Justin_Hickey
Collaborator

High Rate of DNS failures with SMTP Gateway

We have Proofpoint for SMTP protection services. Ever since implementing Checkpoint we've seen this error message from Proofpoint:


Reputation Query DNS Error
PPS is encountering a high rate of failures when querying DNS to discover the Proofpoint reputation servers
[2017-09-25 11:12:04.221209 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"

Proofpoint can and does query DNS records for all sorts of malicious domains and websites and I do see some messages in the logs about Checkpoint detecting, but allowing malicious DNS requests. 

"Connection was allowed because background classification mode was set. See sk74120 for more information."


But I also see a smattering of 'First packet isn't SYN' drops from Proofpoint to our DNS Server. This out of state stuff to me was always an indication of an upstream drop. 

Anyway, I don't know what to make of it, but I can't seem to find a way to exclude Proofpoint from DNS Reputation checks, only individual Protection Names, i.e. Phishing ddjngz. I kind of need Proofpoint to do its job without Checkpoint interference. We never had this issue on previous Juniper firewalls.

Any assistance is appreciated. Thanks,


Accepted Solutions
PhoneBoy
Admin

Have you tried adding an Exception for the Proofpoint servers in your Threat Prevention policy?

Something like:

5 Replies
Justin_Hickey
Collaborator

Thank you. I didn't get how to write exceptions for this, but your screenshot led me to the correct solution. I created an exception rule: From my Proofpoints, To my DNS servers, service DNS, permit. They have to process all kinds of nasty queries. Many thanks.

Justin

PhoneBoy
Admin

I'm guessing you probably did something like this then (in Exceptions versus Policy, as I showed above):

If you used "Inactive", I recommend using "Detect" instead.

It will give you additional visibility into what the Proofpoints are seeing (or possibly not seeing).

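The exception Justin describes (source: the Proofpoint appliances, destination: the internal DNS servers, service: DNS) with the Detect action PhoneBoy recommends, expressed as a Check Point Management API call from the management server's shell. This is an added example, not code from the thread or from Check Point; the layer, rule, host, service, package and gateway names are assumptions, and the script only talks to the management server when invoked with "apply", otherwise it prints the mgmt_cli command it would run.

```shell
#!/bin/sh
# Added example (not from the thread): create the Threat Prevention exception
# for Proofpoint reputation lookups with the Check Point Management API CLI
# (mgmt_cli, available on R80+ management servers). Every object name below
# is an assumption; substitute the names used in your own policy.
set -eu

LAYER="Standard Threat Prevention"   # assumed Threat Prevention layer
RULE="Inbound mail"                  # assumed TP rule the exception attaches to
PROOFPOINT_HOSTS="pps-01 pps-02"     # assumed host objects: the Proofpoint appliances
DNS_SERVERS="dns-01 dns-02"          # assumed host objects: the internal resolvers
DNS_SERVICE="dns"                    # assumed service (group) object covering UDP/TCP 53
PACKAGE="Standard"                   # assumed policy package
GATEWAY="fw-edge"                    # assumed gateway object to install on
SID_FILE="${SID_FILE:-/tmp/cp-sid.txt}"

# run_mgmt ARGS...: run mgmt_cli with the saved session, or just print the
# command when DRY_RUN=1 so the call can be reviewed before it is applied.
run_mgmt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s' 'mgmt_cli'; printf " '%s'" "$@"; printf '\n'
  else
    mgmt_cli -s "$SID_FILE" "$@"
  fi
}

# add_exception ACTION: ACTION is Detect (query allowed but still logged, so
# you keep visibility of what Proofpoint resolves) or Inactive (no inspection,
# no log). Sources and destinations are passed as mgmt_cli list items
# (source.1, source.2, ...).
add_exception() {
  action="$1"
  set -- add threat-exception layer "$LAYER" rule-name "$RULE" \
         name "Proofpoint reputation DNS" position top \
         action "$action" track Log service.1 "$DNS_SERVICE"
  i=1
  for h in $PROOFPOINT_HOSTS; do set -- "$@" "source.$i" "$h"; i=$((i + 1)); done
  i=1
  for h in $DNS_SERVERS; do set -- "$@" "destination.$i" "$h"; i=$((i + 1)); done
  run_mgmt "$@"
}

# Full change: log in, add the exception, publish, push only the TP policy.
main() {
  : "${MGMT_USER:?set MGMT_USER}" "${MGMT_PASS:?set MGMT_PASS}"
  mgmt_cli login user "$MGMT_USER" password "$MGMT_PASS" > "$SID_FILE"
  add_exception Detect
  run_mgmt publish
  run_mgmt install-policy policy-package "$PACKAGE" access false \
           threat-prevention true targets.1 "$GATEWAY"
  run_mgmt logout
}

# Only touch the management server when explicitly asked; without "apply"
# the script prints the exception command it would send.
if [ "${1:-}" = apply ]; then
  main
else
  DRY_RUN=1
  add_exception Detect
fi
```

Run it without arguments first and check the printed command against the objects in SmartConsole, then run it with "apply" and MGMT_USER/MGMT_PASS set. Pass Inactive instead of Detect to add_exception if, like Justin, you would rather not log the lookups at all; Detect costs a log line per query but is what lets you notice when the reputation lookups stop working for a different reason.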
Justin_Hickey
Collaborator

That is exactly how I did it except, as you suspected, I did the Inactive. I guess I see it as less overhead just to ignore it. Proofpoint is constantly resolving bad hostnames on purpose to check for their reputation. I don't know if I care to see it or have it fill up my logs.

Gaurav_Pandya
Advisor

Hi,

We have the same issue. The Antivirus blade is allowing malicious DNS requests with protection type "DNS reputation" and protection family "Phishing". The message is "Connection was allowed because background classification mode was set".

The blade engine setting is already in "Hold" mode, and the DNS trap setting is enabled.

So I just want to confirm whether I should concentrate on these logs or just ignore them.
