How to Create Domain Objects in Check Point Firewall
Introduction
In modern networks, many applications and services use dynamic IP addresses that frequently change. To handle this challenge, Check Point Firewall provides Domain Objects, which allow administrators to define firewall rules based on domain names instead of fixed IP addresses.
This article explains what Domain Objects are, how they work, how to create them in SmartConsole, and best practices for using them effectively in a production environment.
What is a Domain Object in Check Point?
A Domain Object in Check Point represents a DNS domain name (for example, example.com) that can be used as a source or destination in security policy rules.
Instead of matching traffic based on static IP addresses, the Security Gateway resolves the domain name using DNS and enforces the policy based on the resolved IP addresses.
Domain Objects are particularly useful for:
- Cloud-based services
- Web applications with changing IPs
- Third-party SaaS platforms
Types of Domain Objects in Check Point
Check Point supports two types of Domain Objects based on how DNS resolution is performed:
1. FQDN Domain Objects (Recommended)
FQDN (Fully Qualified Domain Name) objects use forward DNS lookup. The firewall periodically resolves the domain name to IP addresses and caches the results.
- Uses forward DNS resolution
- Better performance
- Supports SecureXL acceleration
- Recommended by Check Point
2. Non-FQDN Domain Objects (Legacy)
Non-FQDN objects use reverse DNS lookup for traffic matching. The gateway performs DNS lookups for every packet, which can impact performance.
- Uses reverse DNS resolution
- Higher CPU usage
- Not recommended for large environments
How Domain Objects Work
When a Domain Object is used in a firewall rule, the Security Gateway resolves the domain name using the configured DNS servers.
For FQDN objects, the resolved IP addresses are cached for a specific time (TTL), and traffic is matched against these IPs during policy enforcement.
If DNS resolution fails or returns no IPs, traffic matching the domain object will not be allowed.
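The following Python model is an added illustration of the matching behaviour described above; it is not Check Point code, and the DNS tables, TTL value and sample packets in it are constructed stand-ins for the gateway's configured DNS servers and live traffic. It shows an FQDN object resolving forward, caching the answer for the TTL and failing closed when resolution breaks, beside a non-FQDN object doing a reverse lookup on every packet.

```python
"""Model of how a Check Point Domain Object matches traffic (added illustration)."""
import time
from typing import Callable, Optional, Set

# Constructed DNS records standing in for the gateway's configured DNS servers.
FORWARD_A = {
    "api.example.com": {"203.0.113.10", "203.0.113.11"},
}
REVERSE_PTR = {
    "203.0.113.10": "api.example.com",
    "203.0.113.11": "api.example.com",
    "198.51.100.5": "cdn.example.net",
}


def forward_lookup(name: str) -> Set[str]:
    """A-record lookup against the constructed table; empty set if unresolvable."""
    return set(FORWARD_A.get(name, set()))


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table; None if there is no record."""
    return REVERSE_PTR.get(ip)


class FqdnDomainObject:
    """FQDN mode: forward-resolve the name, cache the IPs for `ttl` seconds,
    and match packets against the cached set. A lookup that fails or returns
    nothing leaves the set empty, so no traffic matches (fail closed)."""

    def __init__(self, name: str, resolver: Callable[[str], Set[str]], ttl: float = 300.0):
        self.name = name.lstrip(".")
        self.resolver = resolver
        self.ttl = ttl
        self._ips: Set[str] = set()
        self._expires_at = float("-inf")  # forces a lookup on first use

    def resolved_ips(self, now: Optional[float] = None) -> Set[str]:
        """Return the cached IPs, re-resolving once the TTL has expired."""
        now = time.monotonic() if now is None else now
        if now >= self._expires_at:
            try:
                self._ips = set(self.resolver(self.name))
            except Exception:
                self._ips = set()  # resolver error: nothing matches until the next refresh
            self._expires_at = now + self.ttl
        return self._ips

    def matches(self, ip: str, now: Optional[float] = None) -> bool:
        return ip in self.resolved_ips(now)


class NonFqdnDomainObject:
    """Non-FQDN (legacy) mode: reverse-resolve every packet's address and
    compare the returned host name with the domain suffix. The `lookups`
    counter makes the per-packet DNS cost visible."""

    def __init__(self, suffix: str, reverse_resolver: Callable[[str], Optional[str]]):
        self.suffix = suffix if suffix.startswith(".") else "." + suffix
        self.reverse_resolver = reverse_resolver
        self.lookups = 0

    def matches(self, ip: str) -> bool:
        self.lookups += 1
        host = self.reverse_resolver(ip)
        if host is None:
            return False
        return host == self.suffix[1:] or host.endswith(self.suffix)


def failing_resolver(name: str) -> Set[str]:
    """Stand-in for an unreachable DNS server."""
    raise RuntimeError("DNS server unreachable")


def demo() -> dict:
    """Walk both object types over constructed packets; returns the decisions."""
    packets = ["203.0.113.10", "198.51.100.5", "192.0.2.1"]
    fqdn = FqdnDomainObject("api.example.com", forward_lookup, ttl=300)
    legacy = NonFqdnDomainObject(".example.com", reverse_lookup)
    results = {
        "fqdn": {ip: fqdn.matches(ip, now=0) for ip in packets},
        "non_fqdn": {ip: legacy.matches(ip) for ip in packets},
        "non_fqdn_lookups": legacy.lookups,
    }
    # DNS goes down: the cached answer keeps matching until the TTL expires, then nothing matches.
    fqdn.resolver = failing_resolver
    results["fqdn_cached_during_outage"] = fqdn.matches("203.0.113.10", now=100)
    results["fqdn_after_ttl_during_outage"] = fqdn.matches("203.0.113.10", now=400)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The outage branch in demo() is the behaviour worth checking in a real deployment: an FQDN object keeps enforcing on cached addresses only until its TTL runs out, after which a DNS failure silently turns an allow rule into a drop, which is why the best practices below stress reliable DNS servers and monitoring of resolution.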
Steps to Create a Domain Object in SmartConsole
- Open SmartConsole
- Go to Objects → New → More → Domain
- Enter the domain name (example: .example.com)
- Enable the FQDN option (recommended)
- Add comments for documentation
- Click OK to save the object
- Use the Domain Object in the Source or Destination field of your policy
Best Practices for Using Domain Objects
- Always use FQDN Domain Objects when possible
- Ensure reliable DNS servers are configured on the gateway
- Avoid excessive use of Non-FQDN objects
- Document domain objects with clear comments
- Monitor DNS resolution and gateway performance
Limitations of Domain Objects
While Domain Objects are powerful, they have some limitations:
- No traditional wildcard support (*)
- Dependent on DNS availability
- May not work reliably with CDN-based services
- Non-FQDN objects can impact performance
Conclusion
Domain Objects in Check Point Firewall provide a flexible way to control traffic based on domain names instead of static IP addresses. When implemented correctly using FQDN mode, they offer better scalability, improved security, and easier policy management.
By following best practices and understanding their limitations, Domain Objects can be a valuable tool in any modern Check Point deployment.