Checkpoint Domain Object - 91Sec

Latest

91Sec

Learning, Sharing, Creating

Monday, November 21, 2011

Checkpoint Domain Object

Was thinking to use Domain Object as a source in our firewall rule. After consulted with checkpoint support, it seems impossible if your domain object represented multiple ip addresses.

SK42128

Symptoms

    Rules containing a Domain object will only resolve to one of the associated IP addresses, causing request for a site not to return a web page. 

Cause

A Domain object resolves a domain name by the first IP Address that appears when running the nslookup command.

Solution

Use domain objects for domains that, when the nslookup command is used, resolve only to one IP address.
It can not be used with domain names that are resolved to multiple IP addresses.

-----------------------------

Also SK41632 explained a little bit how Domain object works includes following best practice rules:

"Rules of thumb: 

  • Avoid using domain objects, if you can.

  • Place them as deep in the rulebase, as you can, to maximize the chance that a given packet will hit a rule that uses a network object, before falling to the domain object.

  • Construct rules above the domain object, in such a way, as to catch as much traffic, as you can, before falling through to the domain object."

The most important one is put domain object as deep as you can to reduce latency caused by reverse name resolution.


Read more

Subscribe via email

Author Image

About Netsec
Netsec - Learning, Sharing, Creating!

By -
Tags:

5 comments:

  1. AnonymousFebruary 1, 2014 at 6:08 AM

    Hey I know this is off topic but I was wondering if you knew of any widgets I could add to my blog that automatically tweet my newest
    twitter updates. I've been looking for a plug-in like this
    for quite some time and was hoping maybe you would have some experience with something like this.

    Please let me know if you run into anything.
    I truly enjoy reading your blog and I look forward
    to your new updates.

    Feel free to visit my homepage ... massage supplies

    ReplyDelete
  2. AnonymousFebruary 1, 2014 at 8:03 AM

    Howdy would you mind letting me know which web host you're using?
    I've loaded your blog in 3 completely different web
    browsers and I must say this blog loads a lot quicker then most.

    Can you recommend a good internet hosting provider at a reasonable
    price? Thanks a lot, I appreciate it!

    Here is my homepage: massage asmr

    ReplyDelete
  3. AnonymousFebruary 2, 2014 at 3:38 AM

    Every weekend i used to pay a visit this web site, as i want
    enjoyment, as this this website conations really nice funny information too.


    Here is my web site: relaxing massage for cats; ,

    ReplyDelete
  4. AnonymousFebruary 2, 2014 at 12:25 PM

    This is a topic that's near to my heart... Cheers!
    Exactly where are your contact details though?

    Feel free to visit my web site; laser hair removal experience

    ReplyDelete
  5. AnonymousFebruary 3, 2014 at 5:23 AM

    What's up to every body, it's my first pay a quick visit of this blog; this web site includes awesome
    and really fine stuff in favor of readers.

    Look at my web blog - Relaxing Massage Joondalup

    ReplyDelete

Subscribe to: Post Comments (Atom)

Banner

BANNER 728X90