{"id":407,"date":"2010-04-01T15:43:25","date_gmt":"2010-04-01T15:43:25","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2010\/04\/01\/allowing-domain-dns-based-objects-through-a-checkpoint-firewall\/"},"modified":"2023-02-04T01:47:27","modified_gmt":"2023-02-04T01:47:27","slug":"allowing-domain-dns-based-objects-through-a-checkpoint-firewall","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Check-Point\/allowing-domain-dns-based-objects-through-a-checkpoint-firewall.html","title":{"rendered":"Allow Domain\/DNS-based objects through Check Point Firewall"},"content":{"rendered":"

In order to allow domain-based objects through a Check Point firewall we need to understand how the domain objects actually work.

When a packet hits a rule with a domain-based object, the Check Point performs a reverse DNS lookup on the IP address and compares the result against the domain object to see if they match; if they do not, the packet is dropped. Not only can this cause a number of issues, it can also have massive performance implications (for further details see sk41632).

Below takes a closer look at this process.

When a packet hits a rule containing a domain-based object, the firewall queries the PTR record for the packet's IP address to see if it matches the domain name provided in the domain object.

Below you can see the DNS process of a domain object using ftp.symantec.com.

Note: Firewall IP = 22.19.1.1 | DNS Server = 2.2.2.2.

22.19.1.1.32874 > 2.2.2.2.domain: 40818+ PTR? 171.22.67.77.in-addr.arpa.
2.2.2.2.domain > 22.19.1.1.32874: 40818 NXDomain q: PTR? 171.22.67.77.in-addr.arpa. 0/1/0 ns: 77.in-addr.arpa

This causes problems when the PTR record does not match the domain name of the A record: the Check Point firewall drops the traffic, believing that the destination you are trying to reach is not part of the domain object.

Note: when troubleshooting these kinds of issues you can also spot the PTR record being displayed as the destination name within the logs, rather than the domain name of the object. This is a quick and easy way to confirm that the PTR record does not match your domain name.

Another way to check your PTR record is via the following steps:

[Expert@fw]# dig a ftp.symantec.com +short
ftp25280.symantec.edgesuite.net.
25280.ftp.download2.akadns.net.
25280.ftp.download.akadns.net.
171.22.67.77
213.248.114.171

[Expert@fw]# dig -x 213.248.114.171 +short
213-248-114-171.customer.teliacarrier.com.

A number of companies have PTR records that do not match their domain name (A record). When you try to allow access to them through a Check Point this causes issues, as the firewall will simply drop the traffic.
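The check described above can be emulated offline to predict which addresses a domain object would drop before traffic ever hits the rule. The following script is an added example and not part of the original post; it assumes a Check Point-style suffix object such as ".symantec.com" and uses constructed lookup tables in place of a live resolver, populated with the dig results shown on this page.

```python
"""Offline emulation of a Check Point domain-object PTR check (added example)."""
from __future__ import annotations

# Constructed lookup tables standing in for the resolver. The values mirror the
# dig output on this page: one address has no PTR (NXDomain), the other's PTR
# points at the carrier, not at symantec.com.
FORWARD = {"ftp.symantec.com": ["171.22.67.77", "213.248.114.171"]}
REVERSE = {"213.248.114.171": "213-248-114-171.customer.teliacarrier.com."}


def ptr_name(ip: str) -> str:
    """Build the in-addr.arpa owner name the firewall queries for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_lookup(ip: str) -> str | None:
    """Return the PTR target, or None for NXDomain (constructed table; swap in a real resolver)."""
    return REVERSE.get(ip)


def matches_domain_object(ip: str, domain_object: str) -> bool:
    """Apply the rule the post describes: the PTR name must fall under the object's suffix."""
    # Assumption: the domain object is written Check Point style, e.g. ".symantec.com".
    suffix = domain_object.lower().rstrip(".")
    name = reverse_lookup(ip)
    if name is None:
        return False  # no PTR record -> no match -> the firewall drops the packet
    name = name.lower().rstrip(".")
    return name == suffix.lstrip(".") or name.endswith(suffix)


def audit(hostname: str, domain_object: str) -> dict[str, str]:
    """Classify every forward address of hostname as 'accept' or 'drop'."""
    return {ip: ("accept" if matches_domain_object(ip, domain_object) else "drop")
            for ip in FORWARD.get(hostname, [])}


if __name__ == "__main__":
    for ip, verdict in audit("ftp.symantec.com", ".symantec.com").items():
        print(f"{ip:16} {ptr_name(ip):28} {reverse_lookup(ip) or 'NXDomain':46} {verdict}")
```

Both addresses come back as "drop", which is exactly the behaviour the tcpdump and log symptoms above point to.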

Solution

The best solution to this issue is to have your traffic pass via an internal proxy. Proxies are designed for, and better suited to, allowing and denying such traffic than a Check Point firewall. There are also massive performance issues with using Check Point's domain objects and URI resources.

If you are unable to use an internal proxy then there are 2 alternatives. Both are based on the built-in security servers within the Check Point firewall, as shown below.

FTP

Within Check Point you can configure an FTP resource. This allows you to configure a path which can then be denied or allowed within a rule. The limitation is that you can only specify the path, not the host.

Below shows you the steps:

1. Create a new FTP resource


2. Assign the FTP resource a name

\"FTP<\/p>\n

3. Assign a path and the action method(s).

\"FTP<\/p>\n

4. Right-click on a new rule and select Service with Resource.

\"FTP<\/p>\n

5. Then add the remaining fields to the rule, such as source and destination.

\"FTP<\/p>\n


HTTP

The HTTP security server gives you many more options. Below shows you the steps:

1. Create a new HTTP resource

\"HTTP<\/p>\n

2. Add a name and the connection method(s). These are based on the following: