Domain Objects on R80.10 allow three similar FQDNs
I want to allow three sites hosted by a well known cloud provider to be defined via Domain Objects in FQDN mode.
The sites are:
blog.cloudserviceco.com
aaa.cloudserviceco.com
tcl.cloudserviceco.com
Do I set these up as is, or with a period (.) before each one? I do not want to use just .cloudserviceco.com unless this is the only way forward.
Accepted Solutions
Hi All,
with regard to FQDN objects in a policy I want to use for example 3 hosts
a.cloudservice.com
b.cloudservice.com
c.cloudservice.com
Do I just add 3 domain objects as follows: .a.cloudservice.com, .b.cloudservice.com and .c.cloudservice.com, with the period in front? If you do an nslookup of this it doesn't work, so does Checkpoint treat this differently to remove the "."?
Thanks in advance
Alan
Running R80.40, if I configure a host for example .mail.google.com and add it to a policy I get the following error: "'.mail.google.com' can't be resolved to an ip address."
My firewall manager has dns configured and resolves names
I get the same error even with .google.com
Can the gateway resolve DNS names?
This is required on every gateway that is enforcing this policy.
Where precisely are you getting this error message?
Can you provide a screenshot?
Yes, it resolves DNS names. I wonder if it is only a cosmetic issue before I install the policy.
I have eventually installed the policy with that warning, and it works for an FQDN entry for .checkpoint.com but it doesn't for .community.checkpoint.com. It doesn't match it, which I think is consistent with my understanding of the user guides. So I am a bit confused; you guys seem to expect that it should work for hostnames too.
FQDN == Fully Qualified Domain Name.
I suspect the issue is that:
- checkpoint.com resolves directly to an A record (i.e. an IP address)
- community.checkpoint.com resolves to a CNAME (i.e. an alias that, in this case, points to another alias, which points to multiple IP addresses)
I assume if you put the hostname that community.checkpoint.com ultimately resolves to, which is d2m0sklryvkyy2.cloudfront.net, that will work.
I did find one TAC case that suggests this should have been fixed at some point.
Please engage with the TAC, but meanwhile you can employ the above workaround (use the host the CNAME record ultimately resolves to).
Just tested with .d2m0sklryvkyy2.cloudfront.net and it is not blocked.
I have tested with just a regular hostname, webmail.domain.com, that resolves to a unique IP, and it is blocked.
So I guess that it may struggle with d2m0sklryvkyy2.cloudfront.net because it resolves to more than one ip.
It should work in the other case as well, which suggests a bug.
A TAC case is definitely in order.
I have upgraded to take 91 and it resolves the alias issue.
However I am facing a challenge that it may require a different approach.
I am testing with "mail.google.com", which seems to resolve to different IPs depending on your geolocation.
So I have different DNS servers on the Checkpoint servers and on my test host that makes the HTTP request. They both get different IPs for mail.google.com.
Can checkpoint do anything with that?
Not much you can do in this case except to align the DNS servers used by the client and gateways.
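The two failure modes in this thread (an object name that is a CNAME chain ending in several A records, and a gateway whose resolver answers differently from the client's) both come down to one question: which IP set does the name resolve to from the gateway's point of view, and is the client's destination in it? The script below is an added example written for this thread, not Check Point code and not a description of how the product's matching is implemented. It walks a constructed record set the way a resolver follows CNAMEs, then compares a gateway view with a client view. The intermediate alias `alias.example.net`, all IP addresses and the `loop.example` records are constructed; only the `d2m0sklryvkyy2.cloudfront.net` target comes from the thread. It assumes an exact-name match: the object's name (leading period stripped, as an assumption about the thread's notation) is resolved as given and compared against the packet's destination IP.

```python
# Added example for this CheckMates thread (not Check Point code): follow CNAME chains
# the way a resolver must before an FQDN-mode object can be compared to a destination
# IP, then compare the gateway's DNS view with the client's. All record data is
# constructed for illustration; the IP addresses are documentation ranges.
import ipaddress
from typing import Dict, List, Set, Tuple

Records = Dict[str, List[Tuple[str, str]]]

# Constructed zone data as seen by the gateway's resolver.
GATEWAY_VIEW: Records = {
    "checkpoint.com": [("A", "203.0.113.10")],
    # CNAME -> CNAME -> two A records, the shape described in the thread
    "community.checkpoint.com": [("CNAME", "alias.example.net")],  # hypothetical intermediate alias
    "alias.example.net": [("CNAME", "d2m0sklryvkyy2.cloudfront.net.")],
    "d2m0sklryvkyy2.cloudfront.net": [("A", "198.51.100.1"), ("A", "198.51.100.2")],
    "mail.google.com": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    # A broken CNAME loop (constructed), to show why the walk needs a hop limit
    "loop.example": [("CNAME", "loop2.example")],
    "loop2.example": [("CNAME", "loop.example")],
}

# The client uses a different resolver and receives a geo-specific answer (constructed).
CLIENT_VIEW: Records = dict(GATEWAY_VIEW)
CLIENT_VIEW["mail.google.com"] = [("A", "192.0.2.20")]


def normalize(name: str) -> str:
    """Lower-case, drop a trailing root dot and the leading '.' used in the thread's object names."""
    return name.strip().lower().strip(".")


def resolve_a(name: str, records: Records, max_hops: int = 8) -> Tuple[str, Set[str]]:
    """Follow CNAMEs from `name` and return (final_name, set of A-record IPs as strings).

    Raises ValueError on a CNAME loop or a chain longer than max_hops.
    """
    current = normalize(name)
    seen: Set[str] = set()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop detected at {current}")
        seen.add(current)
        rrs = records.get(current, [])
        cnames = [value for rtype, value in rrs if rtype == "CNAME"]
        if cnames:
            current = normalize(cnames[0])  # a name carries at most one CNAME
            continue
        ips = {str(ipaddress.ip_address(value)) for rtype, value in rrs if rtype == "A"}
        return current, ips
    raise ValueError(f"CNAME chain for {name} exceeds {max_hops} hops")


def fqdn_object_matches(object_name: str, dst_ip: str, records: Records) -> bool:
    """True if `dst_ip` is one of the addresses `object_name` resolves to.

    Models exact-name matching (an assumption for this example): the object's name is
    resolved after normalization and the destination is compared against the resulting
    IP set. Names that cannot be resolved match nothing, the fail-closed choice.
    """
    try:
        _, ips = resolve_a(object_name, records)
    except ValueError:
        return False
    return str(ipaddress.ip_address(dst_ip)) in ips


def dns_view_difference(name: str, gateway: Records, client: Records) -> Tuple[Set[str], Set[str]]:
    """Return (IPs only the gateway sees, IPs only the client sees) for `name`.

    A non-empty second set is the situation in the last post: the client connects to
    an address the gateway's resolver never returned, so the rule cannot match it.
    """
    _, gw_ips = resolve_a(name, gateway)
    _, cl_ips = resolve_a(name, client)
    return gw_ips - cl_ips, cl_ips - gw_ips


if __name__ == "__main__":
    for obj in ("checkpoint.com", ".community.checkpoint.com", "mail.google.com"):
        final, ips = resolve_a(obj, GATEWAY_VIEW)
        print(f"{obj:28} -> {final} {sorted(ips)}")
    print("mail.google.com view difference (gateway-only, client-only):",
          dns_view_difference("mail.google.com", GATEWAY_VIEW, CLIENT_VIEW))
```

Run against real data, the two views would be populated from `nslookup`/`dig` output taken on the gateway and on the client; a non-empty client-only set is the aligned-resolvers problem the last reply describes, and a final name with several A records is the CNAME case from the middle of the thread.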