This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Justin_Hickey
Collaborator
‎2017-09-25 08:23 AM
Jump to solution

High Rate of DNS failures with SMTP Gateway

We have Proofpoint for SMTP protection services. Ever since implementing Checkpoint we've see this error message from Proofpoint:


Reputation Query DNS Error
PPS is encountering a high rate of failures when querying DNS to discover the Proofpoint reputation servers
[2017-09-25 11:12:04.221209 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"

Proofpoint can and does query DNS records for all sorts of malicious domains and websites and I do see some messages in the logs about Checkpoint detecting, but allowing malicious DNS requests. 

"Connection was allowed because background classification mode was set. See sk74120 for more information."


But I also see a smattering of 'First packet isn't SYN' drops from Proofpoint to our DNS Server. This out of state stuff to me was always an indication of an upstream drop. 

Anyway, I dont know what to make of it but I cant seem to find a way to exclude Proofpoint for DNS Reputation checks, only individual Protection Names, ie Phishing ddjngz. I kind of need Proofpoint to do its job without Checkpoint interference. We never had this issue on previous Juniper firewalls. 

Any assistance is appreciated. Thanks,

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2017-09-25 10:53 PM
Jump to solution

Have you tried adding an Exception for the Proofpoint servers in your Threat Prevention policy?

Something like:

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2017-09-25 10:53 PM
Jump to solution

Have you tried adding an Exception for the Proofpoint servers in your Threat Prevention policy?

Something like:

0 Kudos
Justin_Hickey
Collaborator
‎2017-09-26 07:15 AM
Jump to solution

Thank you. I didnt get how to write exceptions for this but your screen shot led me to the correct solution. I created an exception rule, From my Proofpoints, To my dns servers, service DNS, permit. They have to process all kinds of nasty queries.  Many thanks. 

Justin

PhoneBoy
Admin
Admin
‎2017-09-26 08:16 AM
In response to Justin_Hickey
Jump to solution

I'm guessing you probably did something like this then (in Exceptions versus Policy, as I showed above):

If you used "Inactive" instead, I recommend using "Detect" instead.

It will give you additional visibility into what the Proofpoints are seeing (or possibly not seeing).

0 Kudos
Justin_Hickey
Collaborator
‎2017-09-26 03:44 PM
Jump to solution

That is exactly how I did it except as you suspected, I did the Inactive. I guess I see it as less overhead just to ignore it. Proofpoint is constantly resolving bad hostnames on purpose to check for their reputation. I dont know if I care to see it or have it fill up my logs. 

0 Kudos
Gaurav_Pandya
Advisor
‎2019-06-06 07:24 AM
In response to Justin_Hickey
Jump to solution

Hi,

We have same issue. Antivirus blade is allowing Malicious DNS request with protection type - DNS reputation & Protection family - Phishing. Message is "Connection was allowed because background classification mode was set".

Blade engine setting is already in "Hold" mode. DNS trap setting is enabled.

So just want to confirm that should I concentrate on the logs or just ignore.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events