topic Re: Legitimate traffic being blocked - R80.20 in Firewall and Security Management

Legitimate traffic being blocked - R80.20

Rafael_Lima1 — Wed, 27 Feb 2019 00:03:07 GMT

After migration to R80.20 we are having a legitimate traffic being blocked, filtering via "fw ctl zdebug drop", we receive the following log:

@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

We opened a SR and passed us the SK33328, which was done but did not work, we still have connection problems sometimes.

The traffic is from an apache server to an nginx, TCP / 443

Anyone else went through this and could help?

Re: Legitimate traffic being blocked - R80.20

G_W_Albrecht — Wed, 27 Feb 2019 10:46:24 GMT

sk109777 give the sk33328 - How to clear $FWDIR/state/ directory to resolve policy corruption issues as the solution. If this has only resolved parts of your issue, the reason could not be file corruption only ! In sk97876, there is a known issue with CP versions < R77.20 - but that is unsuppported by now. What version do you use ?

Re: Legitimate traffic being blocked - R80.20

Rafael_Lima1 — Wed, 27 Feb 2019 11:20:32 GMT

Hi,

Running sk33328 has not changed anything in behavior, it is occurring in the same way.

Environment:
Check Point's software version R80.20 - Build 255
kernel: R80.20 - Build 014
JHF Take: 17
OpenServer R730

Re: Legitimate traffic being blocked - R80.20

G_W_Albrecht — Wed, 27 Feb 2019 11:57:29 GMT

Then i would involve TAC even more ! JHF Take: 17 is the GA from 8.1.19 - current GA is 33, Ongoing Take 47, so that installing a newer Jumbo would be the first suggestion !

What do you mean by OpenServer R730 ? R77.30 GWs Jumbo Take ... ?

Re: Legitimate traffic being blocked - R80.20

Rafael_Lima1 — Wed, 27 Feb 2019 12:18:15 GMT

We already have SR open, but have a few days without an answer.  No, it's the server model, Dell PowerEdge R730.

Re: Legitimate traffic being blocked - R80.20

Rafael_Lima1 — Wed, 06 Mar 2019 21:36:37 GMT

We installed JHF 33, but the problem still continues.

Re: Legitimate traffic being blocked - R80.20

Cesar_Almada — Mon, 20 May 2019 17:20:20 GMT

i have the jumbo hotfix accumulator take 47
but the problem persist

Re: Legitimate traffic being blocked - R80.20

Timothy_Hall — Mon, 20 May 2019 22:36:36 GMT

Part of your error message is F2P which is "Forward to PSL" in R80.20, which I think is SecureXL dumping the inspection for that connection up to a worker core and it can't. Either this is some kind of bug with handling the connection, or it could be similar to an "instance is fully utilized" situation encountered in R80.10 and earlier like this: sk61143: Traffic is dropped by CoreXL with "fwmultik_inbound_packet_from_dispatcher Reason: Instance is currently fully utilized"

What is your CoreXL split (fw ctl affinity -l -r) and do these drops tend to occur when one or more of your Firewall worker/instances are at 100% CPU? You might need more of them if so...

Re: Legitimate traffic being blocked - R80.20

tpoole_global — Mon, 20 May 2019 23:22:27 GMT

pls open a TAC case to verify

Re: Legitimate traffic being blocked - R80.20

Chris_Wilson — Wed, 03 Jul 2019 21:23:44 GMT

So, what was the resolution here?

Re: Legitimate traffic being blocked - R80.20

ThomasH — Wed, 10 Jul 2019 11:49:47 GMT

Hi,

we had the same issue. Solution was to downgrade the gateway (appliance) back to R80.10.

Re: Legitimate traffic being blocked - R80.20

Rene_Rosenkrant — Fri, 09 Aug 2019 09:34:23 GMT

I see drops of return trafic similar to this on Jumbo 87. I will open a case now.

Re: Legitimate traffic being blocked - R80.20

Muazzam — Tue, 13 Aug 2019 18:13:25 GMT

I have the same issue, R80.20 T47 - Hardware 13800.

I am assuming this starts after the upgrade R77.30 >> R80.20, because a similar (function) firewall with R77.30 does not have this issue but the R77.30 firewall has a very low load, so not 100% sure.

Overall none of the SND / worker CPU's are not showing spikes - firewall is not overloaded.

We were recommended SK150933 - increase value of psl_max_future_segments from 8 to 16G. I want to make sure about this issue before jumping to the solution.

Re: Legitimate traffic being blocked - R80.20

Muazzam — Tue, 13 Aug 2019 18:53:55 GMT

Can you share any other update?

Did you look at sk150933?

Thank You

Re: Legitimate traffic being blocked - R80.20

Chris_Wilson — Tue, 13 Aug 2019 19:04:22 GMT

I opened a case. Running R80.20 we went to Take 87, and then TAC gave us a hotfix - fw1_wrapper_HOTFIX_R80_20_JHF_T87_183_MAIN_GA_FULL.tgz for the fwpslglue_chain Reason: PSL Reject: internal - reject enabled; errors.

Re: Legitimate traffic being blocked - R80.20

Michael_Horne — Wed, 14 Aug 2019 13:11:18 GMT

Hello,

Does anyone know if this hotfix "fw1_wrapper_HOTFIX_R80_20_JHF_T87_183_MAIN_GA_FULL.tgz" will be integrated into next released Jumbo hotfix, as I also have this issues with "fwpslglue_chain Reason: PSL Reject: internal - reject enabled" for FTP traffic on R80.20.

Many thanks,

Michael

Re: Legitimate traffic being blocked - R80.20

Radu_Dr — Tue, 20 Aug 2019 10:35:10 GMT

IPS-Exceptions "solved" the issue... Increasing the psl_max_future_segments had no positive effect to the droped traffic.

Re: Legitimate traffic being blocked - R80.20

AntonMakarychev — Mon, 07 Oct 2019 13:25:59 GMT

Hello,

We have the same problem. R80.20 gateways with take 91. If we disable Anti-Virus blade - everything works.

Exceptions don't work.

Re: Legitimate traffic being blocked - R80.20

bign — Thu, 07 Nov 2019 13:31:23 GMT

Same problem with fwpslglue and fwmultik_process dropping packets, only our error is due to "internal streaming."

Occurred after R80.20 upgrade, Take 101.

We tried increasing PSL buffer and this only solved the problem for a few days. No antivirus blade is in use. No IPS detects on this "internal streaming" activity are being logged, so I don't see what exception can be added.

We are going to try disabling CoreXL today.

Re: Legitimate traffic being blocked - R80.20

Khalid_Aftas — Sat, 02 May 2020 16:31:06 GMT

Did you fix the issue with that hotfix ?

We have the same error with r80.30 latest GA.