This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2020-06-04 03:04 AM

DNS Reverse traffic is getting dropped

Hi,

This is checkpoint clusterXL in load sharing mode and its still on R77.30. We have our NS servers configured behind firewall, however recently we started observing lot of SERVFAIL messages on DNS server and hence started troubleshooting. Eventually when we done fw ctl zdebug drop we found that server when sending Recusrsive queries to Root Hint server the response is getting dropped on Stealth rule.

Surprisingly why it would drop response from Root Hint servers. Now there are not blades running on firewall but only fw. No IPS/AMW nothing.

Here are the logs - and a.b.c.d is my Natted Public IP of my DNS server. Rule #47 is a stealth rule

4Jun2020 15:07:44.407985;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=17 103.204.163.83:48073 -> a.b.c.d:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 47;
4Jun2020 15:07:44.423727;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=17 103.204.163.80:47955 -> a.b.c.d:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 47;
4Jun2020 15:07:44.426534;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 103.204.163.66:45982 -> a.b.c.d:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 47;
4Jun2020 15:07:44.450732;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 103.204.163.65:42568 -> a.b.c.d:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 47;

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
4 Replies
PhoneBoy
Admin
Admin
‎2020-06-07 08:05 PM

I'd try: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Note that even with IPS inactive, some of the protections under IPS are actually firewall protections.
Blason_R
Leader
Leader
‎2020-06-09 10:42 AM
In response to PhoneBoy

Any way we figured that out and that is due to ClusterXL load sharing and wrong switch configuration.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
kb1
Collaborator
‎2020-06-09 03:31 PM
In response to Blason_R

Hi so you are saying it was a wrongly configured switch that was causing the drops?
Blason_R
Leader
Leader
‎2020-06-09 08:56 PM
In response to kb1

Yes this is what there network team told me. Sicne I do not have access to those switches if pretty tough to say what changes they made 😞

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events