topic Re: Traffic dropped with message information: "Rulebase Internal Error" in Firewall and Security Management

Traffic dropped with message information: "Rulebase Internal Error"

Michael_Horne — Fri, 18 Oct 2019 11:26:22 GMT

Hello,

We have are having some traffic that is being dropped with the message information: "Rulebase Internal Error"

As of yet I have not found any information related to what this message and how it can be remedied.

Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped.

Has anyone have any information that might help in resolving this or might aid the invesitgation?

Many thanks,

Michael

Re: Traffic dropped with message information: "Rulebase Internal Error"

PhoneBoy — Fri, 18 Oct 2019 12:41:31 GMT

I suspect a TAC case is in order here.
What does fw ctl zdebug drop | grep x.y.z.w show? (Where x.y.z.w is the IP in question)

Re: Traffic dropped with message information: "Rulebase Internal Error"

Ilmo_Anttonen — Wed, 04 Dec 2019 12:46:40 GMT

I'll pick this up where you left off, since I've observed the same issue. Here's the output of my zdebug:

@;293891;[cpu_1];[fw4_2];[<internal-IP>:34476 -> 194.29.39.27:443] [ERROR]: up_rulebase_should_drop_possible_on_SYN: conn dir 0, <internal-IP>:34476 -> 194.29.39.27:443, IPP 6 required_4_match = 0x4003002, not expected required_4_match = 0x3000;
@;293891;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 <internal-IP>:34476 -> 194.29.39.27:443 dropped by fw_send_log_drop Reason: Rulebase drop - NO MATCH;

This is my mgmt server and that destination is productservices.checkpoint.com. It cannot pull updates from that IP-address. The mgmt server has two interfaces. One in a mgmt network and the other in a server network. The mgmt network interface is the one on the SmartConsole object. Both interfaces are directly connected to the FW appliance.

The rulebase allows both interfaces to communicate with checkpoint services.
I want the mgmt server to fetch updates and communicate with checkpoint on the interface in the server network, but it desires to do so over the mgmt interface. On the mgmt serer, I then added a default route with lower prio for the server network interface. That's when it stopped receiving updates because of this "rulebase internal error" drop.

Removing the the route fixes everything, but then I have the original problem again. Does the gateway mess up routing somehow or why is this happening?

I don't know if maybe OP has a similar problem; a host with multiple interfaces.

The environment I'm running here is R80.30 with jhf take 111 on both mgmt and appliance. It's been the same throughout all R80.30 iterations at least.

Re: Traffic dropped with message information: "Rulebase Internal Error"

PhoneBoy — Thu, 05 Dec 2019 00:09:14 GMT

This is definitely TAC case territory as I'm not aware that we should be forcing traffic through a specific interface.

Re: Traffic dropped with message information: "Rulebase Internal Error"

Ilmo_Anttonen — Thu, 05 Dec 2019 07:25:02 GMT

Thanks for the input. I'll submit a case once they solve the current case I have with them 😔

Re: Traffic dropped with message information: "Rulebase Internal Error"

Alex_Shpilman — Tue, 04 Feb 2020 05:36:55 GMT

Hi @Ilmo_Anttonen

Did you ever get this resolved?

I am having the same issue with R80.30 HFA 111 but only when adding a new rule with an access-role.

Got a TAC case opened with no progress so far.

Regards

Re: Traffic dropped with message information: "Rulebase Internal Error"

Ilmo_Anttonen — Thu, 06 Feb 2020 17:31:39 GMT

Unfortunately I have not yet solved the previous issue with the support so I have not proceeded with this yet. I solved it by just reverting to as it was before. Meaning the traffic to Internet is exiting the wrong way. But thanks for reminidng me, I hade forgotten about this because of the long wait 🙂

Re: Traffic dropped with message information: "Rulebase Internal Error"

Rabindra_Khadka — Tue, 01 Dec 2020 15:07:22 GMT

Dear @Michael_Horne

How did you resolve this issue? can you please share the solution?

@PhoneBoy I am also facing the same issue, have you got any idea regarding the solution to this issue?

Please share with us if you have any.

Thank You,

Re: Traffic dropped with message information: "Rulebase Internal Error"

PhoneBoy — Tue, 01 Dec 2020 16:54:28 GMT

Open a TAC case, as suggested previously.

Re: Traffic dropped with message information: "Rulebase Internal Error"

Alexander_Wilke — Thu, 20 Feb 2025 08:04:26 GMT

Hello,

I know this is an old issue. However it is still present in R81.10 Jumbo HFA Take 150 in february 2025.
We had this issue in the past and TAC could not find the root cause.

we had it on a 64k and "asg_policy verify -v" should correct policy - however an immediate additional policy Install after the error occured only on 1 of 5 SGMs the issue was solved. And it started immediately after the first Policy Install.

So I suspect a Policy Install mechanism error and to solve it another Policy Install helps.
However this leads to business impact and tells me that this issue is not solved since 2019 undtil 2025.