topic Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup in Firewall and Security Management

FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup Rul

Vikaspathak022 — Wed, 23 Nov 2022 12:00:11 GMT

Hi Team,

We are using Gateway on the AWS, Version is R80.40 and we are facing a Strange issue that, the rules which are created on the Basis of FQDN's are not getting Matched on the firewall, traffic is getting drop by Clean up rule. We did following.

1. Failover.

2. Reboot both the firewalls.

3. DNS Cache increment of the Firewall.

Need expert Guidance on this to proceed further.

To mitigate this Situation we are creating IP Based rule and it works fine.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

_Val_ — Wed, 23 Nov 2022 13:43:10 GMT

Before anything else, check if your FW can resolve those FQDN objects into IPs by names

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

the_rock — Wed, 23 Nov 2022 13:47:02 GMT

@_Val_ brings up very logical point indeed, If what he says fails, then it would make sense why you have this issue.

Can you run below and see what you get? Below is an example from my lab. This is brand new R81.20 lab, but output would look pretty much the same on any version.

[Expert@quantum_gateway:0]# curl_cli -k google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
[Expert@quantum_gateway:0]#

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Vikaspathak022 — Wed, 23 Nov 2022 14:14:11 GMT

Well Yes its happening from the firewall, Firewall can resolve the domain names, infect, its working in the rules also, but some times we can see drops on the firewall on the cleanup rule and sometimes we can its getting allowed on the rule created for the traffic.

curl_cli -k google.com: What is impact of this, our environment is bit critical and unstable to do such tests, normal nslookup i did and it worked.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

_Val_ — Wed, 23 Nov 2022 15:04:34 GMT

It sounds like you have some performance issues, is this correct? What is the average CPU utilization on the GW?

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Bob_Zimmerman — Wed, 23 Nov 2022 15:19:12 GMT

Are clients using the same DNS resolution path as the firewalls? My bet is they're not, and the clients are getting different IPs back from DNS.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Vikaspathak022 — Wed, 23 Nov 2022 15:50:17 GMT

Avg Utilization of the Firewalls are ~ 30 to 35% and clients are also have the same DNS and they are working fine. This issue with the Firewalls also is intermittent.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Vikaspathak022 — Wed, 23 Nov 2022 16:28:52 GMT

CPU is between 30 to 35%, Hosts are also having the Same DNS configured but they are not facing any issue.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

PhoneBoy — Wed, 23 Nov 2022 18:57:07 GMT

I'd try applying the current recommended JHF for R80.40.
If you're still having issues, a TAC case is probably warranted.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Mike_Jensen — Thu, 24 Nov 2022 01:20:37 GMT

Are the hosts behind the gateways using the same DNS server(s) as the gateways?

I had a scenario once where the DNS servers were not the same and with load balanced public servers different DNS servers would return different results for the same FQDN.

once I configured my gateways to use the same DNS servers as the hosts behind them the FQDN’s resolved to the same IP and the intended rule was matched every time.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Vikaspathak022 — Thu, 24 Nov 2022 08:27:00 GMT

@Mike_Jensen Well, How this can be possible in the Global Infra, as these gateways are in the AWS DC, and users globally are coming to the Central DC, we can not have a central DNS for all the global Users, and the user who are having the Similar DNS as gateway also face this issue.

@PhoneBoy can you please share any link or SK for the JHF.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

PhoneBoy — Thu, 24 Nov 2022 15:31:07 GMT

https://sc1.checkpoint.com/documents/Jumbo_HFA/R80.40/R80.40/R80.40_Downloads.htm

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

Vikaspathak022 — Tue, 29 Nov 2022 08:56:27 GMT

Thanks @PhoneBoy for the suggestion, we have performed the same thing on our firewalls, moved firewall from Take 119 JHF to 180 JHF, but problem still persists, looking for more guidance.

Re: FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup

PhoneBoy — Tue, 29 Nov 2022 14:22:50 GMT

Recommend engaging with the TAC to troubleshoot.