CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. Come to CPUG CON 2008 EUROPE in Switzerland on September 8th - 9th!
    Two days full of technical content for Check Point administrators in the beautiful Swiss Alps!
    We've already had our first sign-ups!
2. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 6/9, 7/14, 8/25, 10/6, 11/3, 12/8.
3. We have new forums in Portuguese and German (see below).
4. Corrent S3500 SecureXL Turbocards For Sale - Last Six Remaining - Get Your Spares!
5. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Miscellaneous
Reload this Page Can you use Domain instead of IP for dest?
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 1 Week Ago
henba henba is offline
Junior Member
  
Join Date: 2008-03-05
Posts: 2
henba has an average reputation (10+)
Default Can you use Domain instead of IP for dest?
Have several NGX(R65). I need to ask if anyone in CPUG can help me. What I need to do is to create a rule to limit several hosts on trust side to HTTPS to a outside domain, for example microsoft.com. Yes, I can do nslookup on Microsoft Corporation and get a range of IP, but the range could change in the future. Microsoft lookup points to akadns.net. Can a rule be created where the destination is not an IP or range of IP but a domain like microsoft.com?

Thanks,
Reply With Quote
  #2 (permalink)  
Old 1 Week Ago
BarryStiefel BarryStiefel is offline
Administrator
  
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 505
BarryStiefel has disabled reputation
Default Re: Can you use Domain instead of IP for dest?
Quote:
Originally Posted by henba View Post
Have several NGX(R65). I need to ask if anyone in CPUG can help me. What I need to do is to create a rule to limit several hosts on trust side to HTTPS to a outside domain, for example microsoft.com. Yes, I can do nslookup on Microsoft Corporation and get a range of IP, but the range could change in the future. Microsoft lookup points to akadns.net. Can a rule be created where the destination is not an IP or range of IP but a domain like microsoft.com?

Thanks,
Yes, there's a domain object and you don't want to use it. It will require a reverse DNS lookup on every IP address that gets compared to that rule. It will slow down your firewall tremendously.

Either create a group containing the IP addresses or use a real web filtering product like Surf Control or WebSense.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
Reply With Quote
  #3 (permalink)  
Old 6 Days Ago
henba henba is offline
Junior Member
  
Join Date: 2008-03-05
Posts: 2
henba has an average reputation (10+)
Default Re: Can you use Domain instead of IP for dest?
Thanks for the information.
Reply With Quote
Reply

« Previous Thread | Next Thread »


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 01:46.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.0.0