Unfortunately this is not what i was looking for. Maybe i described it wrongly but i am not interested in services/ports/protocols but "destination objects".
For example in your lab let say that router r2 has a dns name r2.test.com and webservice enabled.. i would like to have posibility to create a rule to allow http only to domain *.test.com... so for instance from r3 i should able to http to this r2 even though his ip could change but name would remian same.. so r1 should make a dns query from time to time to keep it in dns cache and dynamicly put in firewall rule
example of domain object in checkpoint security gateway :
Domains
A Domain object lets you define a host or DNS domain by its name only. It is not necessary to have the IP address of the site.
You can use the Domain object in the source and destination columns of an Access Control Policy.
You can configure a Domain object in two ways:
-Select FQDN
In the object name, use the Fully Qualified Domain Name (FQDN). Use the format .x.y.z (with a dot "." before the FQDN). For example, if you use .www.example.com then the Gateway matches www.example.com
This option is supported for R80.10 and higher, and is the default. It is more accurate and faster than the non-FQDN option.
Security Gateway looks up the FQDN with a direct DNS query, and uses the result in the Rule Base
-Clear FQDN
This option enforces the domain and its sub-domains. In the object name, use the format .x.y for the name. For example, use .example.com or .example.co.uk for the name. If you use .example.com, then the Gateway matches www.example.com and support.example.com
The Gateway does the name resolution using DNS reverse lookups, which can be inaccurate. The Gateway uses the result in the Rule Base, and caches the result to use again.
