This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2022-04-07 06:53 AM

Domain based objects - what is the solution

Hi All

We are getting more and more requests for adding firewalls rules in that go to domains that use cdn's or go to multiple different ip's etc.

This is causing us a real pain.

What can we do about this? can we use dns based objects? I know this used to cause issues a long time ago, has Checkpoint now got a better solution for this?

how should I solve it?

many thanks

0 Kudos
7 Replies
AaronCP
Collaborator
‎2022-04-07 12:24 PM

Hi @carl_t,

 

Are you already using Domain Objects (SK120633 ) in your rulebase? We are running R80.40 gateway & management with FQDN & non-FQDN domain objects in our rulebase and they work great.

 

Regardless of whether the domain resolves to one IP or multiple IPs, the gateway will allow the connection based on the IP of the DNS lookup from the domain objects.

Wolfgang
Mentor
Mentor
‎2022-04-07 12:52 PM

@carl_t Domain Objects are a really nice solution. But from my experience, never use none FQDN objects that‘s a real performance killer especially if you’re gateways are under attack. To check if a packet matches a rule with none FQDN object a reverse DNS request will be need. These slow down everything. I‘m surprised @AaronCP is happy with such a configuration.

There are a lot of additional objects to be used as dynamic sources or destinations. Have a look at @Kaspars_Zibarts nice presentation from CPX 360 Check Point “dynamic” Object Types & Typical Use Cases 

AaronCP
Collaborator
‎2022-04-07 02:10 PM
In response to Wolfgang

Hi @Wolfgang,

 

We have very few non-FQDN domain objects in our firewall, but you're right, having a lot of them would impact performance.

 

Thanks for the dynamic objects info - very useful!

the_rock
Champion
Champion
‎2022-04-07 02:29 PM
In response to AaronCP

From my experience, anything up to 200 is ok...more than that, could be a problem.

AaronCP
Collaborator
‎2022-04-07 02:33 PM
In response to the_rock

Thanks for the tip 🙂.

 

Is that non-FQDN you're referring to?

the_rock
Champion
Champion
‎2022-04-07 02:48 PM
In response to AaronCP

For you, no charge :). And yes, thats what I was referring to!

 

Andy

0 Kudos
the_rock
Champion
Champion
‎2022-04-07 01:03 PM

I agree with the guys. The sk @AaronCP provided you is really good reference. I also use those for another customer and they never had a problem.