Paul_Mainhardt1
Participant

Traffic dropped by Reason: PSL Drop: HTTP_DISPATCHER;

Hi,

fw ctl zdebug drop is showing this:

fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;

I have no idea what HTTP_DISPATCHER is, just that it's being dropped by the Passive Streaming Layer.

Any ideas on what is causing these drops?

0 Kudos
7 Replies
PhoneBoy
Admin

Lots of things use PSL: App Control, IPS, Anti-Bot, and Anti-Malware among them.

The actual error messages might be helpful, but I suspect a TAC case might be in order.

0 Kudos
HeikoAnkenbrand
Champion

Hi Paul,

I think there is a TCP service protocol type problem after updating to R80.10/R80.20. I already had problems with supported protocol types after the update.

Symptoms

"Database contains services with an unsupported protocol type. For a list of supported protocols, please refer to sk103595" error during upgrade to R80 / R80.10 / R80.20.

The following protocol types are supported in services in R80 / R80.10 / R80.20 versions:

...

  • HTTP
  • HTTP_DISPATCHER
  • HTTP_WEBSEC

...

Solution

- Disable the HTTP_DISPATCHER protocol type. However, this has an impact on the HTTP security of the TCP service and IPS.

- Then I would open a TAC case as described by Dameon.

Look at this SK:

"Database contains services with an unsupported protocol type. For a list of supported protocols, pl... 

What is PSL?

PSL is an infrastructure layer, which provides stream reassembly for TCP connections.
  - The gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL.
  - This layer handles packet reordering, congestion handling and is responsible for various security aspects of the TCP layer such as handling payload overlaps, some DoS attacks and others.
  - The PSL layer is capable of receiving packets from the firewall chain and from SecureXL module.
  - The PSL layer serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks.
  - The PSL infrastructure is wrapped with well defined APIs called the Unified Streaming APIs which are used by the applications to register and access streamed data.

You can find more information about PSL in my articles:

R80.x Security Gateway Architecture (Content Inspection) 

R80.x Security Gateway Architecture (Logical Packet Flow) 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin

I had considered this possibility (FYI) but I think HTTP_DISPATCHER is used in a few other contexts independent of a service definition.

Again, the actual messages from zdebug might provide some additional insight.

Paul_Mainhardt1
Participant

These are the actual error logs (replaced src and dst ip address with XXXX and YYYY):

;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;

0 Kudos
PhoneBoy
Admin

Please send a screenshot of your TCP service for port 8081.

Should look something like this:

0 Kudos
Paul_Mainhardt1
Participant

I am also getting the exact same error for HTTPS traffic as well. 

;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 X.X.X.X:49297 -> Y.Y.Y.Y:443 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;

I have also tried increasing the PSL buffer as per SK102455

# fw ctl get int psl_max_stream_segments
psl_max_stream_segments = 32772
# fw ctl get int psl_max_strip_window
psl_max_strip_window = 16780216

Screenshots Below:

TCP 8081

0 Kudos
PhoneBoy
Admin

Then it's probably an IPS or App Control signature that's triggering.

You can try updating to the latest IPS and App Control signatures and see if the issue goes away.

Otherwise, you should probably open a TAC case.
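
An added example, not part of the original thread or any poster's code: a Python parser for `fw ctl zdebug drop` lines in the layout quoted above, counting drops and distinct flows per dropping chain, reason and destination port so it is clear which services are affected before updating signatures or opening a TAC case. The function names and the noise line are constructed for illustration; the three drop lines are the ones posted in the thread.

```python
import re
from collections import Counter

# Field layout taken from the drop lines quoted in this thread.
DROP_RE = re.compile(
    r";\[(?P<cpu>[^\]]+)\];\[(?P<instance>[^\]]+)\];fw_log_drop_ex: "
    r"Packet proto=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) dropped by (?P<chain>\S+) "
    r"Reason: (?P<reason>.*?);\s*$"
)

# The three drop lines posted in the thread, plus one constructed noise line.
SAMPLE = """\
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 X.X.X.X:49297 -> Y.Y.Y.Y:443 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
# constructed noise line, not a drop record
"""

def parse_drop(line):
    """Return the fields of one drop line as a dict, or None if it does not match."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count drops and distinct flows per (chain, reason, proto, dst port)."""
    drops, flows, unparsed = Counter(), {}, 0
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            unparsed += bool(line.strip())  # non-empty lines that did not parse
            continue
        key = (rec["chain"], rec["reason"], rec["proto"], rec["dport"])
        drops[key] += 1
        flows.setdefault(key, set()).add((rec["src"], rec["sport"], rec["dst"]))
    return drops, flows, unparsed

if __name__ == "__main__":
    drops, flows, unparsed = summarize(SAMPLE.splitlines())
    for key, n in drops.most_common():
        chain, reason, proto, dport = key
        print(f"{n} drops / {len(flows[key])} flows  proto={proto} dport={dport}  {chain}: {reason}")
    print(f"unparsed lines: {unparsed}")
```

On the posted lines this reports two drops but a single flow for port 8081 (the same source port repeated) and one drop for port 443.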
