620 Views 2 Replies Latest reply: Dec 3, 2012 9:45 AM by mtuma
Arshad Apprentice 64 posts since
Nov 19, 2009

Nov 30, 2012 12:50 AM

Domain Name in NetObject

I am using Sidewinder 8.2.1 and have made NetObjects of IP addresses for Internet access for my users. But I want to add a domain name instead of individual IPs, so that if the IPs change dynamically I do not have to enter them manually. I have tried to create a domain name inside a NetObject, "gmail.com", and created a rule with my source IP and the domain name as the destination, but the rule never matches and it says Access Denied. Kindly help.

  • PhilM Champion 528 posts since
    Jan 7, 2010
    1. Nov 30, 2012 2:43 AM (in response to Arshad)
    Re: Domain Name in NetObject

    That would suggest that the DNS on the Firewall is not configured properly, or is not functioning properly. Either that, or the host in question you are trying to access isn't actually using a gmail.com domain name.

    Domain and Host objects certainly do work, but ever since I was trained to use v5 of this product back in 2000/2001, my trainer always advised against using domain or host objects for this very reason. You are then entirely at the mercy of DNS, and if DNS isn't configured correctly then the elements relying on it will simply not work.

    To be fair, I have been on courses on firewalls from at least 3 other vendors, and their advice is generally the same - unless you are completely confident in your DNS environment, try to avoid using hostname or domain name network objects.

    Look at the audit when these connections are being blocked and perform DNS checks using the Firewall command line against the reported IP address to see which hostname it resolves back to. This will help you to understand what is happening, and if the IP address(es) in question do resolve to gmail.com hostnames then I'd recommend raising a ticket with support so they can try and work out why the rule is not being triggered correctly.

    -Phil.

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009
    2. Dec 3, 2012 9:45 AM (in response to PhilM)
    Re: Domain Name in NetObject

    Hello,

    It is not clear whether you are using domain or host objects, but below is a good document that explains both:

    Firewall Enterprise: How Host and Domain network objects work (KB61366)

    If you are using domain objects, keep in mind that the firewall is relying on reverse DNS, and reverse DNS is notoriously unreliable. Host objects are a little bit better as they rely on forward DNS. It is still recommended to avoid using DNS objects, as you are allowing DNS to determine your firewall policy, but there are some situations where they are necessary.

    -Matt
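
Added example (not from the thread, and not McAfee code): a small Python script that reproduces the two lookups the replies above describe, so you can see why a rule built on a "gmail.com" domain object can fail while the destination really is gmail.com. A domain object is matched by reverse DNS of the destination IP and a suffix check on the PTR name; a host object is matched by forward DNS of the name and a check that the destination IP is among the answers. The `diagnose()` function is Phil's check in code form: feed it the denied destination IP from the audit and it reports what each object type would conclude and why. All DNS data in the script is constructed (documentation range 203.0.113.0/24 and made-up names, including a deliberately bogus PTR) so it runs offline; pass an IP and a domain on the command line to run the same checks against real DNS from the firewall's command line or any host that uses the firewall's resolver.

```python
"""Simulate how a domain object (reverse DNS) and a host object (forward DNS)
decide whether a destination IP matches, and run the suggested audit check.
Added example, not McAfee code. Sample DNS data is constructed: documentation
range 203.0.113.0/24 and made-up names, not real records."""
import socket
import sys

# Constructed PTR records: IP -> reverse name (None = no PTR record).
SAMPLE_PTR = {
    "203.0.113.10": "mail-xy.example-infra.net",  # real server, PTR under an infrastructure domain
    "203.0.113.11": "mx.gmail.com",                # PTR under the user-facing domain
    "203.0.113.12": None,                          # no reverse record at all
    "203.0.113.14": "login.gmail.com",             # PTR claims gmail.com, nothing forward-resolves to it
}
# Constructed A records: name -> addresses.
SAMPLE_A = {
    "gmail.com": ["203.0.113.10", "203.0.113.13"],
    "mx.gmail.com": ["203.0.113.11"],
    "mail-xy.example-infra.net": ["203.0.113.10"],
}


def _norm(name):
    """Lower-case and drop the trailing dot so comparisons are label-aligned."""
    return name.rstrip(".").lower()


def reverse_lookup(ip, table=None):
    """PTR name for ip, or None if there is none. Uses the table if given, else real DNS."""
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name, table=None):
    """IPv4 addresses for name ([] if it does not resolve). Table if given, else real DNS."""
    if table is not None:
        return list(table.get(_norm(name), []))
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def domain_object_matches(ip, domain, ptr_table=None):
    """Domain object logic: reverse DNS of the IP, then suffix match on the PTR name.
    Returns (matched, reason). The suffix check is label-aligned, so a PTR of
    'evilgmail.com' does not match the domain 'gmail.com'."""
    name = reverse_lookup(ip, ptr_table)
    if name is None:
        return False, "no PTR record"
    name, domain = _norm(name), _norm(domain)
    matched = name == domain or name.endswith("." + domain)
    return matched, "PTR " + name


def host_object_matches(ip, hostname, a_table=None):
    """Host object logic: forward-resolve the name, check the IP is one of the answers."""
    addrs = forward_lookup(hostname, a_table)
    return ip in addrs, "A %s -> %s" % (hostname, addrs)


def fcrdns_confirmed(ip, ptr_table=None, a_table=None):
    """Forward-confirmed reverse DNS: the PTR name must itself resolve back to ip.
    A PTR that fails this is just a string chosen by whoever controls the reverse
    zone, which is why trusting reverse DNS alone is weak."""
    name = reverse_lookup(ip, ptr_table)
    return name is not None and ip in forward_lookup(name, a_table)


def diagnose(ip, domain, ptr_table=None, a_table=None):
    """The suggested audit check: for a denied destination IP, report what a
    domain object and a host object for `domain` would each conclude, and why."""
    d_ok, d_why = domain_object_matches(ip, domain, ptr_table)
    h_ok, h_why = host_object_matches(ip, domain, a_table)
    return {
        "ip": ip,
        "domain_object": d_ok, "domain_reason": d_why,
        "host_object": h_ok, "host_reason": h_why,
        "fcrdns": fcrdns_confirmed(ip, ptr_table, a_table),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real DNS: python3 dnscheck.py <denied-ip> <domain>
        print(diagnose(sys.argv[1], sys.argv[2]))
    else:                   # offline walk-through on the constructed records
        for sample_ip in SAMPLE_PTR:
            print(diagnose(sample_ip, "gmail.com", SAMPLE_PTR, SAMPLE_A))
```

In the constructed data, 203.0.113.10 is what gmail.com forward-resolves to, yet its PTR is under a different domain, so the domain object denies it while a host object would allow it; 203.0.113.14 shows the opposite failure, a PTR that claims gmail.com but does not survive forward confirmation, which the domain object would happily match. Run the script with an IP from a denied audit record to see which of these cases you are hitting before opening a support ticket.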
