Checkpoint Domain Object - NETSEC

Monday, November 21, 2011

Checkpoint Domain Object

I was thinking of using a Domain Object as a source in our firewall rule. After consulting with Check Point support, it seems impossible if your domain object represents multiple IP addresses.

SK42128

Symptoms

Rules containing a Domain object will only resolve to one of the associated IP addresses, causing request for a site not to return a web page.

Cause

A Domain object resolves a domain name by the first IP Address that appears when running the nslookup command.

Solution

Use domain objects for domains that, when the nslookup command is used, resolve only to one IP address.
It cannot be used with domain names that are resolved to multiple IP addresses.
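
One way to check candidate names against this rule before building Domain objects, as an added example that is not part of the original post or of Check Point's tooling. It assumes the machine running it sees the same DNS answers as the gateway; the function names and the `.example` sample data are constructed for illustration.

```python
import socket

def resolve_ipv4(name):
    """Return every IPv4 address the local resolver reports for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def audit_domain_objects(names, resolver=resolve_ipv4, rounds=3):
    """Classify names by the SK42128 rule: only single-IP names are usable.

    Each name is resolved `rounds` times and the answers are unioned,
    because round-robin DNS can return a different subset per query.
    """
    report = {}
    for name in names:
        seen = set()
        try:
            for _ in range(rounds):
                seen.update(resolver(name))
        except OSError:  # socket.gaierror is an OSError subclass
            seen.clear()  # a name that fails on any round is not dependable
        if not seen:
            verdict = "unresolvable"
        elif len(seen) == 1:
            verdict = "ok"
        else:
            verdict = "multiple-ips"
        report[name] = (verdict, sorted(seen))
    return report

# Constructed sample answers (RFC 5737 documentation addresses), not real lookups.
SAMPLE_ANSWERS = {
    "intranet.example": [["192.0.2.10"]],
    "cdn.example": [["198.51.100.1", "198.51.100.2"],
                    ["198.51.100.3", "198.51.100.1"]],
}

def make_sample_resolver(answers):
    """Offline stand-in for resolve_ipv4 that rotates through canned answers."""
    calls = {}
    def resolver(name):
        if name not in answers:
            raise socket.gaierror("constructed: name not found")
        i = calls.get(name, 0)
        calls[name] = i + 1
        return answers[name][i % len(answers[name])]
    return resolver

if __name__ == "__main__":
    names = ["intranet.example", "cdn.example", "gone.example"]
    offline = make_sample_resolver(SAMPLE_ANSWERS)
    for name, (verdict, addrs) in audit_domain_objects(names, offline).items():
        print(f"{name:20} {verdict:13} {', '.join(addrs)}")
```

Call `audit_domain_objects(names)` without the `resolver` argument to query live DNS; names reported as `multiple-ips` are the ones SK42128 says not to use in a Domain object.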

-----------------------------

SK41632 also explains a little about how the Domain object works and includes the following best-practice rules:

"Rules of thumb: 

  • Avoid using domain objects, if you can.

  • Place them as deep in the rulebase, as you can, to maximize the chance that a given packet will hit a rule that uses a network object, before falling to the domain object.

  • Construct rules above the domain object, in such a way, as to catch as much traffic, as you can, before falling through to the domain object."

The most important one is to put the domain object as deep in the rulebase as you can, to reduce the latency caused by reverse name resolution.

