topic Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER; in General Topics

Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

Paul_Mainhardt1 — Tue, 04 Dec 2018 22:00:20 GMT

Hi,

fw ctl zdebug drop is showing this:

fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;

I have no idea what HTTP_DISPATCHER is, just that its being dropped by the Passive Streaming Layer.

Any ideas on what is causing these drops?

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

PhoneBoy — Tue, 04 Dec 2018 23:16:08 GMT

Lots of things use PSL: App Control, IPS, Anti-Bot, and Anti-Malware among them.

The actual error messages might be helpful, but I suspect a TAC case might be in order.

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

HeikoAnkenbrand — Wed, 05 Dec 2018 06:15:12 GMT

Hi Paul,

I think there is an TCP service protocol type problem after updating to R80.10/R80.20. I already had problems with supported protocol types after the update.

Symptoms

Database contains services with an unsupported protocol type. For a list of supported protocols, please refer to sk103595" error during upgrade to R80 / R80.10 / R80.20.

The following protocol types are supported in services in R80 / R80.10 / R80.20 versions:

...

HTTP
HTTP_DISPATCHER
HTTP_WEBSEC

...

Solution

- Disable the HTTP_DISPATCHER protocol type. However, this has an impact on the http security of the TCP service and IPS.

- Then I would open a TAC case as described from Dameon.

Look at this SK:

"Database contains services with an unsupported protocol type. For a list of supported protocols, please refer to sk1035…

What is PSL?

PSL is an infrastructure layer, which provides stream reassembly for TCP connections.
   - The gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL.
    - This layer handles packet reordering, congestion handling and is responsible for various security aspects of the TCP layer such as handling payload overlaps, some DoS attacks and others.
    - The PSL layer is capable of receiving packets from the firewall chain and from SecureXL module.
   - The PSL layer serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks
   - The PSL infrastructure is wrapped with well defined APIs called the Unified Streaming APIs which are used by the applications to register and access streamed data

You can find more informations to PSL in my articles:

R80.x Security Gateway Architecture (Content Inspection)

R80.x Security Gateway Architecture (Logical Packet Flow)

Regards

Heiko

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

PhoneBoy — Wed, 05 Dec 2018 17:35:55 GMT

I had considered this possibility (FYI) but I think HTTP_DISPATCHER is used in a few other contexts independent of a service definition.

Again, the actual messages from zdebug might provide some additional insight.

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

Paul_Mainhardt1 — Fri, 07 Dec 2018 02:50:41 GMT

These are the actual error logs (replaced src and dst ip address with XXXX and YYYY):

;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

PhoneBoy — Fri, 07 Dec 2018 04:45:46 GMT

Please send a screenshot of your TCP service for port 8081.

Should look something like this:

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

Paul_Mainhardt1 — Fri, 07 Dec 2018 05:05:22 GMT

I am also getting the exact same error for HTTPS traffic as well.

;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 X.X.X.X:49297 -> Y.Y.Y.Y:443 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;

I have also tried increasing the PSL buffer as per SK102455

# fw ctl get int psl_max_stream_segments
psl_max_stream_segments = 32772
# fw ctl get int psl_max_strip_window
psl_max_strip_window = 16780216

Screenshots Below:

Re: Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

PhoneBoy — Fri, 07 Dec 2018 05:18:08 GMT

Then it's probably an IPS or App Control signature that's triggering.

You can try updating to the latest IPS and App Control signatures and see if the issue goes away.

Otherwise, you should probably open a TAC case.