carl_t
Contributor

Domain based objects - what is the solution

Hi All

We are getting more and more requests for adding firewall rules that go to domains that use CDNs or go to multiple different IPs, etc.

This is causing us a real pain.

What can we do about this? Can we use DNS-based objects? I know this used to cause issues a long time ago; has Check Point now got a better solution for this?

How should I solve it?

Many thanks

AaronCP
Collaborator

Hi @carl_t,

Are you already using Domain Objects (SK120633) in your rulebase? We are running R80.40 gateway & management with FQDN & non-FQDN domain objects in our rulebase and they work great.

Regardless of whether the domain resolves to one IP or multiple IPs, the gateway will allow the connection based on the IP of the DNS lookup from the domain objects.

Wolfgang
Mentor

@carl_t Domain Objects are a really nice solution. But from my experience, never use non-FQDN objects; that's a real performance killer, especially if your gateways are under attack. To check if a packet matches a rule with a non-FQDN object, a reverse DNS request will be needed. These slow down everything. I'm surprised @AaronCP is happy with such a configuration.

There are a lot of additional objects that can be used as dynamic sources or destinations. Have a look at @Kaspars_Zibarts's nice presentation from CPX 360: Check Point "dynamic" Object Types & Typical Use Cases.
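The matching difference described above, as an added illustration that is not Check Point's code or from any poster: an FQDN object resolves its name forward and matches destinations against the resulting IP set, while a non-FQDN (suffix) object has to reverse-resolve each new destination IP before it can decide. The DNS zone data, names and addresses below are constructed for the example.

```python
# Added model, not Check Point's implementation. Forward and reverse zones
# are constructed sample data; real gateways query live resolvers.
FORWARD = {
    # CDN-style name with several A records; 198.51.100.5 has no PTR record.
    "updates.example.com": ["203.0.113.10", "203.0.113.11", "198.51.100.5"],
}
REVERSE = {
    "203.0.113.10": "edge1.cdn.example.net",  # CDN edge, PTR not under example.com
    "203.0.113.11": "updates.example.com",
    "192.0.2.7": "mail.example.com",
}


class FqdnObject:
    """Forward-resolves the name up front; packet matching is a set lookup."""

    def __init__(self, name):
        self.ips = set(FORWARD.get(name, []))
        self.lookups = 0  # DNS queries issued while matching packets: none

    def matches(self, dst_ip):
        return dst_ip in self.ips


class NonFqdnObject:
    """Suffix match on the PTR name of each destination IP seen."""

    def __init__(self, suffix):
        self.suffix = suffix.lstrip(".")
        self.cache = {}
        self.lookups = 0  # grows with every distinct destination IP

    def matches(self, dst_ip):
        if dst_ip not in self.cache:
            self.lookups += 1  # reverse lookup needed before the rule can match
            ptr = REVERSE.get(dst_ip)
            self.cache[dst_ip] = bool(ptr) and (
                ptr == self.suffix or ptr.endswith("." + self.suffix)
            )
        return self.cache[dst_ip]


def evaluate(obj, packets):
    """Return (match result per packet, number of DNS lookups triggered)."""
    return [obj.matches(ip) for ip in packets], obj.lookups
```

Note that the CDN address 198.51.100.5 is reached by the FQDN object but missed by the suffix object, and that every unseen destination costs the suffix object a lookup, which is why a flood of random destinations hurts.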

AaronCP
Collaborator

Hi @Wolfgang,

We have very few non-FQDN domain objects in our firewall, but you're right: having a lot of them would impact performance.

Thanks for the dynamic objects info, very useful!

the_rock
Champion

From my experience, anything up to 200 is OK; more than that could be a problem.

AaronCP
Collaborator

Thanks for the tip 🙂.

Is that non-FQDN you're referring to?

the_rock
Champion

For you, no charge :). And yes, that's what I was referring to!

Andy

the_rock
Champion

I agree with the guys. The SK @AaronCP provided you with is a really good reference. I also use those for another customer and they never had a problem.