mrkcmo
Explorer

FQDN vs Custom Application: Resource Usage

Quick question(s) for those experts out here on the forum!

I have a question regarding resource usage on the security gateways when using different constructs in firewall rules. Here is my scenario and my questions related to it.

First question:

If I have a firewall rule that is matching on FQDN (via DNS lookup) and want to move it from FQDN to a regex-based FQDN match, I believe that requires me to make the rule a custom application rule to use the regex matching on the URI in the header. Is this a correct statement, or is there a way to use regex on an FQDN rule without using a custom application?

Second question:

What would be the expected impact to CPU/Memory in using FQDN vs Custom Application if there is any?

Third question:

I assume when using an FQDN rule match that the header is being read in full. Does the HTTP/HTTPS inspection for the Custom Application just read the header as well, or is it more in-depth, assuming it can read the encrypted payload?


Thanks for the expertise and time in answering these questions!

PhoneBoy
Admin

You have it right regarding Custom Applications versus FQDN Domain Objects.
Some discussion on this from a while back: https://community.checkpoint.com/t5/General-Topics/The-difference-between-checkpoint-creation-domain...

If you're not already running one of the Threat Prevention Blades or App Control/URLF, then there will be a performance hit enabling App Control and/or URLF to implement a Custom Application/Site.
Otherwise, there shouldn't be much of a difference.

Where HTTPS Inspection comes into play is for the Custom Application/Site...to parse the Host: header or the URL.
mrkcmo
Explorer

Thanks for the reply! That helps me understand the technology and process behind the two methods. By chance, is there a published flowchart of the decision tree for these two types of rules? I.e., one that details the flow of the packet and the decision tree for the different processes within each flow?
mrkcmo
Explorer

I found this one after some light searching...it's from 2018 but I am guessing it might still be relevant.

https://community.checkpoint.com/t5/General-Topics/R81-x-Security-Gateway-Architecture-Logical-Packe...

PhoneBoy
Admin

It's definitely still relevant and Heiko is updating it periodically.

Bob_Zimmerman
Advisor

1. If you're using regular expressions, you no longer have a fully-qualified domain name, do you? 😉
2. Not sure about CPU/memory impact, but for custom application/site objects, the connection is generally allowed until the TLS certificate exchange or the HTTP GET. Bear in mind some traffic would be allowed before the firewall can figure out what site it is the client is trying to reach.
3. FQDN objects resolve their names to IP addresses, which are then stored in a small database table. When rule processing hits a rule with an FQDN in it, the table is consulted, rather like how dynamic objects work. They don't need to look at anything in the TLS negotiation or HTTP header.
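To make points 2 and 3 above concrete, here is an added Python sketch (not Check Point code and not part of this thread) that simulates both match types over a constructed stream of connection events: `FQDN_TABLE`, the event dicts and both functions are illustrative assumptions, not the gateway's real data structures.

```python
import re

# Constructed resolution table standing in for the gateway's FQDN-object table
# (name -> IPs it resolved). Hand-built here; the real table is filled by DNS.
FQDN_TABLE = {"www.example.com": {"203.0.113.10", "203.0.113.11"}}

# Constructed connection event streams: a SYN, then the first payload the
# gateway can read (TLS ClientHello with SNI, or a plain HTTP request).
HTTPS_CONN = [
    {"type": "syn", "dst": "203.0.113.10"},
    {"type": "client_hello", "sni": "cdn.example.com"},
]
HTTP_CONN = [
    {"type": "syn", "dst": "198.51.100.5"},
    {"type": "http_request", "host": "files.example.com", "path": "/report"},
]
ABORTED_CONN = [{"type": "syn", "dst": "198.51.100.5"}]  # reset before any hostname


def fqdn_rule_decision(events, fqdn):
    """FQDN object: compare the destination IP of the first packet against the
    resolved-address table. Returns (matched, index of the event that decided)."""
    allowed = FQDN_TABLE.get(fqdn, set())
    for idx, ev in enumerate(events):
        if ev["type"] == "syn":
            return (ev["dst"] in allowed, idx)
    return (False, None)


def custom_site_decision(events, pattern):
    """Custom site/application object: the regex needs a hostname, which only
    appears in the SNI or Host header, so earlier events pass undecided.
    Returns (matched, index) or (None, None) if no hostname was ever seen."""
    rx = re.compile(pattern)
    for idx, ev in enumerate(events):
        host = ev.get("sni") if ev["type"] == "client_hello" else ev.get("host")
        if host is not None:
            return (bool(rx.fullmatch(host)), idx)
    return (None, None)


if __name__ == "__main__":
    # The FQDN rule decides at the SYN purely on IP: it matches even though the
    # SNI names a different host on a shared address (IP-level over-matching).
    print(fqdn_rule_decision(HTTPS_CONN, "www.example.com"))       # (True, 0)
    print(custom_site_decision(HTTPS_CONN, r".*\.example\.com"))   # (True, 1)
    print(custom_site_decision(HTTP_CONN, r".*\.example\.com"))    # (True, 1)
    print(custom_site_decision(ABORTED_CONN, r".*\.example\.com")) # (None, None)
```

The index returned by each function is the point at which the rule could decide: the FQDN object answers on the SYN, while the custom site object has already let the handshake through before it sees a hostname, which is the "some traffic would be allowed" caveat.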