- Products
- Learn
- Local User Groups
- Partners
-
More
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
IDC Spotlight -
Uplevel The SOC
Important! R80 and R80.10
End Of Support around the corner (May 2021)
I want to allow three sites hosted by a well known cloud provider to be defined via Domain Objects in FQDN mode.
The sites are:
blog.cloudserviceco.com
aaa.cloudserviceco.com
tcl.cloudserviceco.com
Do I set these up as is or with a period (.) before each one. I do not want to use just .cloudserviceco.com unless this is the only way forward.
HI All,
with regard to FQDN objects in a policy I want to use for example 3 hosts
a.cloudservice.com
b.cloudservice.com
c.cloudservice.com
Do I just add 3 domain objects as follows .a.cloudservice.com, b. cloudservice.com and .c.cloudservice.com with the period in front? if you do a nslookup of this it doesn't work so does Checkpoint treat this differently to remove the . ?
Thanks in advance
Alan
running r80.40, if I configure a host for example .mail.google.com and add it to a policy I get the following error ".mail.google.com' can't be resolved to an ip address.
My firewall manager has dns configured and resolves names
I get the same error even with .google.com
Can the gateway resolve DNS names?
This is required on every gateway that is enforcing this policy.
Where precisely are you getting this error message?
Can you provide a screenshot?
I have eventually installed the policy with that warning and it works for a FQDN entry for .checkpoint.com but it doesn't for .community.checkpoint.com. It doesn't match it which I think it is consistent with my understanding of the user guides. So I am a bit confused, you guys seem to expect that it should work for hostnames too
FQDN == Fully Qualified Domain Name.
I suspect the issue is that:
I assume if you put the hostname that community.checkpoint.com ultimately resolves to, which is d2m0sklryvkyy2.cloudfront.net, that will work.
I did find one TAC case that suggests this should have been fixed at some point.
Please engage with the TAC, but meanwhile you can employ the above workaround (use the host the CNAME record ultimately resolves to).
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY