2 Replies Latest reply: Dec 3, 2012 9:45 AM by mtuma RSS

    Domain Name in NetObject

    Arshad

      I am using Sidewinder 8.2.1 and have made NetObjects of IP Addresses for Internet access to my users. But I want that I add Domain name instead of individual IPs. So that if IPs changes dynamically then I should not enter manually . I have tried to create a Domain name inside NetObject "gmail.com" and created a rule with source IP of mine and destination is the domain name but the rule never matches and it says Access Denied . Kindly help

        • 1. Re: Domain Name in NetObject
          PhilM

          That would suggest that the DNS on the Firewall is not configured properly, or is not functioning properly. Either that or the host in question you are trying to access isn't actually using a gmail.com domain name.

           

          Domain and Host objects certainly do work, but ever since I was trained to use v5 of this product back in 2000/2001, my trainer always advised against using domain or host objects for this very reason. You are then entirely at the mercy of DNS, and if DNS isn't configured correctly then the elements relying on it will simply not work.

           

          To be fair, I have been on courses from Firewalls from at least 3 other vendors, and their advice is generally the same - unless you are completely confident with your DNS environment try to avoid using hostname or domain name network objects.

           

          Look at the audit when these connections are being blocked and perform DNS checks using the Firewall command line against the reported IP address to see which hostname it resolves back to. This will help you to understand what is happening and if the IP address(es) in question do resolve to gmail.com hostnames then I'd recommed raising a ticket with support so they can try and work out why the rule is not being triggered correctly.

           

          -Phil.

          • 2. Re: Domain Name in NetObject
            mtuma

            Hello,

             

            It is not clear whether you are using domain or host objects, but below is a good document that explains both:

             

            Firewall Enterprise: How Host and Domain network objects work (KB61366)

             

            If you are using domain objects, keep in mind that the firewall is relying on reverse DNS and reverse DNS is notoriously unreliable. Host objects are a little bit better as they rely on forward DNS. It still is recommended to avoid using DNS objects as you are allowing DNS to determine your Firewall Policy, but there are some situations where they are necessary.

             

            -Matt