Yonghao_Gao
Nickel

smartlog too many logs:Non Compliant DNS

There are too many of the logs below in SmartLog every day. This has caused a lot of confusion; I think these logs are useless. Does anyone else have this confusion? How should I deal with this problem? Thanks!

4 Replies
Danny
Pearl

Re: smartlog too many logs:Non Compliant DNS

If your evaluation shows that these messages are useless, then create an IPS exception from your internal networks for this specific IPS protection type.

0 Kudos
Employee+

Re: smartlog too many logs:Non Compliant DNS

Hello 56aea48b-b5d0-442c-bce7-6bf75bbc04f5,

I suggest you investigate the root cause of these logs. The "Capture Packets" feature can be enabled for this Protection and it should help you analyze the "problematic" traffic.

You can find the "Non Compliant DNS protection" in the "Manage&Settings -> General -> Inspection Settings" section.

I advise disabling the capture after your investigation finishes.

P.S. Could you help me understand: your name appears in CheckMates as "56aea48b-b5d0-442c-bce7-6bf75bbc04f5". Is this expected?

0 Kudos

Re: smartlog too many logs:Non Compliant DNS

I would agree that this does not appear to be an issue with Check Point but rather an issue with your environment; the firewalls are just reporting what they are seeing. You could create an exception to allow the traffic. It may be related to DNS Flag Day; similar symptoms are described in sk112578.

0 Kudos
Employee+

Re: smartlog too many logs:Non Compliant DNS

Yes, I agree with Alejandro that these drops can be related to sk112578 if your GW is R77.X. You can capture the dropped packets (as I described above) and take a look at the "Z" and "EDNS version" fields.

If you see that the dropped packets include non-zero parameters in these fields, it means the issue is related to sk112578. If the GW is R77.30, the drops should disappear after installation of the Jumbo Hotfix Take_345.

If the issue isn't related to sk112578, I still suggest investigating the drops and the "problematic" DNS traffic.

Regards,

Dmitry
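The check suggested in the reply above (looking at the "Z" and EDNS version fields of a captured DNS packet), as an added example that is not part of the thread and not Check Point code. It assumes the raw DNS payload has already been extracted from the capture, and because the thread does not say which "Z" is meant it reports both the reserved Z bit of the DNS header and the version and reserved Z bits of the EDNS OPT record; the function names and the sample query are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, name ends
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def edns_fields(msg):
    """Extract the header Z bit and, if an OPT RR exists, its EDNS fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {"header_z": (flags >> 6) & 1,   # reserved bit between RA and AD
           "edns_version": None, "do": None, "edns_z": None}
    off = 12
    try:
        for _ in range(qd):                # question: name + type + class
            off = skip_name(msg, off) + 4
        for _ in range(an + ns + ar):      # resource records
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == 41:                # OPT: TTL = ext-rcode|version|DO|Z
                out["edns_version"] = (ttl >> 16) & 0xFF
                out["do"] = (ttl >> 15) & 1
                out["edns_z"] = ttl & 0x7FFF
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed DNS message") from None
    return out

def nonzero(fields):
    """Names of the inspected fields that carry a non-zero value."""
    return [k for k in ("header_z", "edns_z", "edns_version") if fields[k]]

def build_query(version=0, z=0, header_z=0):
    """Constructed sample: A query for example.com with one OPT RR."""
    hdr = struct.pack("!6H", 0x1234, 0x0100 | (header_z << 6), 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, (version << 16) | z, 0)
    return hdr + question + opt

if __name__ == "__main__":
    print(nonzero(edns_fields(build_query(version=1, z=1))))
```

The DO bit is reported separately because it is a defined EDNS flag rather than a reserved one, so a query that only sets DO is not listed by `nonzero`.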