- Products
- Learn
- Local User Groups
- Partners
- More
Introduction to Lakera:
Securing the AI Frontier!
Quantum Spark Management Unleashed!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hi all,
I noticed that some of the websites that I visit daily need a very long time until the first content shows up in the browser. I run a tcpdump on my client, the LAN and the WAN site of our perimeter firewall to analyze the cause of the delay.
The SYN packet from my client hits the LAN interface of the firewall after 1-3ms. But the outgoing SYN on the WAN site of our firewall appears 5-6 seconds later.
The logs in the SmartConsole draws a different picture: the incoming and outgoing SYN appear in the log at the same second, which is exactly the time where the outgoing SYN appears in the packet capture on the WAN interface.
This happens for all tested sites
The CA list on the gatewway is up to date and complete.
Any thoughts what or which blade could cause the delay?
Could a WSTLSD daemon debug help?
Jas Man
If still no joy, please post the output of enabled_blades run from the gateway along with your code and JHFA level.
The defined DNS sever are responding immediatly and correct.
HTTP/HTTPS Proxy is disabled.
The delay is not caused by any TLS-related issue, because the delay happens during the first SYN.
Enabled blades: fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot mon
I'll try to disable the AntiBot blade later. It's currently not possible.
Is it same on every browser? If so, you can always try use secure DNS setting, see if it makes any difference. I believe in every browser, there are few options, ie google dns, cloud flare, etc.
Andy
Yes it happens in all browsers. DNS seems to be fine, because the delay happens during the SYN at the perimeter firewall on the outgoing interface.
"Unfortunately" categorization is already set to "Background".
K, then maybe disabling AB blade is not a bad idea.
Andy
My guess is still something with the two new DNS protections in Anti-bot. Unfortunately, granular control of these features is not exposed in R81.20, but it is possible to toggle these two DNS protections in R82 individually without completely disabling Anti-bot. Also see the discussion of "dns=bg" here: sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, ...
The fact that websites perform fine for 60 minutes after the initial delay in access, and then the initial delay returns after 60 minutes again, screams some kind of cache issue to me, possibly CRL/OCSP, but it seems too early in the connection for that. Are you using FQDN Domain objects in your Access Control policy or HTTPS Inspection policy? The cache timer for domain entries is 60 minutes, so I'm wondering if when that expires, there is a long delay having to retrieve the FQDN again and get it in the cache, but then once the site's domain gets into the cache, life for that site is good for 60 minutes, until it times out of the cache and the gateway has to retrieve it again, which causes the delay.
Is DNS traffic subject to Geo Policy or Geo Updatable object blocking for any countries? If Cloudflare's initial servers are located in a prohibited country it may take awhile before your DNS resolver hits upon a server that is in an allowed country and not blocked.
I fully aggree with you. It must have to do with a caching function. And AntiBot sound to be a valid culprit. Will test to toggle the protection settings. But not on a Friday....you know why 🙂
The responsible policies are not using FQDN domain objects.
As far as I know there's no geo-based policy and/or object. But I've to check this.
DNS was my favorite suspect at first.
I've captured all DNS queries on the firewall during the issue happened to check the DNS response times. But there was no query for the affected domain.
I would guess that the gateway doesn't do DNS queries for HTTP/HTTPS connection. Because the client already resolved the domain to an IP address. The firewall get the connection request from the client to the public IP address. There's no need for the firewall to resolve any domain. And when it comes to HTTPS inspection the firewall can get the URL out of the SNI.
Does it makes sense?
It's not clear if wstlsd is relevant here since this problem is happening on the SYN (which has no data for wstlsd to work with).
I would get TAC involved.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
15 | |
12 | |
8 | |
6 | |
6 | |
6 | |
5 | |
5 | |
4 | |
3 |
Tue 30 Sep 2025 @ 08:00 AM (EDT)
Tips and Tricks 2025 #13: Strategic Cyber Assessments: How to Strengthen Your Security PostureTue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFTue 30 Sep 2025 @ 08:00 AM (EDT)
Tips and Tricks 2025 #13: Strategic Cyber Assessments: How to Strengthen Your Security PostureThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY