topic Re: rdp slow access between vlans in Firewall and Security Management

rdp slow access between vlans

lior_me1 — Wed, 06 Mar 2019 14:55:28 GMT

problem with rdp access

hangs on this window for a minute or two and then connects

any ideas what to look for?

happens from every computer on a given vlan to another vlan on the checkpoint gaia appliance

Re: rdp slow access between vlans

PhoneBoy — Sat, 09 Mar 2019 17:43:47 GMT

What do you see on a tcpdump between the relevant hosts?

Anything in the logs that might suggest what's going on?

This sounds like a DNS issue of some sort that is unrelated to the firewall.

Re: rdp slow access between vlans

HeikoAnkenbrand — Sun, 10 Mar 2019 09:36:07 GMT

This Sounds like a

DNS issue or

RDP encryption issue or

RDP authentication (ntlm vs. kerberos) issue.

Anything in in the Windows event logs?

Re: rdp slow access between vlans

HeikoAnkenbrand — Sun, 10 Mar 2019 09:39:07 GMT

Or old RDP client and new Windows 2012/2016/2019 Server.

Re: rdp slow access between vlans

HeikoAnkenbrand — Sun, 10 Mar 2019 09:41:49 GMT

Microsoft Troubleshooting RDP Client connection problems:

https://support.microsoft.com/en-us/help/186645/troubleshooting-rdp-client-connection-problems

Re: rdp slow access between vlans

lior_me1 — Sun, 10 Mar 2019 10:57:30 GMT

i've narrowed down the issue :

when you try to connect using mstsc, the application tries to contact microsoft's servers. the hang is caused by the firewall trying to process it (i think)

Re: rdp slow access between vlans

PhoneBoy — Sun, 10 Mar 2019 11:34:26 GMT

It looks like it is hitting a UserCheck rule of some sort (e.g. the redirect log entries).

You might want to explicitly allow that traffic or create a REJECT (as opposed to drop) rule for it.

Re: rdp slow access between vlans

lior_me1 — Sun, 10 Mar 2019 11:44:59 GMT

thank you

1. the problem is that this ip is a part of a very large pool. cp recognizes it as windows update in the application layer.

2. why reject vs drop? what's the advantage ?

Re: rdp slow access between vlans

PhoneBoy — Sun, 10 Mar 2019 15:44:51 GMT

With a drop, the application will receive no response and may wait for the attempted TCP connection to timeout.

With a reject, the firewall sends a TCP Reset, which will hopefully cause the application to quit trying to reconnect.

Re: rdp slow access between vlans

lior_me1 — Sun, 10 Mar 2019 15:48:12 GMT

so, in general (very interesting information), in what cases should i use drop and what cases should i use reject?

Re: rdp slow access between vlans

PhoneBoy — Sun, 10 Mar 2019 16:48:58 GMT

In the vast majority of cases, I would use Drop.

Reject is useful in situations similar to what you describe.

Re: rdp slow access between vlans

lior_me1 — Mon, 11 Mar 2019 11:39:50 GMT

thank you

for the moment, i've created a policy letting me access windows update at the application level, and it looks fine. i'll keep track of it

Re: rdp slow access between vlans

lior_me1 — Sun, 17 Mar 2019 14:38:52 GMT

the problem seems to be persistent. every few days, some new address pops up

i've came across addresses like : map2.hwcdn.net, and like 3.a.download.windowsupdate.com and so on and so forth

how can i make the proper exclution for all those url's in a wildcard form? i don't mind handling each domain, but dealing with each ip is crazy

thank you