topic Re: domain objects not always working in Firewall and Security Management

domain objects not always working

Ryan_Ryan — Mon, 25 Sep 2023 00:34:29 GMT

Hi guys,

we have a policy with about 400 FQDN's in it (all FQDN, non are wildcard) R80.40 gateway, R81.10 Manager

Strangely sometimes they do match, using domain tools -d and -ip i can confirm both the source and dest rule are matchings the IP addresses I am seeing in the logs but the traffic is still dropped on the cleanup rule. I would say we have about 90% success rate and 10% failure, rate, often its within the same rule that some traffic will match and some will not (can't find any pattern)

I am wondering if there is some sort of cache limit we might be hitting?

fw tab -t dns_reverse_unmatched_cache -u -f
Using cptfmt
Formatting table's data - this might take a while...

-------- dns_reverse_unmatched_cache --------
htab_bl, id 7, size 28672, attributes: expire, no links, #vals 0 #slinks 0

fw ctl multik print_bl dns_reverse_cache_tbl
-------- dns_reverse_cache_tbl --------
htab_bl, id 8, size 28672, attributes: expire, no links, #vals 417 #slinks 0

Re: domain objects not always working

the_rock — Mon, 25 Sep 2023 02:11:55 GMT

Had customer with similar issue last year and TAC suggested cloudguard stop and cloudguard start commands on mgmt server and that fixed it. I cant quite connect the dots as to how logically that worked, but it did.

Andy

Re: domain objects not always working

Ryan_Ryan — Mon, 25 Sep 2023 04:31:32 GMT

thanks was worth a shot, but still doesn't work.

I did find sk145952 (although resolved) talks about some limitations when domains resolve to the same Ip, we definitely have that, and some IP resolving to multiple domains, but all our rules are allow so I don't think this is relevant.

Re: domain objects not always working

the_rock — Mon, 25 Sep 2023 11:44:36 GMT

Ok, understood. Yea, if you are on R80.40, I doubt that sk applies.

Andy