This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-16 02:03 AM
Jump to solution

Domain objects in R80.10 spamming DNS

Just wondering if anyone else has noticed if you are using domain objects (new type)

I noticed high amount of Block / Alert logs on the gateway complaining it was not able to resolve DNS even though DNS is responding OK. 

When I run tcpdump I noticed that firewall sends DNS requests for each domain object in big batches (multiple requests for the same name within 100ms). So there are hundreds of DNS requests spat out every 30 secs for 20 domain objects so I'm not surprised if some are not answered.

I have not raised SR yet - just wondering if it's "known" issue? We are on take 121.

There is one SK that matches symptoms but that should have been fixed in take 42

"Firewall - Domain resolving error. Check DNS configuration on the gateway." log for blocked HTTP tr... 

1 Solution

Accepted Solutions
Meital_Natanson
Employee
Employee
‎2018-08-30 06:07 AM
Jump to solution

Hi,

This is a known issue, solved in R80.10 JHF T142.

It will happen when using large amount of domain objects in policy.

Please contact support (& CFG) if you need the fix on top of earlier JHF take.

Thanks,

Meital

View solution in original post

9 Replies
_Val_
Admin
Admin
‎2018-08-16 02:40 AM
Jump to solution

Hi, it seems RAD cache is not okay. Please do open a support ticket for proper diagnostics

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-16 02:59 AM
Jump to solution

Are you using None-FQDN mode (sk120633) ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-16 03:37 AM
In response to G_W_Albrecht
Jump to solution

It's the R80.10 FQDN type objects. Using old makes no sense Smiley Happy

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-16 03:42 AM
In response to Kaspars_Zibarts
Jump to solution

I second that 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-17 05:55 AM
Jump to solution

SR is still under investigation but someone else is bored, you may check if your gateway is sending malformed truncated DNS requests using TCP - has all domain objects included multiple times but most importantly packet format is wrong. Our DNS just replies as malformed packet, no results. Seems to match Blocked traffic in logs

0 Kudos
Meital_Natanson
Employee
Employee
‎2018-08-30 06:07 AM
Jump to solution

Hi,

This is a known issue, solved in R80.10 JHF T142.

It will happen when using large amount of domain objects in policy.

Please contact support (& CFG) if you need the fix on top of earlier JHF take.

Thanks,

Meital

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-30 06:13 AM
In response to Meital_Natanson
Jump to solution

Thanks heaps Meital! Strangely enough case engineer just asked me for more debugs and logs instead of suggesting this...

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-30 06:21 AM
In response to Kaspars_Zibarts
Jump to solution

Haha - I didn't realise that you were from R&D .. Just had a call from case engineer. All good - we'll try one cluster in next couple of days! Thanks again!

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-09-05 03:58 AM
Jump to solution

One last update - finally we rolled out take 142 last night in production: 2 VSX clusters and one non-VSX. All looking great so far, all block logs gone!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events