Stumbled on sk162577 lately, about non-FQDN Domain objects causing a "decrease the performance of the Security Gateway significantly" ... this sent me on my quest to eliminate non-FQDN Domain Objects in my rulebase...
To get rid of non-FQDN Domain Objects I used "Updatable Objects" like:
- Check Point Services
- Microsoft Updates - HTTPS bypass
But today I found sk90401, which gives me the command:
fw ctl multik print_bl dns_reverse_unmatched_cache
The dns_reverse_unmatched_cache table keeps the IP addresses that are not matched to any of the domain objects in the policy (the table is filled only if you have at least one non-FQDN object in the policy).
...so according to this I use non-FQDN Domain objects...
So after a bit of research I found this nice command to list the contents of an "Updatable Object" in another SK, sk161632:
domains_tool -uo "Microsoft Updates - HTTPS bypass"
And this gives the following output:
Domains name list for 'Microsoft Updates - HTTPS bypass':
[1] tsfe.trafficshaping.dsp.mp.microsoft.com
[2] *.delivery.mp.microsoft.com
[3] *.vortex-win.data.microsoft.com
[4] login.live.com
[5] settings-win.data.microsoft.com
[6] sls.update.microsoft.com
[7] update.microsoft.com
[8] *.update.microsoft.com
...even "Check Point Services" has *.maas.checkpoint.com in it!!!
So to sum it up:
DO NOT USE "Updatable Objects" because they will "decrease the performance of the Security Gateway significantly" (according to sk162577).
@Checkpoint: why do you use non-FQDN in "Updatable Objects"???!!
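As an added example (my own helper, not from the post above and not a Check Point tool): a small POSIX shell script that parses the output format of domains_tool -uo shown in the post and lists the wildcard (non-FQDN) entries, so every Updatable Object referenced in a rulebase can be checked the same way instead of reading the lists by eye. It assumes the output is exactly the "Domains name list for '<object>':" header followed by "[n] <domain>" lines, as quoted above; the sample input is constructed from that quoted output, and the loop over object names in the comment is an assumed usage on the gateway.

```shell
#!/bin/sh
# Added example, not from the post or from Check Point: flag the non-FQDN
# (wildcard "*.") entries in the "Domains name list" that domains_tool -uo
# prints. The input format is assumed to be exactly what the post shows:
#   Domains name list for '<object>':
#   [n] <domain>

# Constructed sample input, copied in shape from the output quoted in the post.
SAMPLE="Domains name list for 'Microsoft Updates - HTTPS bypass':
[1] tsfe.trafficshaping.dsp.mp.microsoft.com
[2] *.delivery.mp.microsoft.com
[3] *.vortex-win.data.microsoft.com
[4] login.live.com
[5] settings-win.data.microsoft.com
[6] sls.update.microsoft.com
[7] update.microsoft.com
[8] *.update.microsoft.com"

# Read domains_tool output on stdin; print only the wildcard (non-FQDN)
# domains, one per line, with the "[n] " prefix stripped.
non_fqdn_domains() {
    sed -n 's/^\[[0-9][0-9]*\] \(\*\..*\)$/\1/p'
}

# Read domains_tool output on stdin; print the number of wildcard entries.
count_non_fqdn() {
    non_fqdn_domains | wc -l | tr -d ' '
}

# Read domains_tool output on stdin; print "<object>: <count> non-FQDN entries"
# followed by the offending domains (indented). Exit status is 1 if any were
# found, so the function can drive a loop over several objects.
report_non_fqdn() {
    input=$(cat)
    object=$(printf '%s\n' "$input" | sed -n "1s/^Domains name list for '\(.*\)':\$/\1/p")
    hits=$(printf '%s\n' "$input" | non_fqdn_domains)
    n=$(printf '%s\n' "$input" | count_non_fqdn)
    printf '%s: %s non-FQDN entries\n' "${object:-unknown object}" "$n"
    # Quoted, so the "*." entries are never glob-expanded by the shell.
    [ -n "$hits" ] && printf '%s\n' "$hits" | sed 's/^/  /'
    [ "$n" -eq 0 ]
}

# On a gateway, run the real tool instead of the sample (domains_tool is the
# Check Point CLI named in the post; the object names are an assumed example,
# use whatever your rulebase references):
#   for obj in "Check Point Services" "Microsoft Updates - HTTPS bypass"; do
#       domains_tool -uo "$obj" | report_non_fqdn
#   done

# Demo on the constructed sample; "|| true" because a non-zero status just
# means wildcard entries were found.
printf '%s\n' "$SAMPLE" | report_non_fqdn || true
```

Running the demo prints "Microsoft Updates - HTTPS bypass: 3 non-FQDN entries" and then the three *.-entries, which is exactly the part of the list that sk162577's warning is about; the counting and reporting are split into functions so the same parser can be reused from cron or a policy check script.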