Checkpoint Domain Object Issues
Domain Object issues
When a domain object is used as the source or destination of a rule, FireWall-1 performs a reverse DNS lookup (a PTR query that maps an IP address back to a name) on the corresponding address in the incoming packet. If the returned name falls within the domain the object specifies, the rule matches. Two consequences follow. First, an address with no reverse record can never match, so the object is useless for such hosts. Second, whoever controls the reverse zone for an address controls the name it resolves to: by publishing a PTR record that claims a name in your trusted domain, or by poisoning the DNS cache the firewall consults, an attacker can make an arbitrary address match the object and so open a hole in the rule base. The lookups also add DNS latency, and a dependency on DNS availability, to rule processing. For these reasons and others, Check Point does not recommend using domain objects in your rule base. If you use them anyway, place them as close to the bottom of the rule base as possible, so that the lookup is only performed for traffic that no earlier rule has already handled.
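The following is an added example, not Check Point code and not a description of what FireWall-1 itself does; it models the match described above with a constructed, in-memory resolver so it runs offline. The trusted domain example.com, the addresses and the PTR/A records are all assumed. The attacker owns the reverse zone for 203.0.113.7 and publishes a PTR record naming it vpn.example.com; the naive suffix check accepts that address, while a forward-confirmed check (resolve the returned name and require the original address to appear) rejects it, because the attacker does not control the trusted domain's forward zone. The host with no PTR record matches neither way, as the text notes.

```python
"""Why a reverse-DNS-based domain object is weak (added example, not Check Point code).

A constructed, in-memory resolver stands in for real DNS. All names,
addresses and records below are assumptions for the illustration.
"""
from typing import Dict, List, Optional

TRUSTED_DOMAIN = "example.com"  # the domain object's value (assumed)

# Constructed PTR records: IP -> name, as each reverse-zone owner publishes them.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",   # legitimate host in the trusted domain
    "203.0.113.7": "vpn.example.com",   # attacker's address; attacker-controlled PTR
    # 198.51.100.5 deliberately has no PTR record
}

# Constructed A records: name -> IPs, as the trusted domain's own zone publishes them.
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "vpn.example.com": ["192.0.2.20"],  # the real VPN host, not 203.0.113.7
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table; None models NXDOMAIN."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """A-record lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def in_domain(name: str, domain: str) -> bool:
    """True if name is the domain or a subdomain of it (case-insensitive,
    trailing dots ignored). The '.' prefix stops notexample.com matching."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def naive_domain_match(ip: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """The match as the paragraph describes it: PTR name ends in the domain.
    A missing PTR record means no match; a spoofed PTR record means a match."""
    name = reverse_lookup(ip)
    return name is not None and in_domain(name, domain)


def fcrdns_domain_match(ip: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """Forward-confirmed reverse DNS: additionally require the PTR name to
    resolve back to the same IP through the trusted domain's forward zone.
    Still fails for hosts with no PTR, and still trusts the forward lookup."""
    name = reverse_lookup(ip)
    if name is None or not in_domain(name, domain):
        return False
    return ip in forward_lookup(name)


def evaluate(ips=("192.0.2.10", "203.0.113.7", "198.51.100.5")) -> Dict[str, Dict[str, bool]]:
    """Run both checks over the constructed sample addresses."""
    return {ip: {"naive": naive_domain_match(ip), "fcrdns": fcrdns_domain_match(ip)}
            for ip in ips}


if __name__ == "__main__":
    for ip, result in evaluate().items():
        print(f"{ip:14} naive={str(result['naive']):5} fcrdns={result['fcrdns']}")
```

The forward-confirmed variant is the check a practitioner would want if a name-based match is unavoidable; it is shown here as a hardening, not as a feature of FireWall-1. Note that it does nothing for the no-PTR case and still depends on the integrity of the DNS answers the firewall receives, which is why avoiding domain objects altogether remains the recommendation.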