CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Writing Firewall Rules by Domain Name.

  1. #1  PTVenom (joined 2009-01-07)

    Writing Firewall Rules by Domain Name.

    All,
    I have been tasked to find out the best way (if possible) to write rules based on domain (ex. *.intuit.com) without taking a major performance hit on the Gateways. Can someone point me in the right direction on how to accomplish this? We do not want to purchase another license if we don't have to, but that option is not totally ruled out. Our scenario is the following:
    We have a good amount of clients that do business with a vendor that has multiple IPs associated to their Domain Name. We currently have to put all of the available IPs of that vendor in the rule, and if the vendor changes IP, or adds an IP, and we do not know about it, the users will get a failure when trying to connect or send data to the client. We want to avoid this issue, and write the rules by 'domain'. I know this is possible, I just can't find any documentation on the best way to write them, and set them up.

  2. #2  PhoneBoy (joined 2005-08-14, Gig Harbor, WA, USA)

    Re: Writing Firewall Rules by Domain Name.

    Domain objects are one way to do it, but these are not known for performance.

    Another option is to use Dynamic Objects, periodically updating the actual IP definitions with a script, such as: https://bitbucket.org/chkp/dynobj/src
    Dynamic Objects perform better than Domain Objects, but are not SecureXL friendly and it is recommended to put rules that utilize them at the end of your rulebase to optimize performance.

    URL Filtering is also an option if the sites in question are accessed over http/https, which will perform much better than the above methods.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
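To make the "periodically update the Dynamic Object with a script" option concrete, here is an added example of such an updater. It is not code from this thread and not the chkp/dynobj script PhoneBoy links; it is a stand-alone POSIX sh script written for this page. It assumes the object has already been created once on the gateway with `dynamic_objects -n vendor_intuit`, that the gateway accepts `dynamic_objects -o NAME -r FROM TO -a|-d` to add or delete a range (check `dynamic_objects` with no arguments on your version first), and that `dig` is available for resolution. The object name, state file path and hostnames are placeholders. The script resolves the hostnames, diffs the result against what it pushed last time, and only adds or removes the addresses that changed, refusing to act on an empty DNS answer so a resolver outage cannot empty the object:

```shell
#!/bin/sh
# update_dynobj.sh: keep a Check Point Dynamic Object in step with DNS.
# Added example, not code from the thread or from chkp/dynobj. Assumptions:
#   - the object already exists on the gateway: dynamic_objects -n vendor_intuit
#   - the gateway's CLI accepts: dynamic_objects -o NAME -r FROM TO -a|-d
#     (verify with "dynamic_objects" alone on your version before relying on it)
#   - dig is installed; substitute nslookup/getent if it is not
# Object name, state file and hostnames below are placeholders.

OBJ="${OBJ:-vendor_intuit}"
STATE="${STATE:-/var/tmp/dynobj_${OBJ}.ips}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the dynamic_objects commands instead of running them

# resolve_hosts HOST...: print the sorted, unique IPv4 addresses of all the
# hostnames given. Only A records are used; IPv6 would need a second object.
resolve_hosts() {
    for h in "$@"; do
        dig +short A "$h" 2>/dev/null
    done | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u
}

# diff_sets OLD NEW: print "add IP" / "del IP" lines describing how to move
# from the address set in file OLD to the set in file NEW (sorted, one per line).
diff_sets() {
    comm -13 "$1" "$2" | sed 's/^/add /'
    comm -23 "$1" "$2" | sed 's/^/del /'
}

# apply_changes OBJ: read "add IP" / "del IP" lines from stdin and push each
# one to the gateway. A single address is a range whose FROM and TO are equal.
apply_changes() {
    obj="$1"
    while read -r op ip; do
        case "$op" in
            add) flag=-a ;;
            del) flag=-d ;;
            *)   continue ;;
        esac
        if [ "$DRY_RUN" = "1" ]; then
            echo "dynamic_objects -o $obj -r $ip $ip $flag"
        else
            dynamic_objects -o "$obj" -r "$ip" "$ip" "$flag"
        fi
    done
}

# refresh OBJ STATE HOST...: resolve, diff against the previous run, apply,
# then record the new set. An empty DNS answer is treated as a failure rather
# than as "remove everything", so a resolver outage cannot empty the object.
refresh() {
    obj="$1"; state="$2"; shift 2
    new="$(mktemp)" || return 1
    resolve_hosts "$@" > "$new"
    if [ ! -s "$new" ]; then
        echo "refresh: no addresses resolved, leaving $obj unchanged" >&2
        rm -f "$new"
        return 1
    fi
    [ -f "$state" ] || : > "$state"
    diff_sets "$state" "$new" | apply_changes "$obj"
    mv "$new" "$state"
}

# Cron entry on the gateway, e.g. every 10 minutes (hostnames are placeholders):
#   */10 * * * * /usr/local/bin/update_dynobj.sh run www.intuit.com
if [ "${1:-}" = "run" ]; then
    shift
    refresh "$OBJ" "$STATE" "$@"
fi
```

Two caveats worth keeping in mind with this approach. Dynamic Object address lists live on each gateway, not in the management database, so the script has to run on every gateway (or cluster member) that enforces the rule, and the state file is per gateway. And the gateway resolves the names from its own vantage point and with its own resolver; a vendor behind geo-DNS or a CDN can hand your clients different addresses than it hands the gateway, which is exactly the kind of gap URL Filtering on the actual HTTP/HTTPS traffic avoids.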

  3. #3  PTVenom (joined 2009-01-07)

    Re: Writing Firewall Rules by Domain Name.

    With enabling URL Filtering, does the firewall see any sort of performance hit? We currently run our CP Firewalls on open servers (HPs), but we are looking at Check Point Appliances to support this need.

  4. #4  jflemingeds (joined 2011-08-02, http://spikefishsolutions.com)

    Run shell commands remotely with cprid_util

    Quote Originally Posted by PhoneBoy:
    Domain objects are one way to do it, but these are not known for performance.

    Another option is to use Dynamic Objects, periodically updating the actual IP definitions with a script, such as: https://bitbucket.org/chkp/dynobj/src
    Dynamic Objects perform better than Domain Objects, but are not SecureXL friendly and it is recommended to put rules that utilize them at the end of your rulebase to optimize performance.

    URL Filtering is also an option if the sites in question are accessed over http/https, which will perform much better than the above methods.
    Did anyone else know you can do that? It looks like you can issue rexec commands to remote gateways via cprid_util.
    Last edited by jflemingeds; 2014-02-28 at 00:43. Reason: Autocomplete bytes again

  5. #5  PhoneBoy (joined 2005-08-14, Gig Harbor, WA, USA)

    Re: Writing Firewall Rules by Domain Name.

    Quote Originally Posted by PTVenom:
    With enabling URL Filtering, does the firewall see any sort of performance hit? We currently run our CP Firewalls on open servers (HPs), but we are looking at Check Point Appliances to support this need.
    The answer depends on what blades you are using.
    If just Firewall and VPN, yes there will be an impact and it will be similar to running IPS with the Recommended Profile (see the Check Point Appliance datasheets to get an idea of what the impact might be).
    If you're already running IPS Recommended or App Control, the performance impact will be fairly minimal.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
