Apparently, there are DNS problems.

DanielJavier

Hi everyone.
I'm having the following issue, which you can see in the attached image. Attempts to the same destination are being both allowed and blocked. They fall under different rules, as if the domain object isn't detecting them.

Do you know what could be causing this?

Don_Paterson

Are you finding that the rule with the Domain object is not being matched when attempts are made to connect to the destination using the DNS names, but it is intermittent?

Those logs look around 1 hour apart, which makes it look like a 1 hour caching timeout but non-FQDN objects (Domain Objects) aren't cached for an hour they are resolved with DNS lookups (see below), and then held in a different cache by the looks of it.

Maybe a cache full problem..

Did you check on the gateways command line with nslookup or ping, and check the DNS configuration on the gateways?

Try this on the gateway in expert mode:

domains_tool -ip 54.166.251.207

These show table summaries (-s), and #VALS is current number of entries:

fw ctl multik print_bl dns_reverse_cache_tbl -s

fw ctl multik print_bl dns_reverse_unmatched_cache -s

fw ctl multik print_bl dns_reverse_domains_tbl -s

Also try hcp -r all

You may have to open a ticket with TAC if you can't see anything obvious and AWS isn't broken in some way (again).

From: https://support.checkpoint.com/results/sk/sk90401

Solution

The default TTL of the domain cache is 1 hour, which is being confirmed in sk120633 as:
The resolved IP addresses are cached, and traffic to those IP addresses are matched on the rule using that FQDN object. The timeout of the FQDN cache respects the TTL of the DNS. The default TTL of the domain cache is 1 hour. When an FQDN is sent for resolving, we add the response to cache for 60 minutes, we do not respect the actual TTL returned by the server.
Also the default TTL is confirmed in sk181215:
Check Point Security Gateway will resolve the FQDN against the DNS servers configured every 60 seconds, we will cache the new IP address resolved and update the TTL if the IP is already cached before. The default TTL of the domain cache is 1 hour.

Architecture

When a connection that traverses the Security Gateway is being evaluated against the rulebase, if the Unified Policy mechanism encounters a possible match that includes a Domain Object, the object must be resolved before a verdict can be reached.

If all Domain Objects in the Access Policy are in FQDN mode, the Security Gateway performs direct DNS resolution of each of the Domain Objects and caches the results

If any domain object is not FQDN, and the IP address isn't in the cache, the Security Gateway must perform a reverse DNS request to determine whether the IP belongs to the Domain Object.

The Time-to-Live (TTL) for FQDN cache is 60 minutes. When using FQDN mode, all Domain Objects are refreshed once per minute. To refresh the Domain Object resolution, the Security Gateway queries all defined DNS servers for both "domain.com" and "www.domain.com" from the Domain Object.

For FQDN queries that return multiple results, there is no individual limit on the number of cached IP addresses per Domain Object. The Security Gateway's full cache size for Domain Objects maxes out at 25000 entries.

If changes are made to the Security Gateway's defined DNS servers, the WSDNSD process must be restarted to apply the changes to the resolution of Domain Objects.

Troubleshooting

To observe Domain Object resolution, use the domains_tool command:

R81.10 and higher:
[Expert@SecurityGateway]# domains_tool {-ip <IP address> | -d <domain name> [ -m] | -uo <updatable object name> | -hc | -report }

R81 and lower:
[Expert@SecurityGateway]# domains_tool {-ip <IP address> | -d <domain name> [ -m] | -uo <updatable object name> }

For more information on how to use domains_tool, refer to sk161632.

Don_Paterson

There is this too:

https://support.checkpoint.com/results/sk/sk120633

the_rock

I believe the answer is "given" in your screenshots. Look at tne 2nd one you attached...clearly shows geo location, so please make sure you dont have geo policy where specific country is blocked.

Best,
Andy

Lesley

Is this not a better solution?

Check Point Updatable Objects are used for allowing or blocking network access (IP's/URL's) of known external services such as Office365 and Amazon Web Services.

This is performed dynamically and updated periodically from the service providers themselves, with no policy installation required.

Updatable Objects update occurs on first time initialization of the service or periodically (default: every hour).

Disable FQDN check box has an affect to increase the load on the gw. This is now also reported in HCP reports.

-------
Please press "Accept as Solution" if my post solved it 🙂

the_rock

I would agree.

Best,
Andy

Wolfgang

I always avoid using of none FQDN objects, they are not efficiently. Reverse dns lookups for a lot of packets results in latency. Use updatable objects instead.

If none FQDN objects really needed follow Domain Object Enhancement - DNS Passive Learning and activate DNS passive learning.

the_rock

In my personal experience, as long as there is not lots of those, its not too bad.

Best,
Andy

the_rock

Hey mate,

Were you able to figure this out?

Best,
Andy

Are you a member of CheckMates?