This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Florian_Maier
Participant
‎2020-03-05 06:50 AM

cluster xl 80.40 - trouble with external dns querys

Hi i have upgraded a Cluster XL to 80.40

this cluster works only as firewall (NGTP or NGTX isn't active)

in the smartconsole is all green.

 

dns query from internal to external doesn't work when secure xl is enabled.

if i disable secure xl the dns querys are working.

 

have anyone the same problem?

how can i solve this? (have to wait for a new hotfix?)

 

thanx all, regards

flo

6 Replies
PhoneBoy
Admin
Admin
‎2020-03-07 05:18 PM

If disabling SecureXL "solves" a problem, it's a bug.
Open a TAC case, please.
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-03-08 10:28 AM

I had the same problem. But there is a solution to bypass the DNS server IP. You can bypass SecureXL (green flow in the picture) as described. This will use the F2F path instead of the acceleration path. 

Screenshot_20200308-183104_Edge.jpg

How to disable SecureXL for specific IP addresses? Edit the relevant table.def file, define the DNS Server IP addresses, whose traffic should not be accelerated. You can find more on this topic in this sk104468.

More read here:
- R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths
- R80.x - Security Gateway Architecture (Logical Packet Flow)

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
Admin
‎2020-03-08 05:34 PM
In response to HeikoAnkenbrand

Obviously that's a workaround, but we should find out why we need to disable SecureXL for this.
0 Kudos
chris_denham
Explorer
‎2020-03-11 07:07 PM
In response to PhoneBoy

Experiencing the same issue after upgrading a Cluster to R80.40.

 

Interestingly the DNS traffic goes through 2 x Clusters and the issue goes away after disabling SecureXL on one of them.

 

We are using a bind DNS server, same issue using forwarders or root hints.

 

Looks like the DNS reply packet is sent twice on the egress interface from the gateway, but is never visible in a tcpdump on the DNS server itself.

0 Kudos
chris_denham
Explorer
‎2020-03-11 08:07 PM
In response to PhoneBoy

Also managed to get this working by enabling the IPS blade (previously had firewall + IA + Mobile access only).

 

fwaccel conns now shows the inbound and outbound connections with the 'S' flag (PXL enabled).

Florian_Maier
Participant
‎2020-03-26 08:57 AM
In response to chris_denham

@chris_denham 

works

but it's only a workaround.

any updates?

regards

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events