1eastprod.blob.core.windows.net
ussus2eastprod.blob.core.windows.net
ussus3eastprod.blob.core.windows.net
ussus4eastprod.blob.core.windows.net
wsus1eastprod.blob.core.windows.net
wsus2eastprod.blob.core.windows.net

and i make domain object with name .blob.core.windows.net and FQDN not ticked. On my mind domain object .blob.core.windows.net can discover all URL above but when i check with command domains_tool -d blob.core.windows.net and i just only get one ip address. Did you know why?

 
 

 

 

Preview file
57 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-24 03:01 PM
In response to handiansudianto
Jump to solution

Because Domain Objects that aren't FQDN rely on reverse DNS to operate.
When I look up the IP I get for, e.g. wsus2eastprod.blob.core.windows.net, I get an NXDOMAIN (no record found) for the IP that it resolves to.
Recommend doing this with either a Custom Application/Site or put these hosts in a Network Feed in R81.20+.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events