carl_t
Contributor

Domain based objects - what is the solution

Hi All

We are getting more and more requests to add firewall rules that go to domains that use CDNs or resolve to multiple different IPs, etc.

This is causing us a real pain.

What can we do about this? Can we use DNS-based objects? I know this used to cause issues a long time ago; has Check Point now got a better solution for this?

How should I solve it?

Many thanks

0 Kudos
7 Replies
AaronCP
Advisor

Hi @carl_t,
Are you already using Domain Objects (SK120633) in your rulebase? We are running R80.40 gateway & management with FQDN & non-FQDN domain objects in our rulebase and they work great.
Regardless of whether the domain resolves to one IP or multiple IPs, the gateway will allow the connection based on the IP of the DNS lookup from the domain objects.

Wolfgang
MVP Gold

@carl_t Domain Objects are a really nice solution. But from my experience, never use non-FQDN objects; that's a real performance killer, especially if your gateways are under attack. To check if a packet matches a rule with a non-FQDN object, a reverse DNS request will be needed. These slow down everything. I'm surprised @AaronCP is happy with such a configuration.

There are a lot of additional objects to be used as dynamic sources or destinations. Have a look at @Kaspars_Zibarts' nice presentation from CPX 360, Check Point “dynamic” Object Types & Typical Use Cases.
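
To make the performance point above concrete, here is an added example (not from the thread, and not Check Point's implementation) that models the two matching strategies with a constructed DNS table: an FQDN object is resolved once (per TTL) and packets are compared against the resulting IP set, while a non-FQDN object such as `.example.com` has to reverse-resolve every new destination IP before it can decide. The hostnames, IPs and record tables are all made up, and the caching and suffix-matching logic are assumptions for the model.

```python
"""Simplified model of how FQDN and non-FQDN domain objects are matched.

Constructed example: the DNS tables below are made up, and the matching
logic is a teaching model, not Check Point's implementation.
"""
from dataclasses import dataclass, field

# Constructed forward (A) and reverse (PTR) records, using documentation ranges.
FORWARD_RECORDS = {
    "cdn.example.com": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
    "api.example.com": {"198.51.100.5"},
}
REVERSE_RECORDS = {
    "203.0.113.10": "edge10.cdn.example.com",
    "203.0.113.11": "edge11.cdn.example.com",
    "203.0.113.12": "edge12.cdn.example.com",
    "198.51.100.5": "api.example.com",
    # 192.0.2.77 deliberately has no PTR record
}


@dataclass
class DnsStats:
    """Counts the DNS work each object type causes."""
    forward_queries: int = 0
    reverse_queries: int = 0


def lookup_a(name: str, stats: DnsStats) -> set:
    """Forward lookup against the constructed table (stands in for a real A query)."""
    stats.forward_queries += 1
    return set(FORWARD_RECORDS.get(name, ()))


def lookup_ptr(ip: str, stats: DnsStats):
    """Reverse lookup against the constructed table; None means no PTR record."""
    stats.reverse_queries += 1
    return REVERSE_RECORDS.get(ip)


@dataclass
class FqdnObject:
    """FQDN object: resolved ahead of time, packets are matched against the IP set."""
    name: str
    ips: set = field(default_factory=set)

    def refresh(self, stats: DnsStats) -> None:
        # Done once when the record's TTL expires, not once per packet.
        self.ips = lookup_a(self.name, stats)

    def matches(self, dst_ip: str, stats: DnsStats) -> bool:
        return dst_ip in self.ips          # no DNS traffic on the data path


@dataclass
class NonFqdnObject:
    """Non-FQDN object (e.g. '.example.com'): each new destination IP needs a PTR lookup."""
    suffix: str
    ptr_cache: dict = field(default_factory=dict)   # assumed per-IP cache

    def matches(self, dst_ip: str, stats: DnsStats) -> bool:
        if dst_ip not in self.ptr_cache:
            self.ptr_cache[dst_ip] = lookup_ptr(dst_ip, stats)
        host = self.ptr_cache[dst_ip]
        if host is None:
            return False                   # no PTR record: the domain cannot be proven
        bare = self.suffix.lstrip(".")
        return host == bare or host.endswith(self.suffix)


def evaluate(obj, flows, stats: DnsStats) -> list:
    """Run a list of destination IPs (constructed flows) through one object."""
    return [obj.matches(ip, stats) for ip in flows]


if __name__ == "__main__":
    flows = ["203.0.113.10", "203.0.113.11", "198.51.100.5", "192.0.2.77", "203.0.113.10"]
    s1 = DnsStats()
    fqdn = FqdnObject("cdn.example.com")
    fqdn.refresh(s1)
    print("FQDN    ", evaluate(fqdn, flows, s1), s1)
    s2 = DnsStats()
    print("non-FQDN", evaluate(NonFqdnObject(".example.com"), flows, s2), s2)
```

Run stand-alone, the FQDN object answers all five flows with a single forward query, while the non-FQDN object issues one reverse query per distinct destination IP (four here), and that is the cost that grows with every unseen address the gateway sees, which is exactly the scenario under attack described above.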

AaronCP
Advisor

Hi @Wolfgang,
We have very few non-FQDN domain objects in our firewall, but you're right, having a lot of them would impact performance.
Thanks for the dynamic objects info, very useful!

the_rock
MVP Gold

From my experience, anything up to 200 is OK... more than that could be a problem.

Best,
Andy
AaronCP
Advisor

Thanks for the tip 🙂.
Is that non-FQDN you're referring to?

the_rock
MVP Gold

For you, no charge :). And yes, that's what I was referring to!
Best,
Andy
0 Kudos
the_rock
MVP Gold

I agree with the guys. The SK @AaronCP provided you is a really good reference. I also use those for another customer and they never had a problem.

Best,
Andy
