What is a Domain object?
A Domain Object allows you to specify a domain name for matching in the rule base. You can use it in the Source and Destination columns of the Access Control Policy.
How to Create a Domain Object in R8x?
- In SmartConsole > Objects Explorer (the right-hand side panel) > right-click Network Objects.
- Navigate to more > Domain.
- Now you have 2 different modes to create Domain Objects: FQDN mode and Non-FQDN mode.
When the FQDN mode is selected, only traffic to the exact domain is matched on the rule using the FQDN domain object.
To be able to use FQDN objects in our policy, the URL on the object must start with a '.' [dot].
Example: .checkpoint.com as FQDN.
Note: there is no need to use '*' when you configure the object
This rule enforces both and only URLs: www.checkpoint.com and checkpoint.com.
Only traffic to checkpoint.com and www.checkpoint.com is matched on that object. Traffic to support.checkpoint.com is not matched. This option is supported starting from R80.10 and is the default and recommended option.
To match a rule with a FQDN domain object, the Security Gateway does name resolution using direct DNS query. The resolved IP addresses are cached, and traffic to those IP addresses are matched on the rule using that FQDN object. The timeout of the FQDN cache respects the TTL of the DNS. The default TTL of the domain cache is 1 hour.
No DNS reverse lookup is performed.
Changes in Gaia DNS servers are implemented only after you run
cpstop/cpstart or reboot the appliance. If not, the DNS servers that were configured at startup will continue to be used.
When FQDN mode is unchecked, traffic to the domain and its sub-domains (up to 10 levels) is matched on the rule using the non-FQDN Domain object.
Note: Keep non-FQDN domain objects as low in the rulebase, as possible.
In the rule below, .example.com is configured as a non-FQDN object:
To potentially match this rule, the destination IP address of the connection must be resolved through reverse DNS.
Let's assume you accessed ftp.example.com, your client resolves this IP address to 192.0.2.21 and this is the first applicable rule to the connection.
The Security Gateway looks up 126.96.36.199.in-addr.arpa via DNS.
If this lookup returns example.com (or a subdomain) as a result, that IP address is matched as part of .example.com.
If the lookup returns NXDOMAIN or anything else, the IP address is not matched as part of .example.com.
When upgrading domain objects from pre-R80.10, this option is enforced.
To match a rule with non-FQDN domain object, the Security gateway uses DNS reverse lookup (if the IP address is not already in cache).
Note: Some DNS servers do not support DNS reverse lookups or might not be fully updated with all reverse entries.
Domain objects Acceleration
Starting from R80.10, Domain objects do not disable SecureXL Accept templates anymore and support Templates Acceleration. Hence, Domain objects can be used in upper rules in the security policy with no performance impact.
For more information, see sk32578.