nemezis_rock
Contributor

Domain object FQDN not matching properly

Hi dears,

R81.10 JHT 109

A month ago I was testing Reverse Proxy usage. And it worked great with Access Policy.

My test Reverse Proxy rules were like this:

rule1 |  https://test1.domain.example/ -> http://192.168.10.10/
rule2 |  https://test2.domain.example/ -> http://192.168.20.20/

Test Security Access Rules were:

AccRule1
Source: ExternalIP1
Dst: .test1.domain.example (Domain Object FQDN)
Service: HTTPS
Action: Accept

AccRule2
Source: ExternalIP2
Dst: .test2.domain.example (Domain Object FQDN)
Service: HTTPS
Action: Accept

And it worked fine that time! ExternalIP1 was accessing .test1.domain.example and couldn't access .test2.domain.example. All other external requests to my domain were being dropped by the cleanup rule.

But now the Firewall has stopped matching FQDNs. When ExternalIP1 connects to .test2.domain.example it passes traffic via AccRule1, and according to the Logs the destination is shown as .test1.domain.example. It is not resolving the FQDN.

Any suggestions?

Thanks in advance.

0 Kudos
8 Replies
PhoneBoy
Admin

Have you done any troubleshooting with the domains tool?
See: https://support.checkpoint.com/results/sk/sk161632 

0 Kudos
nemezis_rock
Contributor

Hi,

Domain Object is resolving fine. 

domains_tool -report gave just "Undefined DNS servers found".

The issue is that the Firewall blade is matching the FQDN of second.domain.example as first.domain.example. In the Logs it sees it not as second.domain.example but as first.domain.example. The first Access Rule contains first.domain.example. And even if there is no access rule for second.domain.example but a Reverse Proxy rule exists, a request to the second domain passes the Firewall as Dst: first.domain.example and then goes to the RProxy rule.

So I am a bit confused. It was working fine while testing. But now it just won't.

Look at the screenshot:

[screenshot: rpx.png]

The Access rule has only one service (8001) that's hidden behind the RProxy and the first FQDN, but it forwards it to two services (8001 and 8003) because the second FQDN is recognized as the first and passed to the RProxy rule for the 8003 service.

0 Kudos
PhoneBoy
Admin

When you say Reverse Proxy, you mean this functionality?
https://support.checkpoint.com/results/sk/sk110348

Regardless, you’ll probably need to consult with the TAC on this: https://help.checkpoint.com

0 Kudos
nemezis_rock
Contributor

I've opened a ticket, thanks.

Maybe it is a bug.

I will share if the CP team gives me the solution.

0 Kudos
Wolfgang
Authority

@nemezis_rock this looks like a follow-up of your former post https://community.checkpoint.com/t5/Security-Gateways/Implied-Rules-accepting-HTTP-HTTPS-traffic-How... Please have a look at my last comment.

Do test2.domain.example and test1.domain.example resolve via DNS to the same IP address? (They should, because you want to forward these via the Reverse Proxy.)

If yes, you see expected behaviour, because the gateway handles a rule with a domain object using the DNS-resolved IP address and not the FQDN or URL.

0 Kudos
nemezis_rock
Contributor

The point is that it was working fine while testing.

The Firewall blade saw two FQDNs perfectly. I've created two domain objects pointing to the same GW External address.

I found Logs especially for you)

[screenshot: fqdn1.png]

Two separate external sources: .199 and .66. Look at the Access Rule number. One source goes through rule 5 and the other through rule 4.

And here are logs which show that the FQDNs are matching perfectly. The Firewall blade sees every FQDN:

[screenshots: fqdn2.png, fqdn3.png]

Now you see that the Firewall Blade saw every FQDN (test123 and asdasd) perfectly even though they were pointed to the same IP .30.

That is my problem. Firewall Blade forgot how to do it)

By your logic, the logs must show only one FQDN, and access only via one rule. That is what is happening now. But back then... So I think we have to remind the Firewall how to do it.

the_rock
Legend

I read all your responses and they all seem 100% logical to me. Let us know what TAC says.

Andy

0 Kudos
Wolfgang
Authority

@nemezis_rock I think the different log entries are a result of the name resolution in SmartDashboard and/or the log server.

But again, if both FQDNs point to the same IP address, I'm pretty sure you can't achieve what you want this way.

0 Kudos
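Wolfgang's point in his two replies above (a domain-object rule is matched on the DNS-resolved IP, so two FQDNs that resolve to the same gateway address cannot be told apart by the Access Policy) can be made concrete with a small model. The following Python is an added example written for this thread; it is not Check Point code and does not reproduce how the gateway is implemented. The DNS table, the source addresses and the rule base are constructed to mirror the thread's setup, and the "hostname-aware" matcher at the end is a hypothetical contrast showing what the original poster expected, which only a layer that sees the HTTP Host header or TLS SNI (such as the reverse proxy itself) could actually enforce.

```python
"""
Model of an access rule base whose destinations are FQDN domain objects,
matched the way the thread describes: on the DNS-resolved IP, not the name.
Constructed example for this discussion; not Check Point code.
"""

# Constructed DNS answers. Both virtual hosts sit behind the same external
# address, which is unavoidable when one reverse proxy serves both.
DNS = {
    "test1.domain.example": ["203.0.113.30"],
    "test2.domain.example": ["203.0.113.30"],
    "other.domain.example": ["203.0.113.40"],
}

# Constructed rule base mirroring AccRule1 / AccRule2 / cleanup from the thread.
# A leading dot on a domain object is kept as in the thread and ignored here.
RULES = [
    {"name": "AccRule1", "src": "198.51.100.199", "dst_fqdn": ".test1.domain.example", "service": 443, "action": "accept"},
    {"name": "AccRule2", "src": "198.51.100.66",  "dst_fqdn": ".test2.domain.example", "service": 443, "action": "accept"},
    {"name": "Cleanup",  "src": "any",            "dst_fqdn": "any",                   "service": "any", "action": "drop"},
]


def resolve(fqdn):
    """Assumed resolver: returns the constructed A records for a name."""
    return set(DNS.get(fqdn.lstrip("."), []))


def compile_rules(rules):
    """Expand every FQDN domain object into the IPs it resolves to.

    This is the step that loses the hostname: once compiled, a rule only
    knows a set of IPs, and two names sharing an IP become indistinguishable.
    """
    compiled = []
    for r in rules:
        ips = None if r["dst_fqdn"] == "any" else resolve(r["dst_fqdn"])
        compiled.append({**r, "dst_ips": ips})
    return compiled


def match_on_ip(compiled, src, dst_ip, dport):
    """First-match lookup on what a packet actually carries: src, dst IP, port."""
    for r in compiled:
        if r["src"] not in ("any", src):
            continue
        if r["dst_ips"] is not None and dst_ip not in r["dst_ips"]:
            continue
        if r["service"] not in ("any", dport):
            continue
        return r["name"], r["action"]
    return None


def simulate(requested_fqdn, src):
    """Client resolves the name it wants and connects to that IP on 443.

    Returns (rule name, action) chosen by IP-based matching.
    """
    dst_ip = sorted(resolve(requested_fqdn))[0]
    return match_on_ip(compile_rules(RULES), src, dst_ip, 443)


def match_on_hostname(rules, src, requested_fqdn, dport):
    """Hypothetical contrast: what the poster expected the rule base to do.

    Matching on the requested name itself is only possible at a layer that
    sees the HTTP Host header or TLS SNI, e.g. the reverse proxy, not on a
    plain 5-tuple. Shown here to make the difference visible.
    """
    for r in rules:
        if r["src"] not in ("any", src):
            continue
        if r["dst_fqdn"] != "any" and r["dst_fqdn"].lstrip(".") != requested_fqdn:
            continue
        if r["service"] not in ("any", dport):
            continue
        return r["name"], r["action"]
    return None


if __name__ == "__main__":
    # ExternalIP1 asking for test2: IP matching lands in AccRule1, as in the thread.
    print(simulate("test2.domain.example", "198.51.100.199"))
    # The same request judged on hostname would fall through to the cleanup rule.
    print(match_on_hostname(RULES, "198.51.100.199", "test2.domain.example", 443))
```

Running the model, the request from the .199 source for test2.domain.example is accepted by AccRule1 because test1 and test2 compile to the same IP set, while the hostname-aware matcher drops it; a name that resolves elsewhere (other.domain.example) still hits the cleanup rule in both models. The practical consequence for a defender is that per-source restrictions on virtual hosts sharing one address have to live where the hostname is visible, not in an IP-level rule base.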
