CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello group. I've a subnet which I want to restrict access to a number of specific sites (Windows, virus updates) and block everything else. After doing some reading, the best way I've discovered is via a URI file, but the problem with this is that it isn't dynamic enough, i.e. Windows updates can use a whole host of different servers and the file seems to be only interested in IPs, which of course can change. I was hoping somebody can point in the direction of a more dynamic solution, one which may involve *.microsoft.com. Thanks
| |||
I used a URI file for a very short time for blocking some sites that management had deemed a breach of the AUP here. Two things became readily apparent: 1) The URI file solution is very inflexible, both from a scalability and management standpoint 2) Using domains, while they should be quite permissible, does present a performance bottleneck. This came to the point where I was getting false positives, and normal browsing became a chore. My experience is rather limited with Check Point, but I've been considering using Websense or similar here. Whether or not management agrees is another story entirely. As a workaround we've got logging enabled for HTTP and HTTPS and a cross-reference file which gives us username vs hostname on the inside. That way with Tracker we can filter by a period of time (say a week) and find anything people should or shouldn't be doing. HTH
| |||
I'll agree - the URL filtering part of Check Point is pretty limited. In all fairness though - it's a firewall, not a content filtering application. If you want complex content filtering, buy something dedicated!
| |||
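The logging workaround from the second reply, combined with the `*.microsoft.com` style of matching asked about in the first post, sketched as an added example that is not part of the original thread and is not Check Point functionality. The CSV layout, host names, user names and allowlist entries are constructed assumptions, not a real log export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data; column names and values are assumptions,
# not a real Check Point log export format.
LOG_CSV = """time,src_host,dst_host,service
2024-03-04T09:12:00,pc-014,download.microsoft.com,http
2024-03-04T09:15:30,pc-014,microsoft.com.files.example,http
2024-03-05T14:02:10,pc-022,updates.av-vendor.example,https
2024-03-06T11:45:00,pc-022,video.streaming.example,https
2024-02-20T08:00:00,pc-014,old.site.example,http
"""
HOST_TO_USER = {"pc-014": "asmith", "pc-022": "bjones"}  # cross-reference file
ALLOWED = ["*.microsoft.com", "updates.av-vendor.example"]


def host_allowed(host, patterns):
    """Match on whole DNS labels so look-alike names do not pass."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            base = pat[2:]
            # Design choice: "*.example.com" also covers the bare domain.
            if host == base or host.endswith("." + base):
                return True
        elif host == pat:
            return True
    return False


def violations(log_text, host_to_user, patterns, end, days=7):
    """Return (time, user, dst_host) for non-allowed hosts in the window."""
    start = end - timedelta(days=days)
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        if not (start <= when <= end):
            continue
        if not host_allowed(row["dst_host"], patterns):
            user = host_to_user.get(row["src_host"], "unknown")
            hits.append((row["time"], user, row["dst_host"]))
    return hits


if __name__ == "__main__":
    for hit in violations(LOG_CSV, HOST_TO_USER, ALLOWED, datetime(2024, 3, 7)):
        print(*hit)
```

Matching on label boundaries is what keeps a name such as `microsoft.com.files.example` from passing as a Microsoft host, which a plain substring check would allow.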