What is a Domain object?
A Domain Object allows you to specify a domain name for matching in the rule base. It can be used in Source and Destination columns of Access Policy.
How to Create Domain Object in R80.x?
- Right-click on Network Objects on the right hand side object panel
- Navigate to more -> Domain
- Now you have 2 different modes to create Domain Objects: FQDN mode and Non-FQDN mode.
When FQDN mode is selected, only traffic to the exact domain will be matched on the rule using the FQDN domain object.
To be able to use FQDN objects in our policy, the URL on the object must start with a '.' [dot].
Example: .checkpoint.com as FQDN.
Note: there is no need to use '*' when configuring the object
A rule using this object will match both, and only, these URLs: www.checkpoint.com and checkpoint.com.
Only traffic to checkpoint.com and www.checkpoint.com will be matched on that object. Traffic to support.checkpoint.com won't be matched. This option is supported starting from R80.10 and is the default and recommended option.
To match a rule with an FQDN domain object, the Security Gateway does name resolution using a direct DNS query. The resolved IP addresses are cached, and traffic to those IP addresses is matched on the rule using that FQDN object. The timeout of the FQDN cache respects the TTL of the DNS record. The default TTL of the domain cache is 1 hour.
No DNS reverse lookup is performed.
Changes to the Gaia DNS servers are only activated after running cpstop/cpstart or a reboot. Until then, the DNS servers that were configured at startup remain in use.
When FQDN mode is unchecked, traffic to the domain and its sub-domains (up to 10 levels) will be matched on the rule using the non-FQDN Domain object.
Note: Keep non-FQDN domain objects as low in the rule base as possible.
In the rule below, .example.com is configured as a non-FQDN object:
To potentially match this rule, the destination IP address of the connection must be resolved via reverse DNS.
Let's assume you accessed ftp.example.com, your client resolved this name to 192.0.2.21, and this is the first applicable rule for the connection.
The Security Gateway looks up 21.2.0.192.in-addr.arpa via DNS.
If this lookup returns example.com (or a subdomain) as a result, that IP address is matched as part of .example.com.
If the lookup returns NXDOMAIN or anything else, the IP address is not matched as part of .example.com.
When upgrading domain objects from pre-R80.10, this option is enforced.
To match a rule with a non-FQDN domain object, the Security Gateway uses a DNS reverse lookup (if the IP address is not already in the cache).
Note: Some DNS servers do not support DNS reverse lookups or might not be fully updated with all reverse entries.
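The two matching procedures described above, modelled as an added example (this is not Check Point's code): FQDN mode forward-resolves only the apex and www names and caches the answers per TTL; non-FQDN mode reverse-resolves the destination IP and accepts the domain or a sub-domain up to 10 levels deep, treating NXDOMAIN as no match. The DNS tables are constructed sample data and the function names are assumptions.

```python
import ipaddress

# Constructed sample DNS data for the demonstration (not real zone data).
FORWARD = {                      # name -> A records
    "checkpoint.com": {"198.51.100.10"},
    "www.checkpoint.com": {"198.51.100.11"},
    "support.checkpoint.com": {"198.51.100.12"},
}
REVERSE = {                      # in-addr.arpa name -> PTR target; absent = NXDOMAIN
    "21.2.0.192.in-addr.arpa": "ftp.example.com",
    "22.2.0.192.in-addr.arpa": "x.y.example.com",
    "23.2.0.192.in-addr.arpa": "example.org",
    "24.2.0.192.in-addr.arpa": "a.b.c.d.e.f.g.h.i.j.k.example.com",  # 11 levels deep
}

def fqdn_match(obj, dst_ip, cache, now, ttl=3600):
    """FQDN mode: forward-resolve only apex and www.apex, caching answers for ttl seconds."""
    apex = obj.lstrip(".")
    for name in (apex, "www." + apex):
        hit = cache.get(name)
        if hit is None or hit[1] <= now:               # never resolved or cache entry expired
            cache[name] = (FORWARD.get(name, set()), now + ttl)
    resolved = cache[apex][0] | cache["www." + apex][0]
    return dst_ip in resolved                          # support.apex is never covered

def non_fqdn_match(obj, dst_ip, max_levels=10):
    """Non-FQDN mode: reverse-resolve dst_ip and compare the PTR result with the domain."""
    domain = obj.lstrip(".")
    arpa = ipaddress.ip_address(dst_ip).reverse_pointer   # e.g. 21.2.0.192.in-addr.arpa
    ptr = REVERSE.get(arpa)
    if ptr is None:                                       # NXDOMAIN (or anything else): no match
        return False
    if ptr == domain:                                     # the domain itself
        return True
    if not ptr.endswith("." + domain):                    # unrelated name
        return False
    levels = ptr[: -len(domain) - 1].count(".") + 1       # sub-domain levels below the domain
    return levels <= max_levels
```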
Domain objects Acceleration
Starting from R80.10, Domain objects no longer disable SecureXL Accept templates and support template acceleration. Hence, Domain objects can be placed in upper rules of the security policy with no performance impact.
For more information, see sk32578.