I was thinking of using a Domain object as the source in one of our firewall rules. After consulting with Check Point support, it seems impossible if your domain object represents multiple IP addresses.
A rule containing a Domain object will only resolve to one of the associated IP addresses, so requests to a site served from any of the other addresses will not return a web page.
A Domain object resolves a domain name to the first IP address that appears when running the nslookup command.
Use Domain objects only for domains that resolve to a single IP address when nslookup is run.
They cannot be used with domain names that resolve to multiple IP addresses.
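To check a name before building a Domain object around it, the following script parses nslookup output and reports which address the object would actually resolve to and which addresses the rule would silently miss. This is an added example, not code from the original post or from Check Point; it assumes the GNU/Linux nslookup output format, and the two nslookup transcripts embedded in it are constructed samples, not real captures. The `check_live` helper is the only part that needs a network and a real nslookup binary.

```python
"""Report how a Check Point Domain object would behave for a given name.

Added example (not from the original post). Assumption: the classic Domain
object uses only the first address nslookup prints, so any name with more
than one address is unsafe for a Domain object.
"""
import subprocess
from typing import List, Optional

# Constructed sample output in the format GNU/Linux nslookup prints.
SAMPLE_SINGLE = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
Name:\tintranet.example.test
Address: 10.10.20.5
"""

SAMPLE_MULTI = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
Name:\twww.example.test
Address: 203.0.113.10
Name:\twww.example.test
Address: 203.0.113.11
Name:\twww.example.test
Address: 2001:db8::10
"""


def parse_nslookup(output: str) -> List[str]:
    """Return the answer addresses from nslookup output, in printed order.

    The resolver's own 'Address: x.x.x.x#53' line comes before the first
    'Name:' line and is skipped, so only answer records are returned.
    """
    addresses: List[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if in_answer and line.startswith("Address:"):
            # split on the first ':' only so IPv6 answers stay intact
            addresses.append(line.split(":", 1)[1].strip())
    return addresses


def domain_object_report(name: str, addresses: List[str]) -> dict:
    """Describe what a Domain object for `name` would match.

    Only the first address is what the object resolves to; every other
    address is traffic the rule will not match.
    """
    first: Optional[str] = addresses[0] if addresses else None
    return {
        "name": name,
        "resolved_to": first,
        "unmatched": addresses[1:],
        "safe_for_domain_object": len(addresses) == 1,
    }


def check_live(name: str) -> dict:
    """Run nslookup for a real name (needs network and nslookup on PATH)."""
    proc = subprocess.run(["nslookup", name], capture_output=True,
                          text=True, check=False)
    return domain_object_report(name, parse_nslookup(proc.stdout))


if __name__ == "__main__":
    for name, sample in (("intranet.example.test", SAMPLE_SINGLE),
                         ("www.example.test", SAMPLE_MULTI)):
        print(domain_object_report(name, parse_nslookup(sample)))
```

Run it against the embedded samples first; for a real name, call `check_live("www.example.com")` and only create the Domain object when `safe_for_domain_object` is true. Remember that the answer can change between lookups, so a name that is safe today may return several addresses tomorrow.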
SK41632 also explains a little about how Domain objects work and includes the following best-practice rules:
“Rules of thumb:
- Avoid using domain objects if you can.
- Place them as deep in the rulebase as you can, to maximize the chance that a given packet will hit a rule that uses a network object before falling to the domain object.
- Construct rules above the domain object in such a way as to catch as much traffic as you can before falling through to the domain object.”
The most important one is to place domain objects as deep in the rulebase as you can, to reduce the latency caused by reverse name resolution on every packet that falls through to them. Keep in mind that what the object resolves to depends entirely on what DNS returns at the time of the lookup, so a rule built on a Domain object is only as reliable as the resolver the gateway uses.