Domain Objects in R8x

What is a Domain object?

A Domain Object allows you to specify a domain name for matching in the rule base. It can be used in the Source and Destination columns of the Access Policy.


How to Create a Domain Object in R8x?

  1. Right-click Network Objects in the object panel on the right-hand side

  2. Navigate to More -> Domain

  3. You now have two different modes for creating Domain Objects: FQDN mode and non-FQDN mode.

FQDN mode

When FQDN mode is selected, only traffic to the exact domain will be matched on the rule using the FQDN domain object.

To be able to use FQDN objects in the policy, the domain name on the object must start with a '.' (dot).

Example: as FQDN.

Note: there is no need to use '*' when configuring the object.

This rule will enforce both and only URLs: and 

Only traffic to and will be matched on that object. Traffic to will not be matched. This option is supported starting from R80.10 and is the default and recommended option.

To match a rule with an FQDN domain object, the Security Gateway resolves the name using a direct DNS query. The resolved IP addresses are cached, and traffic to those IP addresses is matched on the rule using that FQDN object. The timeout of the FQDN cache follows the TTL of the DNS record; the default TTL of the domain cache is 1 hour.

No DNS reverse lookup is performed.

Changes to the Gaia DNS servers take effect only after running cpstop/cpstart or rebooting. Until then, the DNS servers configured at startup continue to be used.


Non-FQDN mode

When FQDN mode is unchecked, traffic to the domain and its sub-domains (up to 10 levels) is matched on the rule using the non-FQDN Domain object.

Note: Keep non-FQDN domain objects as low in the rule base as possible.

In the rule below, is configured as a non-FQDN object:

To potentially match this rule, the destination IP address of the connection must be resolved via reverse DNS.
Let's assume you accessed , your client resolves this to , and this is the first applicable rule for the connection.
The Security Gateway looks up via reverse DNS.
If this lookup returns (or a sub-domain of it) as a result, that IP address is matched as part of .
If the lookup returns NXDOMAIN or anything else, the IP address is not matched as part of .

When domain objects are upgraded from a pre-R80.10 version, this option is enforced.

To match a rule with a non-FQDN domain object, the Security Gateway uses a DNS reverse lookup (if the IP address is not already in the cache).

Note: Some DNS servers do not support DNS reverse lookups or might not be fully updated with all reverse entries.
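The two matching paths described above (FQDN mode: direct query, IP cache honouring the DNS TTL; non-FQDN mode: reverse lookup, match on the domain or a sub-domain up to 10 levels, NXDOMAIN never matches) can be simulated in a few lines. The following is an added example, not Check Point code: the `DomainObject` class, the `FORWARD`/`REVERSE` tables and the `DEFAULT_TTL`/`MAX_SUBDOMAIN_LEVELS` constants are constructed here to stand in for the gateway and its DNS servers, and FQDN mode is modelled as resolving only the exact name entered (an assumption about the page's elided example).

```python
# Added example (not Check Point code): a small simulation of how FQDN and
# non-FQDN domain objects decide whether a destination IP matches a rule.
# DNS answers come from constructed in-memory tables, so it runs offline.
from dataclasses import dataclass, field

DEFAULT_TTL = 3600          # page: default domain cache TTL is 1 hour
MAX_SUBDOMAIN_LEVELS = 10   # page: non-FQDN objects match sub-domains up to 10 levels

# Constructed DNS data standing in for the Gaia-configured DNS servers.
FORWARD = {                 # name -> A records (direct query, FQDN mode)
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "mail.example.com": ["192.0.2.20"],
}
REVERSE = {                 # IP -> PTR record (reverse lookup, non-FQDN mode)
    "192.0.2.10": "www.example.com",
    "192.0.2.20": "mail.example.com",
    "192.0.2.30": "host.dept.example.com",
    "192.0.2.40": "www.example.net",
    "192.0.2.50": "l1.l2.l3.l4.l5.l6.l7.l8.l9.l10.l11.example.com",  # 11 levels deep
    # 192.0.2.99 has no PTR record: the reverse lookup returns NXDOMAIN
}


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


@dataclass
class DomainObject:
    name: str            # as entered in SmartConsole, e.g. ".example.com" (leading dot required)
    fqdn: bool = True
    forward: dict = field(default_factory=lambda: FORWARD)
    reverse: dict = field(default_factory=lambda: REVERSE)
    cache: dict = field(default_factory=dict)   # FQDN mode: resolved IP -> expiry time

    def __post_init__(self):
        if not self.name.startswith("."):
            raise ValueError("domain object name must start with a '.'")
        self.domain = normalize(self.name[1:])

    # ---- FQDN mode: direct DNS query, cache entries live for the TTL ----
    def refresh(self, now: float, ttl: int = DEFAULT_TTL) -> None:
        for ip in self.forward.get(self.domain, []):
            self.cache[ip] = now + ttl

    def _match_fqdn(self, dst_ip: str, now: float) -> bool:
        # Drop aged-out entries; re-query DNS only when nothing usable is left.
        self.cache = {ip: exp for ip, exp in self.cache.items() if exp > now}
        if not self.cache:
            self.refresh(now)
        return dst_ip in self.cache

    # ---- non-FQDN mode: reverse lookup, match the domain or a sub-domain ----
    def _match_non_fqdn(self, dst_ip: str) -> bool:
        ptr = self.reverse.get(dst_ip)
        if ptr is None:                 # NXDOMAIN or missing reverse entry: never matched
            return False
        ptr = normalize(ptr)
        if ptr == self.domain:
            return True
        suffix = "." + self.domain
        if not ptr.endswith(suffix):    # "notexample.com" must not match ".example.com"
            return False
        levels = ptr[: -len(suffix)].count(".") + 1
        return levels <= MAX_SUBDOMAIN_LEVELS

    def matches(self, dst_ip: str, now: float = 0.0) -> bool:
        return self._match_fqdn(dst_ip, now) if self.fqdn else self._match_non_fqdn(dst_ip)


if __name__ == "__main__":
    exact = DomainObject(".www.example.com", fqdn=True)
    wide = DomainObject(".example.com", fqdn=False)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50", "192.0.2.99"):
        print(f"{ip:12} FQDN={str(exact.matches(ip)):<5} non-FQDN={wide.matches(ip)}")
```

Two behaviours worth noticing when running it: the FQDN object keeps answering from its cache until the TTL elapses even if the A record changes in the meantime, which is the same reason the page says DNS server changes need cpstop/cpstart; and the non-FQDN object silently fails to match any address whose PTR record is missing, which is why a DNS server without reverse entries makes such rules unreliable.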

Domain Object Acceleration

Starting from R80.10, Domain objects no longer disable SecureXL Accept templates and support template acceleration. Hence, Domain objects can be used in upper rules of the security policy with no performance impact.

For more information, see sk32578.

