CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Domain based policy

  1. #1

    Domain based policy

    Hi all,

    I am facing an issue: how to keep domains in the policies.
    In the domain I have 100 systems registered with names.
    I need to keep all these domains in single or multiple rules, but the issue is
    when any IP changes in the domain?
    I am using R75.

    How to do IP based to domain based policies...... please help me.

    Thanks in advance.

  2. #2
    United States, Southeast

    Re: Domain based policy

    I've never done this, and the idea just occurred to me.

    You could use dynamic objects instead of domain objects.

    To test viability of the solution:

    In your policy, replace one domain object with a dynamic object.
    You will not be able to define the IP address of the dynamic object in the GUI. This is done on the gateway via CLI.

    On the firewall, create the object via the CLI tool (R75 CLI reference page 42).

    Create a script on the firewall that will list the dynamic objects, and checks their IPs against DNS.
    If it finds a difference, it then acts to change the value of the object.
    Unfortunately, the dynamic_objects tool does not appear to have the ability to clear an object. Your script will have to be intelligent enough to query the current value of the dynamic object and remove the previous value.

    I'd recommend a standard naming convention for your dynamic objects being managed by DNS. Something like dns_hostname.domainname.tld; i.e.: dns_www.yahoo.com.
    You could use the naming convention to limit the objects that the script would validate/act against.

    Outline of proposed script: (I'm assuming it's easy to get the current values of the objects using the dynamic_objects tool)

    Get list of dynamic objects
    for loop to check format of each object name {
    ..If name starts with "dns_" {
    ....get current value of object
    ....resolve object DNS name to IP
    ....if resolved name is not equal to current value {
    ......add new value to object
    ......remove previous value from object
    ....}
    ..}
    }

    It would be interesting if Check Point would add a forward lookup domain object.
    The current domain object works using reverse lookups.

    This proposed object would work using forward lookups only and have the following parameters:
    Resolution Interval
    Radio Button [Add new IPs to list; replace old IPs with new]
    Timeout value (how long to keep old IPs for the 'Add new IPs to list' option above.) [0 forever through 24 hours]
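
The script outlined in this reply, written out as an added example that is not code from the post or from Check Point. It assumes that `dynamic_objects -l` prints `object name : NAME` followed by `range_N : FROM TO` lines, that `dynamic_objects -o NAME -r FROM TO -a|-d` adds or deletes a single-address range, and that `getent` is available on the gateway; verify all three against your release's CLI reference before scheduling it.

```shell
#!/bin/bash
# Added example, not code from the original post. Keeps Check Point dynamic objects
# named dns_<hostname> in step with forward DNS. ASSUMPTIONS (check your release's
# CLI reference): "dynamic_objects -l" prints "object name : X" followed by
# "range_N : from to" lines, and "-o NAME -r FROM TO -a|-d" adds/deletes a range.
DYNOBJ=${DYNOBJ:-dynamic_objects}   # set DYNOBJ="echo dynamic_objects" for a dry run
PREFIX="dns_"

# parse_list: stdin = "dynamic_objects -l" output -> one "name first_ip" line per
# object ("-" when the object currently holds no address).
parse_list() {
    awk '/^object name/ { if (name != "") print name, ip; name = $NF; ip = "-" }
         /^range_0/     { ip = $3 }
         END            { if (name != "") print name, ip }'
}

# resolve_host HOST -> first IPv4 address, empty string if the lookup fails.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# update_object NAME CURRENT RESOLVED: add the new address first, then drop the old
# one, so the object is never empty in between (an empty object matches nothing).
# Returns 1 and leaves the object untouched when DNS did not resolve.
update_object() {
    if [ -z "$3" ]; then
        echo "# $1: lookup failed, keeping $2" >&2
        return 1
    fi
    [ "$2" = "$3" ] && return 0
    $DYNOBJ -o "$1" -r "$3" "$3" -a
    [ "$2" != "-" ] && $DYNOBJ -o "$1" -r "$2" "$2" -d
    return 0
}

# sync_all: the cron entry point; only objects carrying the dns_ prefix are touched.
sync_all() {
    $DYNOBJ -l | parse_list | while read -r name current; do
        case $name in "$PREFIX"*) ;; *) continue ;; esac
        update_object "$name" "$current" "$(resolve_host "${name#"$PREFIX"}")"
    done
}

if [ "${1-}" = "--apply" ]; then sync_all; fi
```

Run it as `DYNOBJ="echo dynamic_objects" ./script.sh --apply` first to see which changes it would make without touching the gateway.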

  3. #3

    Re: Domain based policy

    Domain objects do a DNS lookup to associate an IP address with them. Whilst the response is cached this is not permanent, and so as the DNS servers that the firewall uses to resolve the object names to IP are updated, then so will the domain object's information. I haven't found any information on the Check Point website to determine what the cache timeout is, so possibly one of the Check Point employees on the forum may be able to provide that.

    Typically, however, you would normally expect up to 24 hours for a DNS change to propagate.

    I would refer you to sk41632 if you are going to use domain objects in your Check Point policy.

    You define the domain object as .mysite.com or .mysite.co.uk depending upon the domain you are using, you don't define for individual hosts within a domain.
