This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mrkcmo
Explorer
‎2021-10-28 07:30 AM

FQDN vs Custom Application: Resource Usage

Quick question(s) for those experts out here on the forum!

 I have a question regarding resource usage on the security gateways when using different construct on firewall rules. Here is my scenario and my questions related to it.

First question:

If I have a firewall rules that is matching on FQDN ( via DNS lookup) and want to over it from FQDN to a regex based FQDN match I believe that requires me to make the rule an custom application rule to use the regex matching on the URI in the header. Is this a correct statement or is there a way to use regex on an FQDN rule without using a custom application?

Second question:

What would be the expected impact to CPU/Memory in using FQDN vs Custom Application if there is any?

Third question:

I assume when using a FQDN rule match that the header is being read in full. Does the HTTP/HTTPS inspection for the Custom Application just ready the header as well or is it more in-depth assuming it can read the encrypted payload?

 

Thanks for the expertise and time in answering these questions!

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-10-30 04:38 PM

You have it right regarding Custom Applications versus FDQN Domain Objects.
Some discussion on this from a while back: https://community.checkpoint.com/t5/General-Topics/The-difference-between-checkpoint-creation-domain...

If you're not already running one of the Threat Prevention Blades or App Control/URLF, then there will be a performance hit enabling App Control and/or URLF to implement a Custom Application/Site.
Otherwise, shouldn't be much of a difference.

Where HTTPS Inspection comes into play is for the Custom Application/Site...to parse the Host: header or the URL. 

(1)
mrkcmo
Explorer
‎2021-10-31 07:02 AM
In response to PhoneBoy

Thanks for the reply! That helps me understand the technology and process behind the two methods. By chance is there a published flowchart of the decision tree for these two types of rules? IE one that details the flow of the packet and the decision tree for the different processes within each flow?

0 Kudos
mrkcmo
Explorer
‎2021-10-31 07:10 AM
In response to mrkcmo

I found this one after some light searching...it's from 2018 but I am guessing it might still be relevant.

https://community.checkpoint.com/t5/General-Topics/R81-x-Security-Gateway-Architecture-Logical-Packe...

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-31 07:40 PM
In response to mrkcmo

It's definitely still relevant and Heiko is updating it periodically.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-10-31 10:17 AM

  1. If you're using regular expressions, you no longer have a fully-qualified domain name, do you? 😉
  2. Not sure about CPU/memory impact, but for custom application/site objects, the connection is generally allowed until the TLS certificate exchange or the HTTP GET. Bear in mind some traffic would be allowed before the firewall can figure out what site it is the client is trying to reach.
  3. FQDN objects resolve their names to IP addresses, which are then stored in a small database table. When rule processing hits a rule with an FQDN in it, the table is consulted, rather like how dynamic objects work. They don't need to look at anything in the TLS negotiation or HTTP header.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events