I know there's still a chance it can change at some point in the future, but Google's response for coding IPs on a firewall is to use the following ranges, so as sites change for maintenance or outages, this should cover all the possibilities for them:

172.31.32.68 72.14.245.21 216.73.92.0/23 216.239.32.0/19 64.233.160.0/19 66.249.80.0/20 72.14.192.0/18 209.85.128.0/17 66.102.0.0/20 74.125.0.0/16 64.18.0.0/20 207.126.144.0/20 173.194.0.0/16

The trade-off is the overhead of looking it up EVERY time it's accessed, and the performance overhead on your firewall, against the chance that they may add or change a CIDR block at some point. They're probably a little more sensitive to the issue of modifying IP ranges now that they're trying to make a name for themselves in the cloud business, as there are a LOT of customers coding ranges like this into their firewalls now for paid services as well as users accessing free ones.

You make the call on the trade-offs of one vs. the other for your site, just an option for you to use if you want it.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of C. L. Martinez
Sent: Wednesday, December 14, 2011 02:27
To: [email protected]
Subject: Re: [FW-1] A question about dynamic objects

Thanks, but no: I am not trying to do URL filtering ... I am trying to allow four servers to access only smtp.gmail.com to send some emails a day ... Nothing more. And yes, this rule is at the end of the ruleset.

On Tue, Dec 13, 2011 at 10:53 PM, Independent IT Consultant <[email protected]> wrote:

> What exactly are you trying to do?
>
> Domain objects work (even with cnames), but are *VERY* resource intensive.
> There is *NO* caching done, so *EVERY* new session will require a new
> lookup. For services like GMAIL, this may become problematic.
>
> This is why CP strongly advocates that any rules involving DNS objects
> be placed at the end of the ruleset.
>
> It sounds to me like you're really trying to do a poor-man's URL
> filtering. If so, quit the games and use URL filtering - either on
> the CP gateway or on an internal server. The updates they made in
> R75.20 take it from barely functional to absolutely kick-arse...
>
> On Tue, Dec 13, 2011 at 4:37 PM, C. L. Martinez <[email protected]> wrote:
>
> > Uhmm ... It doesn't work, because smtp.gmail.com is resolved as a
> > wi-in-f108.1e100.net .... Then, do I need to create another domain object
> > with 1e100.net domain?? If yes, I prefer to use IPs, although
> > some alerts are triggered ...
> >
> > On Tue, Dec 13, 2011 at 9:16 PM, Alexey Baltacov <[email protected]> wrote:
> >
> > > Hi.
> > >
> > > The domain objects are used to resolve hostnames in rules.
> > >
> > > It's also not recommended to use such objects in beginning of
> > > rulebase because it can hardly affect the performance.
> > >
> > > In order to use it you should configure DNS servers on OS level.
> > > Please use nearest DNS's as possible (located in LAN)
> > >
> > > Alexey
> > >
> > > On Dec 13, 2011 9:52 PM, "carlopmart" <[email protected]> wrote:
> > >
> > > > On Tue, 13 Dec 2011, Alexey Baltacov wrote:
> > > >
> > > > You should use domain object instead.
> > > >> Dynamic objects used for edges dynamic policy
> > > >>
> > > >
> > > > Thanks Alexei, but can I use domain objects to resolve hostnames
> > > > under rules??
> > > >
> > > > Thanks.
> > > >
> > > > ---
> > > > CL Martinez
> > > > carlopmart {at} gmail {d0t} com
> > > >
> > > > =================================================
> > > > To set vacation, Out-Of-Office, or away messages, send an email
> > > > to [email protected]
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list, please see the
> > > > instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > =================================================
> > > > If you have any questions on how to change your subscription
> > > > options, email [email protected]
> > > > =================================================
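
The static-range option from the top message can be paired with a scheduled check that compares what smtp.gmail.com currently resolves to against the coded ranges, so a provider-side change shows up as an alert instead of failed mail. This is an added example, not part of the original thread; the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Ranges exactly as posted in the message (two bare hosts, eleven CIDR blocks).
POSTED = """
172.31.32.68 72.14.245.21 216.73.92.0/23 216.239.32.0/19 64.233.160.0/19
66.249.80.0/20 72.14.192.0/18 209.85.128.0/17 66.102.0.0/20 74.125.0.0/16
64.18.0.0/20 207.126.144.0/20 173.194.0.0/16
"""

# Constructed sample of resolver answers; 203.0.113.10 is a documentation
# address standing in for a block the provider added after the list was coded.
SAMPLE = ["74.125.133.108", "173.194.76.109", "203.0.113.10"]


def audit_allowlist(text):
    """Parse the list; return (collapsed public nets, private entries, redundant entries)."""
    nets = [ipaddress.ip_network(tok) for tok in text.split()]  # rejects set host bits
    private = [n for n in nets if n.is_private]   # RFC 1918 etc.: not a provider range
    public = [n for n in nets if not n.is_private]
    redundant = [n for n in public
                 if any(n != m and n.subnet_of(m) for m in public)]
    return list(ipaddress.collapse_addresses(public)), private, redundant


def outside_allowlist(addresses, networks):
    """Addresses no allowed network covers, i.e. sessions the static rule would drop."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in networks)]


def resolve_ipv4(host):
    """Live lookup for a scheduled run; the offline demo below does not call it."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    allowed, private, redundant = audit_allowlist(POSTED)
    print("private entries:", [str(n) for n in private])
    print("already covered:", [str(n) for n in redundant])
    print("not covered:", outside_allowlist(SAMPLE, allowed))
    # Scheduled use: outside_allowlist(resolve_ipv4("smtp.gmail.com"), allowed)
```

Run against the posted list, it reports 172.31.32.68 as an RFC 1918 private address and 72.14.245.21 as already inside 72.14.192.0/18.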
