Hi All
We are getting more and more requests for adding firewall rules that go to domains that use CDNs or resolve to multiple different IPs, etc.
This is causing us a real pain.
What can we do about this? Can we use DNS-based objects? I know this used to cause issues a long time ago; has Check Point now got a better solution for this?
How should I solve it?
Many thanks
Hi @carl_t,
Are you already using Domain Objects (SK120633) in your rulebase? We are running R80.40 gateway & management with FQDN & non-FQDN domain objects in our rulebase, and they work great.
Regardless of whether the domain resolves to one IP or multiple IPs, the gateway will allow the connection based on the IPs returned by the DNS lookup for the domain objects.
@carl_t Domain Objects are a really nice solution. But from my experience, never use non-FQDN objects; that's a real performance killer, especially if your gateways are under attack. To check if a packet matches a rule with a non-FQDN object, a reverse DNS request will be needed. These slow down everything. I'm surprised @AaronCP is happy with such a configuration.
There are a lot of additional objects to be used as dynamic sources or destinations. Have a look at @Kaspars_Zibarts' nice presentation from CPX 360: Check Point "dynamic" Object Types & Typical Use Cases.
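The difference between the two object types that the reply above describes can be seen in a small offline model. The code below is an added example written for this thread, not Check Point's implementation and not from any poster: an FQDN object is resolved ahead of time (forward lookup, refreshed on TTL) so the per-packet check is a set lookup, while a non-FQDN (suffix) object has to reverse-resolve each new destination IP before the rule can be evaluated. The `Resolver` class, the zone data (RFC 5737 documentation addresses) and the packet list are all constructed stand-ins; the query counters show where the DNS cost lands.

```python
"""Toy model of FQDN vs non-FQDN domain-object matching (constructed example)."""


# Constructed DNS data standing in for real resolver answers.
FORWARD = {
    "cdn.example.com": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
    "api.example.com": {"198.51.100.5"},
}
REVERSE = {
    "203.0.113.10": "edge1.cdn.example.com",
    "203.0.113.11": "edge2.cdn.example.com",
    "203.0.113.12": "edge3.cdn.example.com",
    "198.51.100.5": "api.example.com",
    "192.0.2.77": "mail.other.net",
}


class Resolver:
    """Offline stand-in for a DNS resolver that counts how often it is asked."""

    def __init__(self, forward, reverse):
        self.forward = forward
        self.reverse = reverse
        self.forward_queries = 0
        self.reverse_queries = 0

    def lookup_a(self, name):
        self.forward_queries += 1
        return set(self.forward.get(name, ()))

    def lookup_ptr(self, ip):
        self.reverse_queries += 1
        return self.reverse.get(ip)


class FqdnDomainObject:
    """Matches destinations whose IP the name currently resolves to.

    Resolution happens ahead of time (refreshed when the record's TTL expires),
    so the per-packet check is a set membership test with no DNS traffic.
    """

    def __init__(self, name):
        self.name = name
        self.ips = set()

    def refresh(self, resolver):
        self.ips = resolver.lookup_a(self.name)

    def matches(self, dst_ip, resolver):
        return dst_ip in self.ips


class NonFqdnDomainObject:
    """Matches any host under a domain suffix such as '.example.com'.

    Membership cannot be precomputed, so each new destination IP needs a PTR
    (reverse) lookup. A per-IP cache avoids repeats, but every distinct IP
    still costs one query before the rule can be decided.
    """

    def __init__(self, suffix):
        self.suffix = suffix.lower()
        self.cache = {}

    def matches(self, dst_ip, resolver):
        if dst_ip not in self.cache:
            self.cache[dst_ip] = resolver.lookup_ptr(dst_ip)
        ptr = self.cache[dst_ip]
        if ptr is None:  # no PTR record: cannot prove membership, so no match
            return False
        ptr = ptr.lower().rstrip(".")
        return ptr == self.suffix.lstrip(".") or ptr.endswith(self.suffix)


def evaluate(obj, dst_ips, resolver):
    """Run destination IPs through one object; report matches and DNS cost."""
    before_f, before_r = resolver.forward_queries, resolver.reverse_queries
    if isinstance(obj, FqdnDomainObject):
        obj.refresh(resolver)  # the TTL-driven refresh, done once up front
    matched = [ip for ip in dst_ips if obj.matches(ip, resolver)]
    return {
        "matched": matched,
        "forward_queries": resolver.forward_queries - before_f,
        "reverse_queries": resolver.reverse_queries - before_r,
    }


# Constructed stream of destination IPs seen by the gateway.
PACKETS = ["203.0.113.10", "203.0.113.11", "198.51.100.5",
           "192.0.2.77", "203.0.113.12", "203.0.113.10"]


def compare():
    """Evaluate the same packet stream against both object types."""
    resolver = Resolver(FORWARD, REVERSE)
    fqdn = evaluate(FqdnDomainObject("cdn.example.com"), PACKETS, resolver)
    non_fqdn = evaluate(NonFqdnDomainObject(".example.com"), PACKETS, resolver)
    return fqdn, non_fqdn


if __name__ == "__main__":
    fqdn_result, non_fqdn_result = compare()
    print("FQDN object    :", fqdn_result)
    print("non-FQDN object:", non_fqdn_result)
```

With this stream the FQDN object costs one forward query for six packets, while the suffix object costs one reverse query per distinct destination IP (five here). The reverse query count scales with the number of distinct IPs the gateway sees, which is exactly what grows during a scan or flood, so the cache does not remove the concern raised above.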
Hi @Wolfgang,
We have very few non-FQDN domain objects in our firewall, but you're right, having a lot of them would impact performance.
Thanks for the dynamic objects info - very useful!
From my experience, anything up to 200 is OK; more than that could be a problem.
Thanks for the tip 🙂.
Is that non-FQDN you're referring to?
For you, no charge :). And yes, that's what I was referring to!
Andy
I agree with the guys. The SK @AaronCP provided you is a really good reference. I also use those for another customer, and they never had a problem.