CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello all,

Today I experienced a strange behaviour with a Checkpoint Edge, used as a LAN firewall to separate a small network; it is administrated via SmartCenter R65 HFA 02. I put a rule "allow all" in it and everything was allowed. Then I began to put some rules above it, and everything still worked as expected.

There are a few roaming users who have to connect into this network, so I created them as a domain object (only FQDN) and not as a host object (IP address) and granted them access. And this was when it became really strange. There are only rules in the ruleset which allow something. If I disable the rule with the domain objects in it, then everything works as expected, but if I enable it absolutely no traffic is allowed and nothing is logged anymore. So the Edge behaves as if there was only one rule: drop everything and do not log it.

If the Edges are incompatible with domain objects, it would be a pity, though I could live with it, but at least I would have wished to get some information when verifying the policy.

Does anybody have an idea how to get domain objects working on Edges, or is it impossible by design?

Thanks in advance
Carsten
Carsten,

Please keep in mind that Edge devices have limited support. I once had an FTP service on a non-standard port 61234 that some developers set up; the data traffic was dropped as the Edge does not support services on other ports than standard. So it does not surprise me if this does not work. I do take it you have DNS properly working on your Edge? You can always state this question on the SofaWare site.

Regards,
Maarten.
P1 R62 IPSO SPLAT IOS
The Edges do not support domain objects. They also don't support authentication or any rules that invoke Security Servers, as well as a bunch of other things. Keep your Edge rulebase simple; don't assume that because it's an NG product that everything that works in the Enterprise product will work.
Hi all,

OK, thanks for the information. So we have to find another solution, but this is no big problem. But what I still do not like is that I got no information from SmartCenter, so it cost me some time to find out why the Edge blocks absolutely everything and stopped logging. It would be nice if Checkpoint could implement some check before deploying such a rule on an Edge; it can't be that difficult.

Thanks guys
Carsten
It's all in the SofaWare documentation. As I said at the CPUG CON 2008 Europe, centralized UTM-1 Edge management is a feature, not a function. Don't blame Check Point. It's the libsw files that don't check for these things, as the Edges simply don't have this function. And the libsw files are written by SofaWare.
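The check Carsten asks for, as an added example that is not part of the thread and not Check Point or SofaWare code: a pre-install lint that walks a rulebase destined for an Edge and flags the constructs the replies above report as unsupported (domain objects, a service on a non-standard port, authentication actions that need a Security Server). The rulebase representation (a list of dicts), the object type names, the STANDARD_PORTS table and the AUTH_ACTIONS set are all assumptions made for this example; the real SmartCenter object database has a different format, and the three checks are only what this thread reports, not an official Edge compatibility list.

```python
"""Pre-install lint for a rulebase that will be pushed to a UTM-1 Edge.

Added example, not Check Point or SofaWare code. The rulebase format is a
constructed, simplified list of dicts, not the real SmartCenter object
database. The checks encode only the limitations reported in the thread
(domain objects, non-standard service ports, authentication actions).
"""
from dataclasses import dataclass

# Object kinds as modelled here (assumption; real objects have many more kinds).
HOST, NETWORK, DOMAIN, ANY = "host", "network", "domain", "any"

# Port the Edge is assumed to expect for a named service. Assumption drawn
# from Maarten's report of FTP on 61234 being dropped; extend as required.
STANDARD_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "dns": 53, "http": 80, "https": 443}

# Actions that invoke a Security Server on an enterprise gateway (assumption).
AUTH_ACTIONS = {"user auth", "client auth", "session auth"}


@dataclass(frozen=True)
class Finding:
    rule_no: int   # 1-based position in the rulebase
    field: str     # which column of the rule triggered the finding
    message: str


def lint_edge_rule(rule_no, rule):
    """Return a list of Finding for one rule; empty if nothing looks unsupported."""
    findings = []
    # Domain (FQDN) objects: the construct that made the Edge drop everything.
    for field in ("source", "destination"):
        for obj in rule.get(field, []):
            if obj.get("type") == DOMAIN:
                findings.append(Finding(rule_no, field,
                    f"domain object '{obj['name']}' is not supported on Edge"))
    # A known service on a port other than its standard one.
    for svc in rule.get("service", []):
        std = STANDARD_PORTS.get(svc.get("protocol"))
        if std is not None and svc.get("port") != std:
            findings.append(Finding(rule_no, "service",
                f"{svc['protocol']} on port {svc.get('port')} (standard {std}) is not supported on Edge"))
    # Authentication actions need a Security Server, which the Edge lacks.
    if rule.get("action", "").lower() in AUTH_ACTIONS:
        findings.append(Finding(rule_no, "action",
            f"action '{rule['action']}' needs a Security Server, which Edge lacks"))
    return findings


def lint_edge_rulebase(rulebase):
    """Lint every enabled rule; disabled rules are not installed, so skip them."""
    findings = []
    for no, rule in enumerate(rulebase, start=1):
        if not rule.get("enabled", True):
            continue
        findings.extend(lint_edge_rule(no, rule))
    return findings


# Constructed sample rulebase mirroring the situations described in the thread.
SAMPLE_RULEBASE = [
    {"source": [{"name": "LAN_net", "type": NETWORK}],
     "destination": [{"name": "any", "type": ANY}],
     "service": [{"protocol": "http", "port": 80}], "action": "accept"},
    # Carsten's roaming-user rule: FQDN objects as source.
    {"source": [{"name": "roaming1.example.com", "type": DOMAIN}],
     "destination": [{"name": "LAN_net", "type": NETWORK}],
     "service": [{"protocol": "any"}], "action": "accept"},
    # Maarten's FTP-on-61234 case.
    {"source": [{"name": "dev_net", "type": NETWORK}],
     "destination": [{"name": "build_srv", "type": HOST}],
     "service": [{"protocol": "ftp", "port": 61234}], "action": "accept"},
    # An authentication rule that is disabled, so it is not installed.
    {"source": [{"name": "any", "type": ANY}],
     "destination": [{"name": "LAN_net", "type": NETWORK}],
     "service": [{"protocol": "http", "port": 80}], "action": "User Auth", "enabled": False},
    # The original "allow all" rule at the bottom.
    {"source": [{"name": "any", "type": ANY}],
     "destination": [{"name": "any", "type": ANY}],
     "service": [{"protocol": "any"}], "action": "accept"},
]

if __name__ == "__main__":
    for f in lint_edge_rulebase(SAMPLE_RULEBASE):
        print(f"rule {f.rule_no} [{f.field}]: {f.message}")
```

Run before the policy install: a non-empty result means the push would produce exactly the symptom in the thread (everything dropped, nothing logged) with no warning from SmartCenter, so the rule should be rewritten with host or network objects, standard ports and no authentication action before it goes to the Edge.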