High Rate of DNS failures with SMTP Gateway

We have Proofpoint for SMTP protection services. Ever since implementing Checkpoint we've seen this error message from Proofpoint:

Reputation Query DNS Error
PPS is encountering a high rate of failures when querying DNS to discover the Proofpoint reputation servers
[2017-09-25 11:12:04.221209 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"

Proofpoint can and does query DNS records for all sorts of malicious domains and websites and I do see some messages in the logs about Checkpoint detecting, but allowing malicious DNS requests. 

"Connection was allowed because background classification mode was set. See sk74120 for more information."
But I also see a smattering of 'First packet isn't SYN' drops from Proofpoint to our DNS Server. This out of state stuff to me was always an indication of an upstream drop. 

Anyway, I don't know what to make of it, but I can't seem to find a way to exclude Proofpoint from DNS Reputation checks, only individual Protection Names, i.e. Phishing ddjngz. I kind of need Proofpoint to do its job without Checkpoint interference. We never had this issue on previous Juniper firewalls.

Any assistance is appreciated. Thanks,
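As an added example (not code from this thread, nor from Proofpoint or Check Point): a small Python parser for the PPS filter log line format quoted above, which buckets PRS resolver DNS failures into fixed time windows so a recurrence of the "high rate of failures" condition can be alerted on once the firewall exception is in place. The sample log lines are constructed for the example, and the 5-minute window and threshold of 10 are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the PPS filter log format quoted in the question.
SAMPLE_LOG = [
    f'[2017-09-25 11:12:{s:02d}.221209 -0400] err src=filter eid=eid.filter.prs.locate '
    f'mod=dns resolver=prs err="Connection timed out"'
    for s in range(0, 55, 5)          # 11 PRS lookup failures inside one 5-minute window
] + [
    '[2017-09-25 11:12:30.000000 -0400] info src=filter eid=eid.filter.mail mod=smtp msg="ok"',
    '[2017-09-25 11:30:01.000000 -0400] err src=filter eid=eid.filter.prs.locate '
    'mod=dns resolver=prs err="Connection refused"',   # a lone failure later; below threshold
]

LINE_RE = re.compile(r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<tz>[+-]\d{4})\] '
                     r'(?P<level>\w+) (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"

def parse_line(line):
    """Parse one PPS log line into (timestamp, level, fields); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']}{m['tz']}", '%Y-%m-%d %H:%M:%S%z')
    fields = {k: (q if q else v) for k, q, v in KV_RE.findall(m['kv'])}
    return ts, m['level'], fields

def prs_dns_failures(lines, window_seconds=300, threshold=10):
    """Bucket 'mod=dns resolver=prs' errors into fixed windows and return the windows whose
    failure count exceeds threshold, oldest first, each with a breakdown of error strings."""
    buckets = defaultdict(Counter)
    tz = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, level, f = rec
        if level == 'err' and f.get('mod') == 'dns' and f.get('resolver') == 'prs':
            tz = ts.tzinfo
            buckets[int(ts.timestamp()) // window_seconds][f.get('err', '?')] += 1
    alerts = []
    for b in sorted(buckets):
        total = sum(buckets[b].values())
        if total > threshold:
            alerts.append({'start': datetime.fromtimestamp(b * window_seconds, tz),
                           'count': total, 'errors': dict(buckets[b])})
    return alerts

if __name__ == '__main__':
    for a in prs_dns_failures(SAMPLE_LOG):
        print(f"{a['start']:%Y-%m-%d %H:%M %z}: {a['count']} PRS DNS failures {a['errors']}")
```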

Accepted Solution
Admin

Re: High Rate of DNS failures with SMTP Gateway

Have you tried adding an Exception for the Proofpoint servers in your Threat Prevention policy?

Something like:

Re: High Rate of DNS failures with SMTP Gateway

Thank you. I didn't get how to write exceptions for this, but your screenshot led me to the correct solution. I created an exception rule, From my Proofpoints, To my DNS servers, service DNS, permit. They have to process all kinds of nasty queries. Many thanks.

Justin

Admin

Re: High Rate of DNS failures with SMTP Gateway

I'm guessing you probably did something like this then (in Exceptions versus Policy, as I showed above):

If you used "Inactive", I recommend using "Detect" instead.

It will give you additional visibility into what the Proofpoints are seeing (or possibly not seeing).

Re: High Rate of DNS failures with SMTP Gateway

That is exactly how I did it, except, as you suspected, I did the Inactive. I guess I see it as less overhead just to ignore it. Proofpoint is constantly resolving bad hostnames on purpose to check for their reputation. I don't know if I care to see it or have it fill up my logs.

Re: High Rate of DNS failures with SMTP Gateway

Hi,

We have the same issue. The Antivirus blade is allowing a malicious DNS request with protection type "DNS reputation" and protection family "Phishing". The message is "Connection was allowed because background classification mode was set".

The blade engine setting is already in "Hold" mode, and the DNS trap setting is enabled.

So I just want to confirm whether I should concentrate on these logs or just ignore them.
